564 posts categorized "Privacy" Feed

Cozy Relationship Between The FBI And A Computer Repair Service Spurs 4th Amendment Concerns

Image of Geek Squad auto and two technicians. Click to view larger version The Electronic Frontier Foundation (EFF) has learned more about the relationship between Geek Squad, a computer repair service, and the U.S. Federal Bureau of Investigation (FBI). In a March 6th announcement, the EFF said it filed a:

"... FOIA lawsuit last year to learn more about how the FBI uses Geek Squad employees to flag illegal material when people pay Best Buy to repair their computers. The relationship potentially circumvents computer owners’ Fourth Amendment rights."

Founded in 1966, the Best Buy retail chain operates more than 1,500 stores in North America and employs more than 125,000 people. The chain sells home appliances and electronics both online and at stores in the United States, Canada, and Mexico. Located in about 1,100 Best Buy stores, Geek Squad provides repair services via phone, in-store, or at home. This means that Geek Squad employees configure and fix popular smart devices many consumers have purchased for their homes: cameras and camcorders, cell phones, computers and tablets, home theater, car electronics, home security (e.g., smart doorbells, smart locks, smart thermostats, wireless cameras), smart appliances (e.g., refrigerators, ovens, washing machines, dryers, etc.), smart speakers, video game consoles, wearables (e.g., fitness bands, smart watches), and more.

The 4th Amendment of the U.S. Constitution states:

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

It is most puzzling how a broken computer translates into probable cause for a search. The FOIA request was prompted by the prosecution of a doctor in California, "who was charged with possession of child pornography after Best Buy sent his computer to the Kentucky Geek Squad repair facility."

Logos for Best Buy and Geek Squad The FOIA request yielded documents which showed:

"... that Best Buy officials have enjoyed a particularly close relationship with the agency for at least 10 years. For example, an FBI memo from September 2008 details how Best Buy hosted a meeting of the agency’s “Cyber Working Group” at the company’s Kentucky repair facility... Another document records a $500 payment from the FBI to a confidential Geek Squad informant... over the years of working with Geek Squad employees, FBI agents developed a process for investigating and prosecuting people who sent their devices to the Geek Squad for repairs..."

The EFF announcement described that process in detail:

"... a series of FBI investigations in which a Geek Squad employee would call the FBI’s Louisville field office after finding what they believed was child pornography. The FBI agent would show up, review the images or video and determine whether they believe they are illegal content. After that, they would seize the hard drive or computer and send it to another FBI field office near where the owner of the device lived. Agents at that local FBI office would then investigate further, and in some cases try to obtain a warrant to search the device... For example, documents reflect that Geek Squad employees only alert the FBI when they happen to find illegal materials during a manual search of images on a device and that the FBI does not direct those employees to actively find illegal content. But some evidence in the case appears to show Geek Squad employees did make an affirmative effort to identify illegal material... Other evidence showed that Geek Squad employees were financially rewarded for finding child pornography..."

Finding child pornography and prosecuting perpetrators is a worthy goal, but the FBI-Geek Squad program seems to blur the line between computer repair and law enforcement. The program and FOIA documents raise several questions:

  1. What are the program details (e.g., training, qualifications for informants, payments, conditions for payments, scope, etc.) for financial rewarding Geek Squad employees for finding child pornography?
  2. What other computer/appliance repair vendors does the FBI operate similar programs with?
  3. What quality control measures does the program contain to prevent wrongful prosecutions?
  4. What penalties or consequences, if any, for Geek Squad employees who falsely reported child pornography claims?
  5. Is this Geek Squad program nationwide, or if not, in which states does it operate?
  6. In cases of suspected child pornography, what other information on targets' devices is collected and archived by the FBI through this program?
  7. Were/are whole hard drives copied and archived?
  8. How long is information archived?
  9. Does the program between the FBI and Geek Squad target other types of crime  and threats (e.g., terrorism)?
  10. What other law enforcement or security agencies does Geek Squad have cozy relationships with?

I'm sure there are more questions to be asked. What are your opinions?

Image of Geek Squad services promoted on Best Buy site

Analysis: Closing The 'Regulatory Donut Hole' - The 9th Circuit Appeals Court, AT&T, The FCC And The FTC

The International Association of Privacy Professionals (IAPP) site has a good article explaining what a recent appeals court decision means for everyone who uses the internet:

"When the 9th U.S. Circuit Court of Appeals ruled, in September 2016, that the Federal Trade Commission did not have the authority to regulate AT&T because it was a “common carrier,” which only the Federal Communications Commission can regulate, the decision created what many in privacy foresaw as a “regulatory doughnut hole.” Indeed, when the FCC, in repealing its broadband privacy rules, decided to hand over all privacy regulation of internet service providers to the FTC, the predicted situation came about: The courts said “common carriers” could only be regulated by the FCC, but the FCC says only the FTC should be regulating privacy. So, was there no regulator to oversee a company like AT&T’s privacy practices?

Indeed, argued Gigi Sohn, formerly counsel to then-FCC Chair Tom Wheeler, “The new FCC/FTC relationship lets consumers know they’re getting screwed. But much beyond that, they don’t have any recourse.” Now, things have changed once again. With an en banc decision, the 9th Circuit has reversed itself... This reversal of its previous decision by the 9th Circuit now allows the FTC to go forward with its case against AT&T and what it says were deceptive throttling practices, but it also now allows the FTC to once again regulate internet service providers’ data-handling and cybersecurity practices if they come in the context of activities that are outside their activities as common carriers."

Somebody has to oversee Internet service providers (ISPs). Somebody has to do their job. It's an important job. The Republicans-led FCC, by Trump appointee Ajit Pai, has clearly stated it won't given its "light touch" approach to broadband regulation, and repeals last year of both broadband privacy and net neutrality rules. Earlier this month, the National Rifle Association (NRA) honored FCC Chairman Pai for repealing net neutrality rules.

"No touch" is probably a more accurate description. A prior blog post listed many historical problems and abuses of consumers by some ISPs. Consumers should buckle up, as ISPs slowly unveiled their plans in a world without net neutrality protections for consumers. What might that look like? What has AT&T said about this?

Bob Quinn, the Vice President of External and Legislative Affairs for AT&T, claimed today in a blog post:

"Net neutrality has been an emotional issue for a lot of people over the past 10 years... For much of those 10 years, there has been relative agreement over what those rules should be: don’t block websites; censor online content; or throttle, degrade or discriminate in network performance based on content; and disclose to consumers how you manage your network to make that happen. AT&T has been publicly committed to those principles... But no discussion of net neutrality would be complete without also addressing the topic of paid prioritization. Let me start by saying that the issue of paid prioritization has always been hazy and theoretical. The business models for services that would require end-to-end management have only recently begun to come into focus... Let me clear about this – AT&T is not interested in creating fast lanes and slow lanes on anyone’s internet."

Really? The Ars Technica blog called out AT&T and Quinn on his claim:

"AT&T is talking up the benefits of paid prioritization schemes in preparation for the death of net neutrality rules while claiming that charging certain content providers for priority access won't create fast lanes and slow lanes... What Quinn did not mention is that the net neutrality rules have a specific carve-out that already allows such services to exist... without violating the paid prioritization ban. Telemedicine, automobile telematics, and school-related applications and content are among the services that can be given isolated capacity... The key is that the FCC maintained the right to stop ISPs from using this exception to violate the spirit of the net neutrality rules... In contrast, AT&T wants total control over which services are allowed to get priority."

Moreover, fast and slow lanes by AT&T already exist:

"... AT&T provides only DSL service in many rural areas, with speeds of just a few megabits per second or even less than a megabit. AT&T has a new fixed wireless service for some rural areas, but the 10Mbps download speeds fall well short of the federal broadband standard of 25Mbps. In areas where AT&T has brought fiber to each home, the company might be able to implement paid prioritization and manage its network in a way that prevents most customers from noticing any slowdown in other services..."

So, rural (e.g., DSL) consumers are more likely to suffer and notice service slowdowns. Once the final FCC rules are available without net neutrality protections for consumers and the lawsuits have been resolved, then AT&T probably won't have to worry about violating any prioritization bans.

The bottom line for consumers: expect ISPs to implement first changes consumers won't see directly. Remember the old story about a frog stuck in a pot of water? The way to kill it is to slowly turn up the heat. You can expect ISPs to implement this approach in a post-net-neutrality world. (Yes, in this analogy we consumers are the frog, and the heat is higher internet prices.) Paid prioritization is one method consumers won't directly see. It forces content producers, and not ISPs, to raise prices on consumers. Make no mistake about where the money will go.

Consumers will likely see ISPs introduce tiered broadband services, with lower-priced service options that exclude video streaming content... spun as greater choice for consumers. (Some hotels in the United States already sell to their guests WiFi services with tiered content.) Also, expect to see more "sponsored data programs," where video content owned by your ISP doesn't count against wireless data caps. Read more about other possible changes.

Seems to me the 9th Circuit Appeals Court made the best of a bad situation. I look forward to the FTC doing an important job which the FCC chose to run away from. What do you think?

DuckDuckGo Introduces New Privacy Browser

DuckDuckGo search engine for privacy Readers of this blog are familiar with DuckDuckGo, the popular search engine for privacy which doesn't track you nor maintain logs of your search queries. For even more online privacy, DuckDuckGo has has introduced a web browser mobile app for your smartphone or tablet. Benefits of this new browser app:

"1. Escape Advertising Tracker Networks: Our Privacy Protection will block all the hidden trackers we can find, exposing the major advertising networks tracking you over time, so that you can track who's trying to track you.
2. Increase Encryption Protection: We force sites to use an encrypted connection where available, protecting your data from prying eyes, like internet service providers (ISPs).
3. Search Privately: You share your most personal information with your search engine, like your financial, medical, and political questions. What you search for is your own business, which is why DuckDuckGo search doesn't track you. Ever.
4. Decode Privacy Policies — We’ve partnered with Terms of Service Didn't Read to include their scores and labels of website terms of service and privacy policies, where available."

The new browser app is available in the iTunes store and the Google Play store. The iPhone and iPad versions requires iOS version 9.0 or later. How it provides more privacy online:

"As you search and browse, the DuckDuckGo Privacy Browser shows you a Privacy Grade rating when you visit a website (A-F). This rating lets you see how protected you are at a glance, dig into the details to see who we caught trying to track you, and learn how we enhanced the underlying site's privacy measures. The Privacy Grade is scored automatically based on the prevalence of hidden tracker networks, encryption availability, and website privacy practices.

Our app provides standard browsing functionality including tabs, bookmarks, and autocomplete. In addition to strong Privacy Protection as described above, we also packed in some extra privacy features into the browser itself: a) Fire Button — Clear all your tabs and data with one tap; b) Application Lock: Secure the app with Touch ID or Face ID."

The Privacy Grade ratings reminds me of the warnings provided by the Privacy Badger add-on, which alerts consumers to the tracking mechanisms used by sites, and provides consumers finer control about which mechanisms to enable or disable at each site.

Fresenius Medical Care To Pay $3.5 Million For 5 Small Data Breaches During 2012

Logo-fresenius-medical-careFresenius Medical Care Holdings, Inc. has agreed to a $3.5 million settlement agreement regarding five small data breaches the Massachusetts-based healthcare organization experienced during 2012. Fresenius Medical Care Holdings, Inc. does business under the name Fresenius Medical Care North America (FMCNA). This represents one of the largest HIPAA settlements ever by the U.S. Department of Health & Human Services (HHS).

The five small data breaches, at different locations across the United States, affected about 521 persons:

  1. Bio-Medical Applications of Florida, Inc. d/b/a Fresenius Medical Care Duval Facility: On February 23, 2012, two desktop computers were stolen during a break-in. One of the computers contained the electronic Protected Health Information (ePHI) of 200 persons, including patient name, admission date, date of first dialysis, days and times of treatments, date of birth, and Social Security number
  2. Bio-Medical Applications of Alabama, Inc. d/b/a Fresenius Medical Care Magnolia Grove: On April 3, 2012, an unencrypted USB drive was stolen from a worker's car while parked in the organization's parking lot. The USB device contained the ePHI of 245 persons, including patient name, address, date of birth, telephone number, insurance company, insurance account number (a potential social security number derivative for some patients) and the covered entity location where each patient was seen.
  3. Renal Dimensions, LLC d/b/a Fresenius Medical Care Ak-Chin: On June 18, 2012, an anonymous phone tip reported that a hard drive was missing from a desktop computer, which had been taken out of service. The hard drive contained the ePHI of 35 persons, including name, date of birth, Social Security number and Zip code. While the worker notified a manager about the missing hard drive, the manager failed t notify the FMCNA Corporate Risk Management Department.
  4. Fresenius Vascular Care Augusta, LLC: On June 16, 2012, a worker's unencrypted laptop was stolen from her car while parked overnight at home. The laptop bag also include a list of her passwords. The laptop contained the ePHI of 10 persons, including patient name, insurance account number (which could be a social security number derivative) and other insurance information.
  5. WSKC Dialysis Services, Inc. d/b/a Fresenius Medical Care Blue Island Dialysis: On or about June 17 - 18, 2012, three desktop computers and one encrypted laptop were stolen from the office. One of the desktop computers contained the ePHI of 31 persons, including patient name, dates of birth, address, telephone number, and either full or partial Social Security numbers.

Besides the hefty payment, terms of the settlement agreement (Adobe PDF) require FMCNA to implement and complete a Corrective Action Plan:

  • Conduct a risk analysis,
  • Develop and implement a risk management plan,
  • Implement a process for evaluating workplace operational changes,
  • Develop an Encryption Report,
  • Review and revise internal policies and procedures to control devices and storage media,
  • Review and revise policies to control access to facilities,
  • Develop a privacy and security awareness training program for workers, and
  • Submit progress reports at regular intervals to HHS.

The Encryption report identifies and describes the devices and equipment (e.g., desktops, laptops, tables smartphones, etc.) that may be used to access, store, and transmit patients' ePHI information; records the number of devices including which utilize encrypted information; and provides a detailed plan for implementing encryption on devices and media which should contain encrypted information and currently don't.

Some readers may wonder why a large fine for relatively small data breaches, since news reports often cite data breaches affecting thousands or millions of persons. HHS explained that the investigation by its Office For Civil Rights (OCR) unit:

"... revealed FMCNA covered entities failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI. The FMCNA covered entities impermissibly disclosed the ePHI of patients by providing unauthorized access for a purpose not permitted by the Privacy Rule... Five breaches add up to millions in settlement costs for entity that failed to heed HIPAA’s risk analysis and risk management rules.."

OCR Director Roger Severino added:

"The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity... Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law."

Fitness Device Usage By U.S. Soldiers Reveal Sensitive Location And Movement Data

Useful technology can often have unintended consequences. The Washington Post reported about an interactive map:

"... posted on the Internet that shows the whereabouts of people who use fitness devices such as Fitbit also reveals highly sensitive information about the locations and activities of soldiers at U.S. military bases, in what appears to be a major security oversight. The Global Heat Map, published by the GPS tracking company Strava, uses satellite information to map the locations and movements of subscribers to the company’s fitness service over a two-year period, by illuminating areas of activity. Strava says it has 27 million users around the world, including people who own widely available fitness devices such as Fitbit and Jawbone, as well as people who directly subscribe to its mobile app. The map is not live — rather, it shows a pattern of accumulated activity between 2015 and September 2017... The U.S.-led coalition against the Islamic State said on Monday it is revising its guidelines on the use of all wireless and technological devices on military facilities as a result of the revelations. "

Takeaway #1: it's easier than you might think for the bad guys to track the locations and movements of high-value targets (e.g, soldiers, corporate executives, politicians, attorneys).

Takeaway #2: unintended consequences from mobile devices is not new, as CNN reported in 2015. Consumers love the convenience of their digital devices. It is wise to remember the warning from a famous economist, "There's no such thing as a free lunch."

Royal Caribbean Cruise Line And CPP-The Myers-Briggs Offer Travel Personality Quiz

Inc. Magazine warned in 2016, "ready or not, companies will soon be tracking your emotions." Most Facebook users already knows this. Also in 2016, the social networking site expanded several reaction buttons beyond its (in)famous "Like" button to cover several emotions (e.g., "Love," "Haha," "Wow," "Sad," "Angry"):


Maybe you have used these reaction buttons. Companies do this because effective marketing appeals to emotions instead of reason.

Now, a popular cruise line has taken things a step further. Cruise Critic, a popular travel site, announced:

"... Royal Caribbean has teamed up with CPP-The Myers-Briggs Company to launch a quiz that offers cruise recommendations based on your personality type. The assessment tool, found on MyAdventurePersonality.com, asks users 13 questions as they pertain to personal behavior and preferences... Once the results are calculated, users will be designated a travel personality type, such as Expert Adventure Planner, Laidback Wanderer and Spontaneous Sightseer. They also will receive an itinerary recommendation best suited for their type, with planning tips."

What is the Myers'Briggs assessment tool? The Myers-Briggs Foundation site explains:

"The purpose of the Myers-Briggs Type Indicator® (MBTI®) personality inventory is to make the theory of psychological types described by C. G. Jung understandable and useful in people's lives. The essence of the theory is that much seemingly random variation in the behavior is actually quite orderly and consistent, being due to basic differences in the ways individuals prefer to use their perception and judgment... In developing the Myers-Briggs Type Indicator [instrument], the aim of Isabel Briggs Myers, and her mother, Katharine Briggs, was to make the insights of type theory accessible to individuals and groups... The identification of basic preferences of each of the four dichotomies specified or implicit in Jung's theory. The identification and description of the 16 distinctive personality types that result from the interactions among the preferences."

Indeed, this assessment tool became very accessible. The Seattle Times reported in 2013:

"Chances are you’ve taken the Myers-Briggs Type Indicator (MBTI), or will. Roughly 2 million people a year do. It has become the gold standard of psychological assessments, used in businesses, government agencies and educational institutions... More than 10,000 companies, 2,500 colleges and universities and 200 government agencies in the United States use the test... It’s estimated that 50 million people have taken the Myers-Briggs personality test since the Educational Testing Service first added the research to its portfolio in 1962... Organizations administer the MBTI assessment to employees in one of two ways. They either pay for someone in their human-resources department to become certified, then pay the materials costs each time employees take the test. Or, they contract with certified, independent training consultants or leadership coaches."

Selected questions from the MyAdventurePersonality site. Click to view larger version The travel quiz uses different and fewer (13 versus ~ 88) forced-choice questions than the MBTI. Plus, the travel quiz categorizes consumers into four travel personality types (versus 16 types by the MBTI). And, the MBTI tool is administered by certified professionals in an ethical manner. So, consumers shouldn't assume that the travel quiz is as rigorous as the MBTI. Admittedly, MyAdventurePersonality may add more questions and/or types in the future.

If you are considering the travel quiz, wise consumers always read the fine print, first. The MyAdventurePersonality site uses the same legal and privacy policies as the core Royal Caribbean cruise line site. So, consumers should know that whatever they submit to the travel quiz will probably be freely shared with other entities, since the Royal Caribbean Privacy Policy does not state any limitations.

The MyAdventurePersonality site may be a marketing gimmick to attract new customers and/or better target e-mail marketing campaigns to current and prospective cruise travelers.

Me? After 28 cruise ship vacations (with many on Royal Caribbean ships) to many areas of the planet, I know my travel needs and preferences very well. So, I doubt the quiz will tell me something I don't already know.

What do you think? Should companies uses these types of quizzes?

Report: Several Impacts From Technology Changes Within The Financial Services Industry

For better or worse, the type of smart device you use can identify you in ways you may not expect. First, a report by London-based Privacy International highlighted the changes within the financial services industry:

"Financial services are changing, with technology being a key driver. It is affecting the nature of financial services from credit and lending through to insurance and even the future of money itself. The field known as “fintech” is where the attention and investment is flowing. Within it, new sources of data are being used by existing institutions and new entrants. They are using new forms of data analysis. These changes are significant to this sector and the lives of the people it serves. We are seeing dramatic changes in the ways that financial products make decisions. The nature of the decision-making is changing, transforming the products in the market and impacting on end results and bottom lines. However, this also means that treatment of individuals will change. This changing terrain of finance has implications for human rights, privacy and identity... Data that people would consider as having nothing to do with the financial sphere, such as their text-messages, is being used at an increasing rate by the financial sector...  Yet protections are weak or absent... It is essential that these innovations are subject to scrutiny... Fintech covers a broad array of sectors and technologies. A non-exhaustive list includes:

  • Alternative credit scoring (new data sources for credit scoring)
  • Payments (new ways of paying for goods and services that often have implications for the data generated)
  • Insurtech (the use of technology in the insurance sector)
  • Regtech (the use of technology to meet regulatory requirements)."

"Similarly, a breadth of technologies are used in the sector, including: Artificial Intelligence; Blockchain; the Internet of Things; Telematics and connected cars..."

While the study focused upon India and Kenya, it has implications for consumers worldwide. More observations and concerns:

"Social media is another source of data for companies in the fintech space. However, decisions are made not on just on the content of posts, but rather social media is being used in other ways: to authenticate customers via facial recognition, for instance... blockchain, or distributed ledger technology, is still best known for cryptocurrencies like BitCoin. However, the technology is being used more broadly, such as the World Bank-backed initiative in Kenya for blockchain-backed bonds10. Yet it is also used in other fields, like the push in digital identities11. A controversial example of this was a very small-scale scheme in the UK to pay benefits using blockchain technology, via an app developed by the fintech GovCoin12 (since renamed DISC). The trial raised concerns, with the BBC reporting a former member of the Government Digital Service describing this as "a potentially efficient way for Department of Work and Pensions to restrict, audit and control exactly what each benefits payment is actually spent on, without the government being perceived as a big brother13..."

Many consumers know that you can buy a wide variety of internet-connected devices for your home. That includes both devices you'd expect (e.g., televisions, printers, smart speakers and assistants, security systems, door locks and cameras, utility meters, hot water heaters, thermostats, refrigerators, robotic vacuum cleaners, lawn mowers) and devices you might not expect (e.g., sex toys, smart watches for children, mouse traps, wine bottlescrock pots, toy dolls, and trash/recycle bins). Add your car or truck to the list:

"With an increasing number of sensors being built into cars, they are increasingly “connected” and communicating with actors including manufacturers, insurers and other vehicles15. Insurers are making use of this data to make decisions about the pricing of insurance, looking for features like sharp acceleration and braking and time of day16. This raises privacy concerns: movements can be tracked, and much about the driver’s life derived from their car use patterns..."

And, there are hidden prices for the convenience of making payments with your favorite smart device:

"The payments sector is a key area of growth in the fintech sector: in 2016, this sector received 40% of the total investment in fintech22. Transactions paid by most electronic means can be tracked, even those in physical shops. In the US, Google has access to 70% of credit and debit card transactions—through Google’s "third-party partnerships", the details of which have not been confirmed23. The growth of alternatives to cash can be seen all over the world... There is a concerted effort against cash from elements of the development community... A disturbing aspect of the cashless debate is the emphasis on the immorality of cash—and, by extension, the immorality of anonymity. A UK Treasury minister, in 2012, said that paying tradesman by cash was "morally wrong"26, as it facilitated tax avoidance... MasterCard states: "Contrary to transactions made with a MasterCard product, the anonymity of digital currency transactions enables any party to facilitate the purchase of illegal goods or services; to launder money or finance terrorism; and to pursue other activity that introduces consumer and social harm without detection by regulatory or police authority."27"

The report cited a loss of control by consumers over their personal information. Going forward, the report included general and actor-specific recommendations. General recommendations:

  • "Protecting the human right to privacy should be an essential element of fintech.
  • Current national and international privacy regulations should be applicable to fintech.
  • Customers should be at the centre of fintech, not their product.
  • Fintech is not a single technology or business model. Any attempt to implement or regulate fintech should take these differences into account, and be based on the type activities they perform, rather than the type of institutions involved."

Want to learn more? Follow Privacy International on Facebook, on Twitter, or read about 10 ways of "Invisible Manipulation" of consumers.

Security Researchers Announce Another Method To Defeat Apple Face ID

You may remember, earlier this year Apple launched its iPhone X with Face ID feature for users to unlock their phones:

"Your face is now your password. Face ID is a secure and private new way to unlock, authenticate, and pay... Face ID is enabled by the TrueDepth camera and is simple to set up. It projects and analyzes more than 30,000 invisible dots to create a precise depth map of your face."

Like it or not, there is no security system for your smartphone that can't be defeated. Mashable reported yesterday that security researchers have found another method to defeat Face ID:

"The same Vietnamese team that managed to trick Face ID with an elaborately constructed mask now says it has found a way to create a replicated face capable of unlocking Apple's latest and greatest biometric using a series of surreptitiously snagged photographs. Apple has copped to the fact that Face ID, for all its technical prowess, isn't perfect. It can be tricked by twins. For

The Bkav researchers explained in a blog post how their crude mask defeated Face ID:

"Bkav used a 3D mask (which costs ~200 USD), made of stone powder, with glued 2D images of the eyes. Bkav experts found out that stone powder can replace paper tape (used in previous mask) to trick Face ID' AI at higher scores. The eyes are printed infrared images – the same technology that Face ID itself uses to detect facial image. These materials and tools are casual for anyone. An iPhone X has its highest security options enabled, then has the owner's face enrolled to set up Face ID, then is immediately put in front of the mask, iPhone X is unlocked immediately. There is absolutely no learning of Face ID with the new mask in this experiment."

The same blog post also explained how a three-dimensional model can defeat Face ID:

"Bkav researchers said that making 3D model is very simple. A person can be secretly taken photos in just a few seconds when entering a room containing a pre-setup system of cameras located at different angles. Then, the photos will be processed by algorithms to make a 3D object.

It can be said that, until now, Fingerprint is still the most secure biometric technology. Collecting a fingerprint is much harder than taking photos from a distance. Meanwhile, just by taking photos from a distance to create 3D objects as mentioned above, both Apple's Face ID and Samsung's Iris Scanner can be bypassed easily."

Experts advise consumers to continue using passcodes, especially for online banking apps. And high-value targets (e.g., senior corporate executives, government officials, politicians, attorneys, etc.) probably shouldn't use facial recognition features to unlock their mobile devices.

I guess that 3-D models will provide law enforcement (and spy agencies) with new ways to use their archived collections of facial images. The Guardian reported earlier this year:

"Approximately half of adult Americans’ photographs are stored in facial recognition databases that can be accessed by the FBI, without their knowledge or consent, in the hunt for suspected criminals. About 80% of photos in the FBI’s network are non-criminal entries, including pictures from driver’s licenses and passports. The algorithms used to identify matches are inaccurate about 15% of the time, and are more likely to misidentify black people than white people."

What do you think?

German Regulator Bans Smartwatches For Children

VTech Kidizoom DX smartwatch for children. Select for larger version Parents: considering a smartwatch for your children or grandchildren? Consider the privacy implications first. Bleeping Computer reported on Friday:

"Germany's Federal Network Agency (Bundesnetzagentur), the country's telecommunications agency, has banned the sale of children's smartwatches after it classified such devices as "prohibited listening devices." The ban was announced earlier today... parents are using their children's smartwatches to listen to teachers in the classroom. Recording or listening to private conversations is against the law in Germany without the permission of all recorded persons."

Some smartwatches are designed for children as young as four years of age. Several brands are available at online retailers, such as Amazon and Best Buy.

Why the ban? Gizmodo explained:

"Saying the technology more closely resembles a “spying device” than a toy... Last month, the European Consumer Organization (BEUC) warned that smartwatches marketed to kids were a serious threat to children’s privacy. A report published by the Norwegian Consumer Council in mid-October revealed serious flaws in several of the devices that could easily allow hackers to seize control. "

Clearly, this is another opportunity for parents to carefully research and consider smart device purchases for their family, to teach their children about privacy, and to not record persons without their permission.

Hacked Butt Plug Highlights Poor Security Of Many Mobile Devices

Image of butt plug, Hush by Lovense. Click to view larger version

In a blog post on Tuesday, security researcher Giovanni Mellini  discussed how easy it was to hack a Bluetooth-enabled butt plug. Why this Internet-connected sex toy? Mellini explained that after what started as a joke he'd bought a few weeks ago:

"... a Bluetooth Low Energy (BLE) butt plug to test the (in)security of BLE protocol. This caught my attention after researchers told us that a lot of sex toys use this protocol to allow remote control that is insecure by design."

Another security researcher, Simone Margaritelli had previously discussed a BLE scanner he wrote called BLEAH and how to use it to hack BLE-connected devices. Mellini sought to replicate Margaritelli's hack, and was successful:

"The butt plug can be remotely controlled with a mobile application called Lovense Remote (download here). With jadx you can disassemble the java application and find the Bluetooth class used to control the device. Inside you can find the strings to be sent to the toy to start vibration... So we have all the elements to hack the sex toy with BLEAH... At the end is very easy to hack BLE protocol due to poor design choices. Welcome to 2017."

Welcome, indeed, to 2017. The seems to be the year of hacked mobile devices. Too many news reports about devices with poor (or no) security: the encryption security flaw in many home wireless routers and devices, patched Macs still vulnerable to firmware hacks, a robovac maker's plans to resell interior home maps its devices created, a smart vibrator maker paid hefty fines to settle allegations it tracked users without their knowledge nor consent, security researchers hacked a popular smart speaker, and a bungled software update bricked many customers' smart door locks.

In 2016, security researchers hacked an internet-connected vibrator.

And, that's some of the reports. All of this runs counter to consumers' needs. In August, a survey of consumers in six countries found that 90 percent believe it is important for smart devices to have security built in. Are device makers listening?

Newsweek reported:

"Lovense did not immediately respond to a request for comment from Newsweek but the sex toy company has spoken previously about the security of its products. "There are three layers of security," Lovense said in a statement last year. "The server side, the way we transfer information from the user’s phone to our server and on the client side. We take our customer’s private data very seriously, which is why we don’t serve any on our servers." "

I have nothing against sex toys. Use one or not. I don't care. My concern: supposedly smart devices should have robust security to protect consumers' privacy.

Smart shoppers want persons they authorize -- and not unknown hackers -- to remotely control their vibrators. Thoughts? Comments?

Consequences And New Threats From The Massive Equifax Breach

Equifax logo To protect themselves and their sensitive information, many victims of the massive Equifax data breach have signed up for the free credit monitoring and fraud resolution services Equifax arranged. That's a good start. Some victims have gone a step further and placed Fraud Alerts or Security Freezes on their credit reports at Equifax, Experian, and TransUnion. That's good, too. But, is that enough?

The answer to that question requires an understanding of what criminals can do with the sensitive information accessed stolen during the Equifax breach. Criminals can commit types of fraud which credit monitoring, credit report alerts, and freezes cannot stop. Consumer Reports (CR) explained:

"Freezing your credit report specifically at Equifax will also prevent crooks from registering as you at the government website, my Social Security, and block them from attempting to steal your Social Security benefits. But taking these steps won't protect you against every identity fraud threat arising from the Equifax data breach."

Sadly, besides credit and loan fraud the Equifax breach exposed breach victims to tax refund fraud, health care fraud, and driver's license (identity) fraud. This is what makes the data breach particularly nasty. CR also listed the data elements criminals use with each type of fraud:

"With your Social Security number, crooks can file false income tax returns in your name, take bogus deductions, and steal the resulting refund. More than 14,000 fraudulent 2016 tax returns, with $92 million in unwarranted refunds, were detected and stopped by the Internal Revenue Service (IRS) as of last March... Data from the Equifax breach can be used to steal your benefits from private health insurance, Medicare, or Medicaid when the identity thief uses your coverage to pay for his own medical treatment and prescriptions... Using your driver’s license number, identity thieves can create bogus driver’s licenses and hang their moving violations on you...."

The CR article suggested several ways for consumers to protect themselves from each type of fraud: a) request an Identity Protection PIN number from the IRS; b) request copies of your medical file from your providers and review your MIB Consumer File each year; and c) request a copy of your driving license record and get your free annual consumer report from ChexSystemsCertegy, and TeleCheck -  the three major check verification companies.

Never considered reviewing your tax account with the IRS? You can. Never heard of a Consumer MIB File? I'm not surprised. Most people haven't. I encourage consumers to read the entire CR article. While at the CR site, read their review of TrustedID Premier service which Equifax arranged for breach victims. It's an eye-opener.

Do these solutions sound like a lot of preventative work? They are. You have Equifax to thank for that. Will Equifax help breach victims with the time and effort required to research and implement the solutions CR recommended? Will Equifax compensate breach victims for the costs incurred with these solutions? These are questions breach victims should ask Equifax and TrustedID Premier.

Consumers and breach victims are slowly learning the consequences of a data breach are extensive. The consequences include time, effort, money, and aggravation. You might say breach victims have been mugged. Worse, consumers are saddled the burden from the consequences. That isn't fair. The companies making money by selling consumers' credit reports and information should be responsible for the burdens. Things are out of balance.

What are your opinions?

Experts Say the Use of Private Email by Trump’s Voter Fraud Commission Isn’t Legal

[Editor's note: today's guest post is by the reporters at ProPublica. It is reprinted with permission.]

By Jessica Huseman, ProPublica

President Donald Trump’s voter fraud commission came under fire earlier this month when a lawsuit and media reports revealed that the commissioners were using private emails to conduct public business. Commission co-chair Kris Kobach confirmed this week that most of them continue to do so.

Experts say the commission’s email practices do not appear to comport with federal law. "The statute here is clear," said Jason R. Baron, a lawyer at Drinker Biddle and former director of litigation at the National Archives and Records Administration.

Essentially, Baron said, the commissioners have three options: 1. They can use a government email address; 2. They can use a private email address but copy every message to a government account; or 3. They can use a private email address and forward each message to a government account within 20 days. According to Baron, those are the requirements of the Presidential Records Act of 1978, which the commission must comply with under its charter.

"All written communications between or among its members involving commission business are permanent records destined to be preserved at the National Archives," said Baron. "Without specific guidance, commission members may not realize that their email communications about commission business constitute White House records."

ProPublica reviewed dozens of emails to and from members of the commission as well as written directives on records retention. The commissioners appear to have been given no instructions to use government email or copy or forward messages to a government account.

Commissioner Matthew Dunlap, the secretary of state for Maine, confirmed that he’d received no such directives. "That’s news to me," he said, when read the PRA provision governing emails. "I think it would be a little cleaner if I had a us.gov email account."

Dunlap’s account is disputed by Andrew Kossack, the executive director of the commission. Kossack said attorneys from the Government Services Administration provided training on the PRA before the commission’s first meeting on July 19. Kossack provided a copy of the PowerPoint presentation. However, the word "email" appears in only a single slide — with no mention of anything relating to the use of government email.

Notably, the commission did not receive any training in records retention until the July 19 meeting, even though the commission was formed in May and had been actively engaged in commission business.

Indeed, the commission had kicked into high gear on June 28, when it sent a letter to all 50 secretaries of state requesting publicly available voter rolls. The response was swift and negative, and commissioners began receiving a wave of messages from election officials and the public.

Despite this, the commissioners were offered no instructions then on how to preserve communications. Baron said such messages would presumptively be considered presidential records, and "the obligation to preserve such records would have arisen on day one."

In a statement, Kossack denied there is an obligation to provide commissioners with government email addresses. He maintained that the commission is required only to "preserve emails and other records related to work on commission matters, regardless of the forum on which the records are created or sent, which the commission and its members are doing."

After the commission’s most recent meeting, on Tuesday, Kobach confirmed that he plans to continue to use his personal Gmail account to conduct commission business. Using his Kansas secretary of state email address, he said, would be a "waste of state resources" as he’s acting as a private citizen on the commission and not in his role as secretary of state.

Dunlap has interpreted the requirements differently. He’s trying to ensure his state email account is used so that emails can be made available to constituents under Maine state law. Even this is a struggle, he said, asserting that commissioners continue to email him at his personal account despite multiple requests that they send email to his government account.

"I really don’t understand why they keep using my personal Gmail account instead of my official state email. But I’m saving everything!" Dunlap wrote to himself on August 7, when he forwarded a communication from the commission to his government address. He has, it appears, continued to immediately forward all emails sent to his personal address by the commission to his state address.

At ProPublica’s request, Dunlap shared every email he has received or sent relating to the commission. The majority went to personal email accounts.

At their recent meeting in New Hampshire, Kossack provided commissioners printed instructions on how to retain their own emails related to a lawsuit filed against the commission by the Lawyers Committee for Civil Rights Under Law.

Dunlap said these instructions are the only written set of instructions on records retention he recalls receiving. (The instructions leave records retention entirely to the discretion of each member of the commission, which Dunlap said concerns him.)

Past commissions with similar missions were not allowed such wide discretion. The Presidential Commission on Election Administration, formed by the Obama administration in March 2013, provided ethics and records retention training days after commissioners were nominated. Each commissioner was provided with a federal email address that automatically archived all messages. PCEA documents show extensive, specific instructions on records retention and compliance with FACA.

Richard Painter, who served as the George W. Bush administration’s chief ethics lawyer from 2005 to 2007, expressed shock that the current commission is being allowed to rely on personal email accounts (which are to be forwarded to Kossack at their discretion). "This is just sloppy," he said, adding that waiting more than two months to offer ethics training was just another sign that the Trump administration "doesn’t take ethics training seriously."

One footnote: Among the emails provided by Dunlap was a message from Carter Page, a former policy adviser to the Trump campaign who has reportedly attracted the attention of investigators probing the Russia imbroglio. Page sent an email on July 5 to three accounts associated with Kobach and cc’d Dunlap, New Hampshire Secretary of State Bill Gardner and Indiana Secretary of State Connie Lawson. In it, he implored the commission to investigate "the Obama administration’s misuse of federal resources of the Intelligence Community in their unjustified attacks on myself and other volunteers who peacefully supported [Trump’s] campaign as private citizens."

"The work of your commission offers an essential opportunity to take further steps toward helping to further restore the integrity of the American democracy following their abuses of last year," he wrote.

There is no evidence this email was forwarded to a federal email account. Page, Kossack and Kobach did not respond to requests for comment about the email.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.

'Map Your Orgasm' - A New Smart Device For Women

Recently, Mashable reported about a new smart device for women:

"The Lioness looks like a pretty standard vibrator on the outside, but inside it has four sensors that measure temperature, the force of muscle contractions, and track the movement of the device. When you’re done with your session, you can sync the Lioness with its app (available for iOS and Android). It then provides you with easy-to-read visualization of what was happening to your body while you were busy getting off. So, yes, essentially it gives you a map of your orgasm. You can also tag each session with different terms so you can track how your health, sleep, alcohol consumption, mood, etc. affect your experiences."

Gives you a map of your orgasm? That's a surprising description. Perhaps, I shouldn't have been surprised. First, there were online tools such as "map my ride" and map my run." Good stuff to help consumers stay healthy. I guess a tool resembling 'map your orgasm' was bound to happen.

Lioness sounds like a much better product name. To learn more, I visited the Lioness site. The home page featured this statement: "Don't worry, we will never share your email or spam you." That's a good start.

Privacy is important; especially with smart devices which collect intimate data about consumers. Earlier this year, news reports described a plan by a smart-device maker to resell the interior home maps its robovacs created. And, another smart vibrator maker paid hefty fines to settle allegations that it tracked users without their knowledge nor consent.

A wise person once said, "the devil is in the details." The privacy policy in a company's website is a good place to hunt for details. While blogging about privacy and identity theft during the last 10 years, I've read plenty of privacy policies. Plenty. I read the Lioness Privacy Policy (dated May 1) and found some notable sections:

"This Privacy Policy applies to our vibrators and other devices (“Devices”), our websites, including but not limited to lioness.io (individually a “Site” and collectively “Sites”), the Lioness software (“Software”) and Lioness mobile applications (the “Apps”). The Devices, Sites, Software and Apps are collectively referred to in this Policy as the “Lioness Service,” and by proceeding to use the Lioness Service you consent that we may handle the data that we collect from you in accordance with this Privacy Policy."

Pretty standard stuff so far. Warning: I'm not an attorney. If you want legal advice, hire an attorney. Like you, I'm just a regular consumer trying to understand smart devices while maintaining as much privacy as possible. Additional sections in the policy I found interesting:

"Sync Your Device
When you sync your Device through an App or the Software, data recorded on your Device is transferred from your Device to our servers. This data is stored and used to provide the Lioness Service and is associated with your account. Each time a sync occurs, we log data about the transmission. Some examples of the log data are the sync time and date, device battery level, and the IP address used when syncing."

Let's unpack that. The vibrator and its mobile app, record the date, time, and battery usage. Combine this with data collected from the four sensors and Lioness will know plenty about your usage: when (date and time), location, duration, preferred movement patterns, and more. It indeed could create a map. More sections in the policy:

Lioness uses your data to provide you with the best experience possible, to help you learn about your body, and to improve and protect the Lioness Service. Here are some examples: i) Contact information is used to send you notifications and to inform you about new features or products... ii) Data and logs are used in research to understand and improve the Lioness Device and Lioness Service; to troubleshoot the Lioness Service; to detect and protect against error, fraud or other criminal activity; and to enforce the Lioness Terms of Service; iii) Aggregate data that does not identify you may be used to inform the health community about trends; for marketing and promotional use..."

Data That Could Identify You
Personally Identifiable Information (PII) is data that includes a personal identifier like your name, email or address, or data that could reasonably be linked back to you."

Hmmm. The policy does not list all data elements that personally identify you. For me, that's important to know. And, anything recorded on a smartphone can easily be linked to a person using her 10-digit phone number or the mobile device's serial number.

Informed shoppers probably want to know before purchase which other companies (e.g., business partners, affiliates, advertisers, etc.) Lioness shares data with. Its May 1, 2017 privacy policy also states:

"... companies that are contractually engaged in providing Lioness with services, such as order fulfillment, email management and credit card processing. These companies are obligated by contract to safeguard any PII they receive from us..."

Lioness will not be responsible for the practices of third parties that Lioness does not own or control or individuals that Lioness does not employ or manage. The information provided by you to other third parties may be subject to their own privacy policies, which may differ from Lioness’s privacy policy. The Lioness Service may contain links to other sites, and we make every effort to only link to sites that share our high standards and respect for privacy. However, we are not responsible for the privacy practices employed by other sites..."

Lioness reserves the right to retain your PII for as long as your account remains active..."

So, the policy doesn't mention other companies by name. Not good. That makes it tough for consumers to make informed decisions.

Fitness tracking with the MapMyRide app On Facebook, many of my friends regularly share visual maps of their workouts. (See example on right.) That's their freedom of choice. So, some consumers are probably wondering if Lioness offers a similar share function. Again from the privacy policy:

"Community Posts
The Lioness Service may offer discussion forums, message boards, social networking opportunities, chat pages and other public forums or features in which you may provide personal information, materials and related content. If you submit personal information when using these public features, please note that such personal information may be publicly posted and otherwise disclosed and used without limitation or restriction."

So, the policy doesn't mention literal maps, per se. They might or might not provide the feature to users. The key takeaway: the responsibility rests upon the user. Don't share it if you don't want it made public.

It's probably helpful to also know that the product uses Bluetooth technology to perform data syncing. From the Lioness FAQ page:

"Wait...will there be bluetooth in my vagina?
Nope. We know that there are a lot of people who don’t like the idea of bluetooth being on while in use, so we made it so bluetooth automatically turns off when you use it."

Also, the FAQ page mentioned:

"Is my data stored securely and kept confidential?
Absolutely. We thought about privacy and security from the beginning for this product. You are the only one who can access your individual data. Everything is encrypted and we fully anonymize the data..."

That's good, but the privacy policy didn't mention data encryption. I expected it would. Not sure what to make of that.

Is the Lioness a good deal? Only you can decide for yourself -- and you should after reading both the privacy and terms-of-service policies.

Me? In my opinion, there seems to be too much wiggle-room for data sharing. The policy contains a lot of words and nothing special compared to other policies I've read. What are your opinions?

The Bogus Claims By Broadband Providers And Their Allies About Net Neutrality

The Techdirt blog has called out -- in plain language -- the bogus claims and distortions by broadband providers about net neutrality rules. Techdirt reported:

"... one of AT&T, Comcast and Verizon's favorite bogus claims about net neutrality rules is that such consumer protections will somehow prevent the sick or disabled from getting the essential internet connectivity they need. For example, Verizon once tried to claim that the deaf and disabled would be harmed if large ISPs weren't allowed to create fast or slow lanes.. this claim that net neutrality rules somehow prevent ISPs from prioritizing essential medical technologies or other priority traffic has always been bullshit. The FCC's 2015 open internet rules (pdf) are embedded with numerous, significant caveats when it comes to creating fast and slow lanes... In fact, the existing rules go to great lengths to differentiate "Broadband Internet Access Service (BIAS),” (your e-mail, Netflix streams and other more ordinary traffic) from “Non-BIAS data services,” which can include everything from priority VoIP traffic to your heart monitor and other Telemedicine systems."

The U.S. Federal Communications Commission (FCC), led by Ajit Pai a former lawyer at Verizon, moved closer to eliminating net neutrality with a preliminary vote in May. For those who don't know or have forgotten, net neutrality is when consumers are in control -- consumers choose where to go online with the broadband they've purchased, and ISPs must treat all content equally. That means no blocking, no throttling, and no paid prioritization. Net neutrality means consumers stay in control of where they go online.

Without net neutrality, consumers lose the freedom of choice. ISPs will decide where consumers can go online, which sites you can visit, and which sites you can visit only if you pay more. ISPs will likely group web sites into tiers (e.g., slow vs. fast "lanes"), similar to premium cable-TV channels. Do you want your monthly internet bill as confusing, complicated, and expensive as your cable-TV bill? I don't, and I doubt you do either.

TechDirt highlighted other bogus claims:

... how net neutrality kills network investment) doesn't stop it from being circulated repeatedly by the army of politicians, think tankers, consultants, fauxcademics, and lobbyists paid to pee in the net neutrality discourse pool.

One of the core perpetrators of this myth is AT&T, which just scored a massive, lucrative $6.5 billion contract to build the nation's first, unified emergency first responder network: aka FirstNet... AT&T isn't worried about net neutrality rules harming medical services, since they've long-been exempted. AT&T's worried about one thing: any rules stopping it from abusing a lack of broadband competition to drive up prices and engage in anti-competitive behavior."

Back in May, the U.S. Federal Communications Commission (FCC) tmoved closer to eliminating net neutrality with a preliminary vote in May.

What can you do? Plenty. Now is the time for more concerned citizens to rise, speak up, and fight back. Write to your elected officials. Tell your friends, classmates, coworkers, and family members. Use this action form to contact your elected officials. Participate in local marches and protests. Join the Fight For The Future. Support the EFF.

Google And Massachusetts Transportation Department Provide GPS Signals In Tunnels

Smartphone users love their phones. That includes Global Positioning System (GPS) navigation services for driving directions. However, those driving directions don't work in tunnels where phones can't get GPS signals. That is changing.

Google and the Massachusetts Department of Transportation (MassDOT) have entered a partnership to provide GPS navigation services for drivers inside tunnels. If you've familiar with Boston, then you know that portions of both Interstate 93 and the Massachusetts Turnpike include tunnels. The ABC affiliate in Boston, WCVB reported last month that the partnership, part of the Connected Citizens Program, will:

"... install beacons inside Boston's tunnels to help GPS connection stay strong underground. Around 850 beacons are being installed, free of charge, as a part of an ongoing partnership between the state and the traffic app... Installation is scheduled to be complete by the end of July... The beacons are not limited to improving their own app's signal. As long as you are using Bluetooth, they are able to help improve any traffic app's connection."

For those unfamiliar with the technology, beacons are low-powered transmitters which, in this particular application, are installed in the tunnels' walls and provide geographic location information usable by drivers' (or passengers') smartphones passing by (assuming the phones' Bluetooth features are enabled).

Bluetooth beacons are used in a variety of applications and locations. The Privacy SOS blog explained:

"... They’re useful in places where precise location information is necessary but difficult to acquire via satellite. For that reason, they’ve been field tested in museums such as New York’s Metropolitan Museum of Art and airports like London Gatwick. At Gatwick, beacons deliver turn-by-turn directions to users’ phones to help them navigate the airport terminals..."

Within large airports such as Gatwick, the technology can present more precise geolocation data of nearby dining and shopping venues to travelers. According to Bluetooth SIG, Inc., the community of 30,000 companies that use the technology:

"The proliferation and near universal availability of Bluetooth® technology is opening up new markets at all ends of the spectrum. Beacons or iBeacons—small objects transmitting location information to smartphones and powered by Bluetooth with low energy—make the promise of a mobile wallet, mobile couponing, and location-based services possible... The retail space is the first to envision a future for beacons using for everything from in-store analytics to proximity marketing, indoor navigation and contactless payments. Think about a customer who is looking at a new TV and he/she gets a text with a 25 percent off coupon for that same TV and then pays automatically using an online account..."

iBeacons are the version for Apple branded mobile devices. All 12 major automobile makers offer hands-free phone calling systems using the technology. And, social network giant Facebook has developed its own proprietary Bluetooth module for an undisclosed upcoming consumer electronics device.

So, the technology provides new marketing and revenue opportunities to advertisers. TechCrunch explained:

"The Beacons program isn’t looking to get help from individual-driver Wazers in this case, but is looking for cities and tunnel owners who might be fans of the service to step up and apply to its program. The program is powered by Eddystone, a Bluetooth Low Energy beacon profile created by Google that works with cheap, battery-powered BLE Waze Beacon hardware to be installed in participating tunnels. These beacons would be configured to transmit signals to Bluetooth-enabled smartphones... There is a cost to participate — each beacon is $28.50, Waze notes, and a typical installation requires around 42 beacons per mile of tunnel. But for municipalities and tunnel operators, this would actually be a service they can provide drivers, which might actually eliminate frustration and traffic..."

There are several key takeaways here:

  1. GPS navigation services can perform better in previously unavailable areas,
  2. Companies can collect (and share) more precise geolocation data about consumers and our movements,
  3. Consumers' GPS data can now be collected in previously unattainable locations,
  4. What matters aren't the transmissions by beacons, but rather the GPS and related data collected by your phone and the apps you use, which are transmitted back to the apps' developers, and then shared by developers with their business partners (e.g., mobile service providers, smartphone operating system developers, advertisers, and affiliates
  5. You don't have to be a Google user for Google to collect GPS data about you, and
  6. Consumers can expect a coming proliferation of Bluetooth modules in a variety of locations, retail stores, and devices.

So, now you know more about how Google and other companies collect GPS data about you. After analyzing the geolocation data collected, they know not only when and where you go, but also your patterns in the physical world: where you go on certain days and times, how long you stay, where and what you've done before (and after), who you associate with, and more.

Don't like the more precise tracking? Then, don't use the Waze app or Google Maps, delete the blabbermouth apps, or turn off the Bluetooth feature on your phone.

A noted economist once said, "There is no free lunch." And that applies to GPS navigation in tunnels. The price for "free," convenient navigation services means mobile users allow companies to collect and analyze mountains of data about their movements in the physical world.

What are your opinions of GPS navigation services in tunnels? If the city or town where you live has tunnels, have beacons been installed?

Hacked Amazon Echo Converted Into Always-On Surveillance Device

Image of amazon Echo Wired reported how a white-hat hacker provided proof-of-concept that a popular voice-activated, smart home speaker could easily be hacked:

"... British security researcher Mark Barnes detailed a technique anyone can use to install malware on an Amazon Echo, along with his proof-of-concept code that would silently stream audio from the hacked device to his own faraway server. The technique requires gaining physical access to the target Echo, and it works only on devices sold before 2017. But there's no software fix for older units, Barnes warns, and the attack can be performed without leaving any sign of hardware intrusion."

Amazon sells both new and refurbished speakers. Newer models also include cameras. All are probably high-value targets of hackers and spy agencies.

Reportedly, Amazon has fixed the security vulnerability in newer (2017) models. The company advises customers to keep the software on their speakers current, and purchase speakers from trusted retailers. However (bold emphasis added):

"... Barnes agrees that his work should serve as a warning that Echo devices bought from someone other than Amazon—like a secondhand seller—could be compromised. But he also points out that, contrary to the implication of the company's statement, no software update will protect earlier versions of the Echo, since the problem is in the physical connection its hardware exposes.

Instead, he says that people should think twice about the security risks of using an Echo in public or semipublic places, like plans for the Wynn Hotel in Las Vegas to put an Echo in every room."

Voice-activated smart speakers in hotel lobbies and rooms. Nothing could go wrong with that. All it takes is a prior guest, or criminal posing as a hotel staff or cleaning person, to hack and compromise one or more older devices. Will hotels install the newer devices? Will they inform guests?

For guaranteed privacy, it seems hotel guests may soon have to simply turn off (or mute) smart speakers, smart televisions, and personal assistants. Convenience definitely has its price (e.g., security and privacy). What do you think?

Survey: 90 Percent Of Consumers Want Smart Devices With Security Built In

A recent survey of consumers in six countries found that 90 percent believe it is important for smart devices to have security built into the products. Also, 78 percent said they are aware that any smart device connected to their home WiFi network is vulnerable to attacks by hackers wanting to steal personal data stored on the device.

Security importance by country. Irdeto Global Consumer IoT Security Survey. Select to view larger version The Irdeto Global Consumer IoT Security Survey, conducted online from June 22, 2017 to July 10, 2017 by YouGov Plc for Irdeto, included 7,882 adults (aged 18 or older) in six countries: Brazil, China, Germany, India, United Kingdom, and United States. Irdeto provides security solutions to protect platforms and applications for media, entertainment, automotive and Internet-of-things (IoT) connected industries.

Additional key findings:

"... 72% of millennials (ages 18-24 years) indicated that they are aware that any smart device connected to the Wi-Fi in their home has the potential to be targeted by a hacker, compared to 82% of consumers 55+. This indicates that older generations may be more savvy about IoT security or more cautious... More than half of consumers around the globe (56%) think that it is the responsibility of both the end-user and the manufacturer of the product to prevent hacking of smart devices. Alternatively, only 15% of consumers globally think they are responsible, while 20% feel the manufacturer of the device is responsible for cybersecurity. In China, more consumers than any other country surveyed (31%) stated that it is the responsibility of manufacturers. Brazilians led all countries surveyed (23%) in the belief that it is the responsibility of the end-user to prevent hacking of connected devices... Germans expressed the least concern with nearly half (42%) stating that they are not concerned about smart devices being hacked. On the opposite end of the spectrum, Brazilian smart device owners expressed the most concern with 88% of those surveyed saying they were concerned...

And, smart device usage varies by country:

"Regarding the number of smart devices consumers own, 89% of those surveyed have at least one connected device in their home. In addition, 81% of consumers across the globe admitted to having more than one connected device in the home. India led all countries with a staggering 97% of consumers stating that they have at least one smart device in the home, compared to only 80% of US consumers..."

Read the announcement by Irdeto. View the full infographic.

Device security responsibility. Irdeto Global Consumer IoT Security Survey. Select to view larger version

Robotic Vacuum Cleaner Maker To Resell Data Collected Of Customers' Home Interiors

iRobot Roomba autonomous vacuum. Click to view larger image Do you use a robovac -- an autonomous WiFi-connected robotic vacuum cleaner -- in your home? Do you use the mobile app to control your robovac?

Gizmodo reports that iRobot, the maker of the Roomba robotic vacuum cleaner, plans to resell maps generated by robovacs to other smart-home device manufacturers:

"While it may seem like the information that a Roomba could gather is minimal, there’s a lot to be gleaned from the maps it’s constantly updating. It knows the floor plan of your home, the basic shape of everything on your floor, what areas require the most maintenance, and how often you require cleaning cycles, along with many other data points... If a company like Amazon, for example, wanted to improve its Echo smart speaker, the Roomba’s mapping info could certainly help out. Spatial mapping could improve audio performance by taking advantage of the room’s acoustics. Do you have a large room that’s practically empty? Targeted furniture ads might be quite effective. The laser and camera sensors would paint a nice portrait for lighting needs..."

Think about it. The maps identify whether you have one, none, or several sofas -- or other large furniture items. The maps also identify the size, square footage, of your home and the number of rooms. Got a hairy pet? If your robovac needs more frequently cleaning, that data is collected, too.

One can easily confirm this by reading the iRobot Privacy Policy:

"... Some of our Robots are equipped with smart technology which allows the Robots to transmit data wirelessly to the Service. For example, the Robot could collect and transmit information about the Robot’s function and use statistics, such as battery life and health, number of missions, the device identifier, and location mapping. When you register your Robot with the online App, the App will collect and maintain information about the Robot and/or App usage, feature usage, in-App transactions, technical specifications, crashes, and other information about how you use your Robot and the product App. We also collect information provided during set-up.

We use this information to collect and analyze statistics and usage data, diagnose and fix technology problems, enhance device performance, and improve user experience. We may use this information to provide you personalized communications, including marketing and promotional messages... Our Robots do not transmit this information unless you register your device online and connect to WiFi, Bluetooth, or connect to the internet via another method."

Everything seems focused upon making your robovac perform optimally. Seems. Read on:

"When you access the Service by or through a mobile device, we may receive or collect and store a unique identification numbers associated with your device or our mobile application (including, for example, a UDID, Unique ID for Advertisers (“IDFA”), Google Ad ID, or Windows Advertising ID), mobile carrier, device type, model and manufacturer, mobile device operating system brand and model, phone number, and, depending on your mobile device settings, your geographical location data, including GPS coordinates (e.g. latitude and/or longitude) or similar information regarding the location of your mobile device..."

Use the mobile app and your robovac's unique ID number can easily be associated with other data describing you, where you live, and your lifestyle. Valuable stuff.

Another important section of the privacy policy:

"We may share your personal information in the instances described... i) Other companies owned by or under common ownership as iRobot, which also includes our subsidiaries or our ultimate holding company and any subsidiaries it owns. These companies will use your personal information in the same way as we can under this Policy; ii) Third party vendors, affiliates, and other service providers that perform services on our behalf, solely in order to carry out their work for us, which may include identifying and serving targeted advertisements, providing e-commerce services, content or service fulfillment, billing, web site operation, payment processing and authorization, customer service, or providing analytics services.

Well, there seems to be plenty of wiggle room for iRobot to resell your data. And, that assumes it doesn't change its privacy policy to make resales easier. Note: this is not legal advice. If you want legal advice, hire an attorney. I am not an attorney.

The policy goes on to describe customers' choices with stopping or opting out of data collection programs for some data elements. If you've read that, then you know how to opt out of as much as possible of the data collection.

The whole affairs highlights the fact that the data collected from different brands of smart devices in consumers' homes can be combined, massaged, and analyzed in new ways -- ways in which probably are not apparent to consumers, and which reveal more about you than often desired. And, the whole affair is a reminder to read privacy policies before purchases. Know what valuable personal data you will give away for convenience.

Eyes wide open.

Got an autonomous robotic lawn mower? You might re-read the privacy policy for that, too.

Wisconsin Employer To Offer Its Employees ID Microchip Implants

Microchip implant to be used by Three Square Market. Click to view larger version A Wisconsin company said it will offer to its employees starting August 1 the option of having microchip identification implants. The company, Three Square Market (32M), will allow employees with the microchip implants to make purchases in the employee break room, open locked doors, login to computers, use the copy machine, and related office tasks.

Each microchip, about the size of a grain of rice (see photo on the right), would be implanted under the skin in an employee's hand. The microchips use radio-frequency identification (RFID), a technology that's existed for a while and has been used in variety of devices: employee badges, payment cards, passports, package tracking, and more. Each microchip electronically stores identification information about the user, and uses near-field communications (NFC). Instead of swiping a payment card, employee badge, or their smartphone, instead the employee can unlock a device by waving their hand near a chip reader attached to that device. Purchases in the employee break room can be made by waving their hand near a self-serve kiosk.

Reportedly, 32M would be the first employer in the USA to microchip its employees. CBS News reported in April about Epicenter, a startup based in Sweden:

"The [implant] injections have become so popular that workers at Epicenter hold parties for those willing to get implanted... Epicenter, which is home to more than 100 companies and some 2,000 workers, began implanting workers in January 2015. Now, about 150 workers have [chip implants]... as with most new technologies, it raises security and privacy issues. While biologically safe, the data generated by the chips can show how often an employee comes to work or what they buy. Unlike company swipe cards or smartphones, which can generate the same data, a person cannot easily separate themselves from the chip."

In an interview with Saint Paul-based KSTP, Todd Westby, the Chief Executive Officer at 32M described the optional microchip program as:

"... the next thing that's inevitably going to happen, and we want to be a part of it..."

To implement its microchip implant program, 32M has partnered with Sweden-based BioHax International. Westby explained in a company announcement:

"Eventually, this technology will become standardized allowing you to use this as your passport, public transit, all purchasing opportunities... We see chip technology as the next evolution in payment systems, much like micro markets have steadily replaced vending machines... it is important that 32M continues leading the way with advancements such as chip implants..."

"Mico markets" are small stores located within employers' offices; typically the break rooms where employees relax and/or purchase food. 32M estimates 20,000 micro markets nationwide in the USA. According to its website, the company serves markets in North America, Europe, Asia, and Australia. 32M believes that micro markets, aided by chip implants and self-serve kiosk, offer employers greater employee productivity with lower costs.

Yes, the chip implants are similar to the chip implants many pet owners have inserted to identify their dogs or cats. 32M expects 50 employees to enroll in its chip implant program.

Reportedly, companies in Belgium and Sweden already use chip implants to identify employees. 32M's announcement did not list the data elements each employee's microchip would contain, nor whether the data in the microchips would be encrypted. Historically, unencrypted data stored by RFID technology has been vulnerable to skimming attacks by criminals using portable or hand-held RFID readers. Stolen information would be used to cloned devices to commit identity theft and fraud.

Some states, such as Washington and California, passed anti-skimming laws. Prior government-industry workshops about RFID usage focused upon consumer products, and not employment concerns. Earlier this year, lawmakers in Nevada introduced legislation making it illegal to require employees to accept microchip implants.

A BBC News reporter discussed in 2015 what it is like to be "chipped." And as CBS News reported:

"... hackers could conceivably gain huge swathes of information from embedded microchips. The ethical dilemmas will become bigger the more sophisticated the microchips become. The data that you could possibly get from a chip that is embedded in your body is a lot different from the data that you can get from a smartphone..."

Example: employers installing RFID readers for employees to unlock bathrooms means employers can track when, where, how often, and the duration employees use bathrooms. How does that sound?

Hopefully, future announcements by 32M will discuss the security features and protections. What are your opinions? Are you willing to be an office cyborg? Should employees have a choice, or should employers be able to force their employees to accept microchip implants? How do you feel about your employer tracking what you eat and drink via purchases with your chip implant?

Many employers publish social media policies covering what employees should (shouldn't, or can't) publish online. Should employers have microchip implant policies, too? If so, what should these policies state?