558 posts categorized "Privacy" Feed

Seattle Strengthens Privacy Protections For Broadband And Cable Users

The city of Seattle has strengthened it privacy rules to better protect residents using cable-TV services and high-speed internet services (a/k/a broadband). The new rules go into effect on May 24, and mirrors the FCC broadband privacy rules which Congress revoked earlier this year.

The announcement by the Seattle Mayor's office explained:

"Seattle Municipal Code (SMC 21.60) grants the City of Seattle authority to issue rules related to the privacy practices of cable operators. These rules govern not only cable television services but also non-cable services, such as internet service. The new rule states cable operators must obtain opt-in consent before sharing a customer’s web browsing history or otherwise using such information for a purpose other than providing a customer with their requested service.

Comcast, CenturyLink, and Wave have cable franchise agreements with the City of Seattle and will be subject to the new rule. Under the terms of the rule, these cable operators must report their compliance by Sept. 30, 2017 and annually thereafter."

Earlier this year, a national poll found the the Republican rollback of FCC broadband privacy rules very unpopular among consumers. Despite this, President Trump signed the privacy-rollback legislation on April 3.

The new rules in Seattle, ITD Director's Rule 2017-10 (Adobe PDF), state in part:

"- Prohibit Cable Operators from collecting or disclosing any information regarding the extent of any individual customer's viewing habits, or other use by a customer of a cable service or other service provided such as web browsing activity, without the prior affirmative consent of the customer, unless such information is necessary to render a service requested by the customer, or a legitimate business purpose related to the service.
- Require Cable Operators to fully and completely disclose customer rights and the limitations imposed on a Cable Operator's collection, use, and disclosure of Personally Identifiable Information (PII) in clear language that a customer can radily understand.
- Require Cable Operators to destroy within 90 days any PII if the PII is no longer necessary for the purpose for which it was collected and there are no pending requests or orders for access to shuch PII... Require Cable Operators to provide stamped, self-addressed post cards that customers can mail in to have their names and addresses removed form any lists the Cable Operators might use for purposes other than the direct provision of service to those customers.
- Establish without ambiguity that a customer, once "opting out" of the Cable Operator's mailing list, is permanently removed from that list unless that customer subsequently requests inclusion on such list."

This is a great start. The rules define PII as:

"... specific information about a customer, including, but not not limited to, a customer's (a) login information, (b) extent of viewing of video programming or other services, (c) shopping choices, (d) interests and opinions, (e) energy uses, (f) medical information, (g) banking data or information, (h) web browsing activities, or (i) any other personal or private information..."

Mayor Edward B. Murray commented about the new rules:

"Where the Trump administration continues to roll back critical consumer protections, Seattle will act... I believe protecting the privacy of internet users is essential and this policy allows the City to do just that. Because of regulation repeals at the national level, we must use all of the powers at our disposal to protect the rights of our residents."

Citizens in other major cities across the United States may want to ask what consumer-friendly privacy actions their mayors are taking.


Update: Net Neutrality, Adminstrative Law, The Courts, And Next Steps

Federal communications Commission logo A lot has happened since Federal Communications Commission (FCC) Chairman Ajit Pai disclosed his plan last week to kill net neutrality. While the FCC commissioners will vote on May 18 about the rules changes, a federal law could affect the outcome. First, Wired reported:

"A 1946 law called the Administrative Procedure Act bans federal agencies making “capricious” decisions. The law is meant, in part, to keep regulations from yo-yoing back and forth every time a new party gained control of the White House. The FCC successfully argued in favor of Title II reclassification in federal court just last summer. That effort means Pai might have to make the case that things had changed enough since then to justify a complete reversal in policy."

Read the text of the Administrative Procedure Act (APA). Learn more here.

The recent actions (e.g., privacy, net neutrality) by the Republican-led FCC have definitely resulted in both uncertainty and a yo-yoing of rules. At times, it feels like watching a tennis match. While Pai and other advocates of killing net neutrality have claimed that infrastructure investment has declined due to the reclassification by the FCC, the reality:

"During a hearing earlier this year, senator Edward Markey (D-Massachusetts) pointed to US Census Bureau estimates that broadband investment increased slightly from $86.6 in 2014 to $87.2 billion in 2015..."

Data for 2016 isn't available yet. As I mentioned in a prior post, telecommunications companies made conscious decisions and could have diverted money from other spending to infrastructure. They didn't and chose this legislation path instead. Again from Wired's analysis:

"Other business considerations could also play into changes in telecom spending on network infrastructure, such as a desire to wait and let previous investments pay for themselves before making new ones. The CEO of Verizon, for example, told shareholders that Title II didn’t affect the company’s investment plans. And Martin points out that a recent auction in which companies spent $19.8 billion to buy rights to use more of the wireless spectrum doesn’t exactly look like an industry shy of investing."

"If the infrastructure argument doesn’t fly, Pai could also argue that the rules are unnecessary because proverbial fast and slow lanes for the internet never existed. The problem is that’s not true. The Bush-era FCC ordered Comcast to stop throttling BitTorrent traffic in 2008... Under a secret agreement with AT&T, Apple blocked iPhone users from making Skype calls over the carrier’s network until the FCC pressured the companies into reversing the policy in 2009..."

Read the entire Wired analysis. It makes it crystal clear how corporate ISPs are trying to rig the system for themselves and against consumers.

Second, a recent decision by a federal court rejected big telecom's petition to have the existing FCC's net neutrality rules overturned. On Monday, Ars Technica reported:

"The US Court of Appeals for the District of Columbia Circuit denied the broadband industry's petition for a rehearing of a case that upheld net neutrality rules last year. A three-judge panel ruled 2-1 in favor of the FCC in June 2016, but ISPs wanted an en banc review in front of all of the court's judges. The request for an en banc review was denied in the order issued today."

What to make of this? The bottom line is that the circuit court decided to uphold the reclassification of broadband ISPs as common carriers and the FCC's net neutrality rules. While big telecom could appeal the decision with the Supreme Court, that seems unlikely since they know that the FCC, led by Chairman Ajit Pai, a Republican, has a majority of Republican commissioners who will vote to overturn net neutrality rules on May 18. And, Chairman Pai will have to overcome any challenges with the APA.

In response to the court decision, FCC Chairman Pai issued this statement:

"In light of the fact that the Commission on May 18 will begin the process of repealing the FCC’s Title II regulations, it is not surprising, as Judges Srinivasan and Tatel pointed out, that the D.C. Circuit would decide not to grant the petitions for rehearing en banc. Their opinion is important going forward, however, because it makes clear that the FCC has the authority to classify broadband Internet access service as an information service..."

Chairman Pai seems hell-bent upon ignoring the historical problems in the broadband industry that plagued consumers, in order to change the rules in favor of big telecom. Those problems led to the reclassification by the FCC. A prior blog post listed some of those problems:

"The lack of ISP competition in key markets meant consumers in the United States pay more for broadband and get slower speeds compared to other countries. Rural consumers and low-income areas lacked broadband services. There were numerous complaints by consumers about usage Based Internet Pricing. There were privacy abuses and settlement agreements by ISPs involving technologies such as deep-packet inspection and 'Supercookies' to track customers online, despite consumers' wishes not to be tracked. Many consumers didn't get the broadband speeds ISP promised. Some consumers sued their ISPs, and the New York State Attorney General invited residents to check their broadband speed with this tool. Tim Berners-Lee, the founder of the internet, cited in March three reasons why the Internet is in trouble. His number one reason: consumers had lost control of their personal information... Some consumers found that their ISP hijacked their online search results without notice nor consent. An ISP in Kansas admitted in 2008 to secret snooping after pressure from Congress."

Third, big telecom is engaged in some savvy, deceptive maneuvering. Ars Technica discussed bizarre claims by Verizon:

"... Verizon's general counsel, Craig Silliman, wants you to believe that Verizon never opposed net neutrality rules, even though it sued the FCC to eliminate them. He's also making the claim that the FCC isn't even talking about eliminating the net neutrality rules, even though FCC Chairman Ajit Pai is proposing to do exactly that."

Watch the Verizon video with Verizon's Silliman. When Silliman said, "changing the legal footing," he is referring to comments by others that the FTC should regulate broadband services, and not the FCC. That places the burden on consumers and the FTC to sue when broadband providers don't deliver the services promised; assuming that broadband providers disclose in their terms-of-service and privacy policies what they will deliver. With regulation by the FCC, consumers would have been in charge of their privacy, big telecom would have been forced to be transparent and explain what they were doing, and big telecom couldn't slice up the internet into slow and fast lanes forcing consumers to pay more to access certain sites.

During the last fight about neutrality in 2014, about about 90 tech companies sent a letter to FCC Chairman Tom Wheeler (Adobe PDF) encouraging the FCC to support for a free and open internet, where consumers decide where to go online with the broadband services purchased. Several notable companies signed that 2014 letter: Amazon, Dropbox, Ebay, Facebook, Gawker, Google, Microsoft, Mozilla, Netflix, Twitter, Vonage, and Yahoo. I did not see Verizon (nor Comcast) in the list of signers.

That's some brilliant and deceptive maneuvering. Big telcom can appear reasonable and deny talking about killing net neutrality rules while knowing that their representative, Chairman Pai and his fellow Republican commissioners at the FCC, will do it for them. Again, from Ars Technica:

"No major Internet service provider has done more to prevent implementation of net neutrality rules in the US than Verizon. After years of fighting the rules in courts of law and public opinion, Verizon is about to get what it wants as the FCC—now led by a former Verizon lawyer—prepares to eliminate the rules and the legal authority that allows them to be enforced."

Fourth, the FCC released its Notice of Proposed Rule Making (NPRM): Proceeding 17-108, "Restoring Internet Freedom" - April 26, 2017 (Adobe PDF). Just as before in 2014 - 15, the new rule is open to public comments. This means, it is time for citizens and voters to take action.

FCC Chairman Pai and others claim that the Internet was working well before, and net neutrality rules are unnecessary and a government intrusion. Ordinary broadband customers can have a great impact. It is time for consumers to submit comments to the FCC. About 25,578 people have already submitted comments. For example, a comment by Darion from Austin, Texas:

"The FCC Open Internet Rules (net neutrality rules) are extremely important to me. I urge you to protect them. Most Americans only have one choice for true high speed Internet access: our local cable company. Cable companies (and wireless carriers) are actively lobbying Congress and the FCC for the power to: i) Block sites and apps, to charge them "access fees;" ii) Slow sites and apps to a crawl, to establish paid "fast lanes" (normal speed) and slow lanes (artificially low speeds); and iii) Impose arbitrarily low data caps, so they can charge sites to escape those caps, or privilege their own services ("zero rating").
They're doing it so they can use their monopoly power to stand between me and the sites I want to access, extorting money from us both. I'll be forced to pay more to access the sites I want, and sites will have to pay a kind of protection money to every major cable company or wireless carrier—just to continue working properly!

The FCC's Open Internet Rules are the only thing standing in their way. I'm sending this to letter to my two senators, my representative, the White House, and the FCC. First, to the FCC: don’t interfere with my ability to access what I want on the Internet, or with websites' ability to reach me. You should leave the existing rules in place, and enforce them.

To my senators: you have the power to stop FCC Chair Ajit Pai from abusing the rules by refusing to vote for his reconfirmation. I expect you to use that power. Pai, a former Verizon employee, has made it clear he intends to gut the rules to please his former employer and other major carriers, despite overwhelming support for the rules from voters in both parties... To the White House: Ajit Pai, a former Verizon employee, is acting in the interests of his former employer, not the American people. America deserves better... To my representative: please publicly oppose Ajit Pai's plan to oppose the rules... I would be happy to speak more with anyone on your staff about the rules and why they’re so important to me. Please notify me of any opportunities to meet with you or your staff."

Be brief. Use your own words. Submit your comments soon, since the deadline fast approaches. Also, tell your elected officials. Participate in local marches and protests. Join the Fight For The Future. Support the EFF.


The Need For A Code Of Ethics With The Internet Of Things

Earlier this week, The Atlantic website published and interview with Francine Berman, a computer-science professor at Rensselaer Polytechnic Institute, about the need for a code of ethics for connected, autonomous devices, commonly referred to as the internet-of-things (IoT). The IoT is exploding.

Experts forecast 8.4 billion connected devices in use worldwide in 2017, up 31 percent from 2016. Total spending for those devices will reach almost $2 trillion in 2017, and $20.4 billion by 2020. North America, Western Europe, and China, which already comprise 67 percent of the installed base, will drive much of this growth.

In a February, 2017 article (Adobe PDF) in the journal Communications of the Association for Computing Machinery, Berman and Vint Cerf, an engineer, discussed the need for a code of ethics:

"Last October, millions of interconnected devices infected with malware mounted a "denial-of-service" cyberattack on Dyn, a company that operates part of the Internet’s directory service. Such attacks require us to up our technical game in Internet security and safety. They also expose the need to frame and enforce social and ethical behavior, privacy, and appropriate use in Internet environments... At present, policy and laws about online privacy and rights to information are challenging to interpret and difficult to enforce. As IoT technologies become more pervasive, personal information will become more valuable to a diverse set of actors that include organizations, individuals, and autonomous systems with the capacity to make decisions about you."

Given this, it seems wise for voters to consider whether or not elected officials in state, local, and federal government understand the issues. Do they understand the issues? If they understand the issues, are they taking appropriate action? If they aren't taking appropriate action, is due to other priorities? Or are different elected officials needed? At the federal level, recent events with broadband privacy indicate a conscious decision to ignore consumers' needs in favor of business.

In their ACM article, Bermand and Cerf posed three relevant questions:

  1. "What are your rights to privacy in the internet-of-things?
  2. Who is accountable for decisions made by autonomous systems?
  3. How do we promote the ethical use of IoT technologies?"

Researchers and technologists have already raised concerns about the ethical dilemmas of self-driving cars. Recent events have also highlighted the issues.

Some background. Last October, a denial-of-service attack against a hosting service based in France utilized a network of more than 152,000 IoT devices, including closed-circuit-television (CCTV) cameras and DVRs. The fatal crash in May of a Tesla Model S car operating in auto-pilot mode and the crash in February of a Google self-driving car raised concerns. According to researchers, 75 percent of all cars shipped globally will have internet connectivity by 2020. Last month, a security expert explained the difficulty with protecting connected cars from hackers.

And after a customer posted a negative review online, a developer of connected garage-door openers disabled both the customer's device and online account. (Service was later restored.) Earlier this year, a smart TV maker paid $2.2 million to settle privacy abuse charges by the U.S. Federal Trade Commission (FTC). Consumers buy and use a wide variety of connected devices: laptops, tablets, smartphones, personal assistants, printers, lighting and temperature controls, televisions, home security systems, fitness bands, smart watches, toys, smart wine bottles, and home appliances (e.g., refrigerators, hot water heaters, coffee makers, crock pots, etc.). Devices with poor security features don't allow operating system and security software updates, don't encrypt key information such as PIN numbers and passwords, and build the software into the firmware where it cannot be upgraded. In January, the FTC filed a lawsuit against a modem/router maker alleging poor security in its products.

Consumers have less control over many IoT devices, such as smart utility meters, which collect information about consumers. Typically, the devices are owned and maintained by utility companies while installed in or on consumers' premises.

Now, back to the interview in The Atlantic. Professor Berman reminded us that society has met the ethical challenge before:

"Think about the Industrial Revolution: The technologies were very compelling—but perhaps the most compelling part were the social differences it created. During the Industrial Revolution, you saw a move to the cities, you saw the first child-labor laws, you saw manufacturing really come to the fore. Things were available that had not been very available before..."

Well, another revolution is upon us. This time, it includes changes brought about by the internet and the IoT. Berman explained today's challenges include considerations:

"... we never even imagined we’d have to think about. A great example: What if self-driving cars have to make bad choices? How do they do that? Where are the ethics? And then who is accountable for the choices that are made by autonomous systems? This needs to be more of a priority, and we need to be thinking about it more broadly. We need to start designing the systems that are going to be able to support social regulation, social policy, and social practice, to bring out the best of the Internet of Things... Think about designing a car. I want to design it so it’s safe, and so that the opportunity to hack my car is minimized. If I design Internet of Things systems that are effective, provide me a lot of opportunities, and are adaptive, but I only worry about really important things like security and privacy and safety afterwards, it’s much less effective than designing them with those things in mind. We can lessen the number of unintended consequences if we start thinking from the design stage and the innovation stage how we’re going to use these technologies. Then, we put into place the corresponding social framework."

Perhaps, most importantly:

"There’s a shared responsibility between innovators, companies, the government, and the individual, to try and create and utilize a framework that assigns responsibility and accountability based on what promotes the public good."

Will we meet the challenge of this revolution? Will innovators, companies, government, and individuals share responsibility? Will we work for the public good or solely for business growth and profitability?

What do you think?


Speech By FCC Chairman. Time For Citizens To Fight To Keep Net Neutrality Protections

Federal communications Commission logo Earlier today, Ajit Pai, the Chairman of the U.S. Federal Communications Commission (FCC), gave a speech titled, "The Future Of Internet Freedom" at the Newseum in Washington, DC. He discussed the history of the Internet, regulation, business investment, innovation, and jobs. He also shared his views on regulation and a desire for the FCC's to pursue a "light touch" regulatory approach:

"First, we are proposing to return the classification of broadband service from a Title II telecommunications service to a Title I information service—that is, light-touch regulation drawn from the Clinton Administration.  As I mentioned earlier, this Title I classification was expressly upheld by the Supreme Court in 2005, and it’s more consistent with the facts and the law.

Second, we are proposing to eliminate the so-called Internet conduct standard. This 2015 rule gives the FCC a roving mandate to micromanage the Internet... The FCC used the Internet conduct standard to launch a wide-ranging investigation of free-data programs. Under these programs, wireless companies offer their customers the ability to stream music, video, and the like free from any data limits. They are very popular among consumers, particularly lower-income Americans... Following the presidential election, we terminated this investigation before the FCC was able to take any formal action. But we shouldn’t leave the Internet conduct standard on the books for a future Commission to make mischief.

And third, we are seeking comment on how we should approach the so-called bright-line rules adopted in 2015. But you won’t just have to take my word about what is in the Notice of Proposed Rulemaking. I will be publicly releasing the entire text of the document tomorrow afternoon..."

This should not be a surprise. We've heard much of this before from Congresswoman Blackburn, the author of the recently passed House legislation to roll back consumers' online privacy protection. Blackburn said the same about FCC reclassification; that it was bad, and that the internet wasn't broken. Well it was broken prior to to 2014, and in several specific ways.

The lack of ISP competition in key markets meant consumers in the United States pay more for broadband and get slower speeds compared to other countries. Rural consumers and low-income areas lacked broadband services. There were numerous complaints by consumers about usage Based Internet Pricing. There were privacy abuses and settlement agreements by ISPs involving technologies such as deep-packet inspection and 'Supercookies' to track customers online, despite consumers' wishes not to be tracked. Many consumers didn't get the broadband speeds ISP promised. Some consumers sued their ISPs, and the New York State Attorney General invited residents to check their broadband speed with this tool. Tim Berners-Lee, the founder of the internet, cited in March three reasons why the Internet is in trouble. His number one reason: consumers had lost control of their personal information. With all of this evidence, how can Pai and Blackburn claim the internet wasn't broken?

There are more examples. Some consumers found that their ISP hijacked their online search results without notice nor consent. An ISP in Kansas admitted in 2008 to secret snooping after pressure from Congress. Given all of this, something had to be done. The FCC stepped up to the plate and acted when it was legally able to; and reclassified broadband after open hearings. Then, the FCC adopted new privacy rules in November, 2016. Proposed rules were circulated prior to adoption. It was done in the open. It made sense.

Meanwhile, the rollback of FCC broadband privacy rules is very unpopular among consumers. Comments by Pai and Blackburn seem to ignore both that and key events (listed above) in broadband history. That is practicing the "revisionist history" Pai said in his speech he disliked. That leaves me questioning whether they can be trusted to develop reasonable solutions that serve the interests of consumers.

With their victory last month to roll back the FCC's online privacy protections, pro-big-telecom advocates claim they are acting in consumers' best interests. What bull. With that rollback, consumers are no longer in control of their information. (The opt-in and other controls were killed.) Plus, we live in a capitalist society where the information that describes us is valuable property. That's why so many companies want to collect it. Consumers should be in control of their online privacy and the information that describes them, not corporate ISPs.

Corporate ISPs' next target is "net neutrality." Pai referred to it in the "bright lines" portion of his speech. For those who don't know or have forgotten, net neutrality is when consumers are in control -- consumers choose where to go online with the broadband they've purchased, and when ISPs must treat all content equally. That means no blocking, no throttling, and no paid prioritization. Net neutrality means consumers stay in control of where they go online.

Pai claimed this was unclear. Again, more bull. The FCC's no blocking, no throttling, and no paid prioritization position was crystal clear.

Without net neutrality, ISPs decide where consumers can go online, which sites you can visit, and which sites you can visit only if you pay more. ISPs would likely group web sites into tiers (e.g., slow vs. fast "lanes"), similar to premium cable-TV channels. Do you want your monthly internet bill as confusing, complicated, and expensive as your cable-TV bill? I don't, and I doubt you do either.

Pai and Blackburn claim that net neutrality (and privacy) kills innovation. I guess that depends how you define "innovation." If you define innovation as the ability of ISPs to carve up the internet to maximize they profits where consumers pay more, then it should be killed. That's not innovation. That's customer segmentation by price and paid prioritization.

In his speech, Pai provided an appealing explanation about how ISPs spent less on infrastructure. He neglected to mention that decreased infrastructure spending was a choice by ISPs. They could have cut expenses elsewhere and continued infrastructure spending, but they didn't. Instead, ISPs chose the path we see: utilize a compliant, sympathetic Republican-led Congress and White House to get what they wanted -- the ability to charge higher broadband prices -- and use slick, misleading language to appear to be consumer friendly.

Take action today to defend net neutrality protections. Fight For The Future The Pai-led FCC isn't consumer friendly. The GOP-led Congress isn't, either. Regardless of how they spin it. Don't be fooled.

Anyone paying attention already knows this. Concerned citizens fought for and won net neutrality in 2014. Sadly, we might fight the net neutrality fight again.

It will be an uphill fight for two reasons. First, Republicans control the White House, House of Representatives, and Senate. Second, the Trump Administration is working simultaneously on rollbacks for several key issues (e.g., health care, immigration, wall along Mexican border, tax reform, environment, education, terrorism, etc.), making it easier to distract opponents with other issues (and with outrageous midnight tweets). Yet, people demonstrated last week at an open FCC meeting. (Video is also available here.) Now is the time for more concerned citizens to rise, speak up, and fight back. Write to your elected officials. Tell your friends, classmates, coworkers, and family members. Use this action form to contact your elected officials. Participate in local marches and protests. Join the Fight For The Future. Support the EFF.

Some elected officials have already committed to defend net neutrality protections:

What about your elected officials? Have they made a commitment to defend net neutrality? Ask them. Don't be silent. Now is not the time to sit on the sideline and wait for others to do the fighting for you.


Security Experts State Privacy Issues With Proposed NHTSA Rules For Vehicle Automation

The Center For Democracy & Technology (CDT) and four cryptographers have stated their security and privacy concerns regarding proposed rules by the National Highway Traffic Safety Administration (NHTSA) for vehicle automation and communications. In a CDT blog post, Chief Technologist Lorenzo Hall stated that the group's concerns about NHTSA's:

"... proposed rulemaking to establish a new Federal Motor Vehicle Safety Standard (FMVSS), No. 150, which intends to mandate and standardize vehicle-to-vehicle (V2V) communications for new light vehicles... Our comments highlight our concern that NHTSA’s proposal standard may not contain adequate measures to protect consumer privacy from third parties who may choose to listen in on the Basic Safety Message (BSM) broadcast by vehicles. Inexpensive real-time tracking of vehicles is not a distant future hypothetical. Vehicle tracking will be exploited by a multitude of companies, governments, and criminal elements for a variety of purposes such as vehicle repossession, blackmail, gaining an advantage in a divorce settlement, mass surveillance, commercial espionage, organized crime, burglary, or stalking.

Our concern is that the privacy protections currently proposed for V2V communications may be easily circumvented by any party determined to perform large-scale real-time tracking of multiple vehicles at once. This poses a serious costs for both individual privacy and society at large..."

FMVSS Standards include regulations automobile and vehicle manufacturers must comply with. Read the proposed FMVSS Rule 150 in the Federal Register. The proposed rule specifies how vehicles will automatically broadcast Basic Safety Messages (BSM).

The group's detailed submission (Adobe PDF) to the U.S. Department of Transportation (DOT) described specific privacy concerns. One example:

"2.1 Linking a vehicle to an individual
The NPRM proposes that vehicle location accurate to within 1.5 meters be included in every BSM. Such high accuracy is sufficient to identify a vehicle’s specific parking spot. Assuming a suburban environment where the parking spot is a driveway, this information is enough to identify the owners or tenants... Vehicles can be further disambiguated among members of a household or people sharing parking spots by when they leave and where they go. For instance, shift workers, 9-to-5 office workers, high school students, and stay-at-home parents will all have different, distinguishable patterns of vehicle use. Even among office commuters, the first few turns after leaving the driveway will be very useful for disambiguating people working at different locations..."

So, when you leave home and the route you take can easily identify individuals. You don't have to be the registered owner of the car. Yes, your smartphone broadcasts to the nearest cellular tower and that identifies your location, but not as precisely. Privacy is needed because the bad guys -- stalkers, criminals -- could also use BSMs to spy upon individuals.

The security experts found the proposed BSM privacy statement by NHTSA to be one-sided and incomplete:

"The examples of third-party collection provided in paragraph (b) of the privacy statement mention only benign collection for beneficial purposes, such as accident avoidance, transit maintenance, or valuable commercial services. They selectively highlight the socially beneficial uses of V2V information without mentioning commercial services [which] may not [be] valuable for consumers; or other potential, detrimental, or even criminal uses. This is especially troubling..."

The CDT and security experts recommended that due to the privacy risks described:

"... we firmly believe that, unless a considerably more privacy-conscious proposal is put forward, consumers should be given the choice to opt-in or opt-out (without a default opt-in), and should be made clearly aware of what they are opting in to..."

I agree. A totally sensible and appropriate approach. The group's detailed submission also compared several vehicle tracking methods:

"... physically following a car or placing a GPS device on it, do not allow for mass tracking of most vehicles in a given area. Some options, such as cellphone tracking or toll collection history, require specialized access to a private infrastructure. Cellular data does not provide precise position information to just anyone who listens in... Moreover, cellular technology is evolving rapidly — today it provides more privacy than in the past... license-plate-based tracking requires a line of sight to a given vehicle, and thus is usually neither pervasive nor real-time. A vehicle can be observed driven or parked, but not tracked continuously unless followed. Only a few vehicles can be observed by a camera at any given time. Thus, license-plate-based tracking provides only episodic reports of locations for most vehicles. In contrast, because receiving the BSM does not require a line of sight and the BSM is transmitted ten times per second, multiple vehicles can be tracked simultaneously, continuously, and in real time.

The Privacy Technical Analysis Report concluded that the only option other than BSMs that may be viable for large-scale real-time tracking without any infrastructure access is via toll transponders."

License-plate tracking and the cameras used are often referred to as Automated License Plate Readers (ALPR). Law enforcement uses four types of ALPR technologies: mobile cameras, stationary cameras, semi-stationary cameras, and ALPR databases.

So, BSM provides large-scale real-time tracking. And, while toll transponders provide consumers with a convenient method to pay and zoom through tolls, the technology can be used to track you. Read the full CDT blog post.


Researchers: Thousands of Android Apps Collude To Spy on Users

Got an Android phone or tablet? Considering an Android phone? Then, pay close attention. Researchers have found that more than 20,000 pairs of Android apps work together to spy on users: collect, track, and share information without notice nor consent. The Atlantic magazine explained:

"Security researchers don’t have much trouble figuring out if a single app is gathering sensitive data and secretly sending it off to a server somewhere. But when two apps team up, neither may show definitive signs of thievery alone... A study released this week developed a new way to tackle this problem—and found more than 20,000 app pairings that leak data... Their system—DIALDroid—then couples apps to simulate how they’d interact, and whether they could potentially work together to leak sensitive information. When the researchers set DIALDroid loose on the 100,206 most downloaded Android apps, they turned up nearly 23,500 app pairs that leak data..."

Researchers at Southern Illinois University and at Virginia Tech collaborated on the highly technical report titled, "Collusive Data Leak And More: Large-Scale Threat Analysis of Inter-App Communications" (Adobe PDF). The report compared DIALDroid to other inter-app analysis tools, and analyzed whether the data leaks were intentional or unintentional (e.g., due to poor design).

The vulnerabilities the researchers found seem three-fold. First, there is the stealth collusion described above. Second, how the data collected and where it is sent are problematic. The Atlantic article explained:

"When they analyzed the the final destination for leaked data, the Virginia Tech researchers found that nearly half of the receivers in leaky app pairs sent the sensitive data to a log file. Generally, logged information is only available to the app that created it—but some cyberattacks can extract data from log files, which means the leak could still be dangerous. Other more immediately dangerous app pairings send data away from the phone over the internet, or even over SMS."

Third, the vulnerabilities apply to apps operating on corporate networks. The researchers warned in their technical report:

"User Applications. Although DIALDroid is for marketplace owners, Android users can also benefit from this tool. For example, enterprise users can check possible inter-app collusions using DI-ALDroid before allowing certain apps to be installed on the devices of their employees. Moreover, a large-scale public database similar to ours, when regularly updated, can be queried by users to find out possible inter-app communications to or from a particular app."

"Marketplace owners" refers to organizations running online app stores. "Enterprise users" refers to information technology (I.T.) professionals managing (and securing) internal organization networks containing highly sensitive, confidential, and/or proprietary information. Corporate, government, health care organizations, and law firms immediately come to mind.

Prior blog posts and firmware reports have identified numerous vulnerabilities with Android devices. Now, we know a little more about how some apps work together secretly. Add this new item to the list of vulnerabilities.

Android phones may be cheaper than other brands, but that comes at a very steep cost. What are your opinions?


Poll Finds Republicans Rollback of Broadband Privacy Very Unpopular

A recent poll found that the Republican rollback of broadband privacy rules is very unpopular. Very unpopular. The poll included 1,000 Americans, and the results cut across age, gender, and political affiliations. Despite this, President Trump signed the privacy-rollback legislation on April 3. Since then, many consumers have sought online tools to protect their privacy.

Vox reported the survey results:

Image of Yougov poll results about Republican rollback of broadband privacy. Click to view larger version

Late last week, several Republicans in the House of Representatives sent a letter (Adobe PDF) to Ajit Pai, the Chairman of the U.S. Federal Communications Commission (FCC), urging the FCC to regulate broadband service providers. The letter read, in part:

"We write to ensure that the Federal Communications Commission (FCC) stands ready to protect consumer privacy... The Federal Trade Commission (FTC) has long been the standard bearer for striking the right balance of consumer protection with a pro-innovative construct that encourages consumer choice, opportunities, and new jobs... An FCC approach that mirrors the FTC will continue to protect consumers in this tumultuous time... Until such time as the FCC rectifies the Title II reclassification that inappropriately removed ISPs from the FTC's jurisdiction, we urge the FCC to hold Internet service providers (ISPs) to their privacy promises..."

The letter was signed by Greg Walden (Chairman, Committee on Energy & Commerce), Marsha Blackburn (Chairman, Subcommittee on Communications & Technology), and 48 other representatives.

Tumultuous times? The tumult was created by the rollback of privacy rules -- a situation created by Republicans. All would have been fine if they'd left the FCC's broadband privacy rules in place; rules consumers clear want -- rules that keep users in control of their online privacy.

Representative Blackburn and her fellow Republicans either doesn't know history or have chosen to ignore it. Several problems have plagued the industry: a lack of ISP competition in key markets, consumers in the United States pay more for broadband and get slower speeds compared to other countries, and numerous privacy violations and lawsuits:

Clearly, the FCC had to act, it did, it held hearings, and then finalized improved broadband privacy rules to help consumers. Now, the Congress and President undid all of that creating the tumult they now claim to want to solve.

Clearly, Representative Blackburn and others are happy to comply with the wishes of their corporate donors -- who don't want broadband classified as a utility. Internet access is a basic consumer need for work, entertainment, and school -- just like water, electricity, and natural gas (for cooking). Internet access is a utility, like it or not. The FCC under Chairman Wheeler had the right consumer-friendly approach, despite the spin by Blackburn and others.

What are your opinions?


President Trump Signed Legislation Revoking FCC's Broadband Privacy Rules. Lots Of Consequences

Late yesterday, President Trump signed legislation revoking broadband privacy rules adopted by the Federal Communications Commission (FCC). The rules would have kept consumers in control of their information online. Instead, internet service providers (ISPs) are free to collect, archive, and share at will without notice nor consent information about consumers' online activities (e.g., far more than browsing histories).

The legislation narrowly passed both in the Senate (50 - 48) and in the House (210 - 205). Proponents of the legislation claimed duplicate legislation. Representative Marsha Blackburn (R-Tenn.), who introduced the legislation in the House, said plenty recently according to Breitbart News:

"What we are doing is recalling a privacy rule that the FCC issued right at the end of the Obama administration, and the reason we are doing this is because it is additional and duplicative regulation... What the FCC did was clearly overreach. It gives you two sets of regulators that you’re trying to comply with, not one. So we are recalling the FCC’s rule, and that authority will go back to the FTC...”

"What the Obama administration did... they reclassified your Internet service as Title II, which is a common carrier classification. It is the rule that governs telephone usage... Those rules were put on the books in the thirties. So what the Democrats did... they reclassified Internet, which is an information service, as a telephone service, and then put those 1930s-era rules on top of your Internet service... They did that so they could tax it, so they could begin to regulate it..."

"You don’t need another layer of regulation. It’s like flashing alerts: We don’t need net neutrality. We don’t need Title II. We don’t need additional regulations heaped on the Internet under Title II. The Internet is not broken. It has done just fine without the government controlling it."

Not broken? The founder of the internet, Tim Berners-Lee gave three solid reasons why the internet is broken. His number one reason: consumers have lost control over their personal information.

And, Representative Blackburn either doesn't know history or has chosen to ignore it. Several problems have plagued the industry: a lack of ISP competition in key markets, consumers in the United States pay more for broadband and get slower speeds compared to other countries, and numerous privacy violations and lawsuits:

Clearly, the FCC had to act, it did, it held hearings, and then finalized improved broadband privacy rules to help consumers. Now, the Congress and President undid all of that.

There are plenty of consequences. To regain some online privacy lost due to the new legislation, many consumers have considered Virtual Private Networks (VPNs) and other online tools to prevent ISPs from spying on them. VPNs are not a cure-all. ISPs can still block or throttle consumers' VPN connection, and VPNs won't protect e-mail nor internet-of-things devices installed in homes.

Basically, there is no substitute for consumers being in control of their online privacy with transparent notice by ISPs. The impact upon consumers: less online privacy and higher internet prices. Consumers are forced to spend more money on VPN and other tools.

Blackburn and others claimed that the U.S. Federal Trade Commission (FTC) should regulate ISPs. Regulation by the FTC is not a slam-dunk. AdAge reported:

"If the FTC does regain its oversight, the result is likely to be weaker privacy protections than what the FCC intended with its rules, as well as a relatively clear path for telcos to pursue their data-revenue-generating goals... One legal peak to climb: precedent set by a U.S district court ruling siding with AT&T against the FTC last year which carved out an exemption for companies that provide bundled phone and ISP services which effectively protected AT&T from FTC regulations protecting consumers from unfair or deceptive practices.

Even if the FTC eventually garners ISP jurisdiction, argued [Gigi Sohn, a senior counselor to former FCC Chairman Tom Wheeler], "it will lead to some privacy protection but much weaker than what people just lost." She pointed to FTC Chairman Ohlausen's high bar for showing harm against consumers before actions against companies are taken, noting, "She wants to see harm first. Well, rules protect you before you're harmed." "

Despite the claims by Blackburn and others, the bottom line is:

"... what we're left with is a period of uncertainty where the carriers may do certain things but it's unclear. Does the FCC have jurisdiction or does the FTC have jurisdiction?"

The Los Angeles Times reported:

"The FTC is empowered to bring lawsuits against companies that violate its privacy guidelines, but it has no authority to create new rules for industry. It also cannot enforce its own guidelines against Internet providers because of a government rule that places those types of companies squarely within the jurisdiction of the FCC and out of the reach of the FTC. As a result, Internet providers exist in a "policy gap" in which the only privacy regulators for the industry operate at the state, not federal, level, analysts say."

Ambiguity. Lack of clarity. Policy gap. None of those are good for business, or for consumers.

Read more about President Trump's signing of the legislation at C/Net and Reuters.


Tools For Consumers To Regain Some Online Privacy. Higher Internet Prices Likely

Now that the Republican-led Congress and President Trump have dismantled broadband privacy rules, internet service providers (ISPs) are free to collect, archive, and share at will without disclosure consumers' complete online activities (e.g., far more than browsing histories) to maximize their profits. Just about all of your online activities are harvested by ISPs, not just your browsing histories. Readers of this blog may remember the Deep-Packet Inspection software some ISPs installed on their servers to track their customers' online usage without notice nor consent.

To combat this, many consumers seek technical solutions, such as a virtual private network (VPN), to maintain as much privacy online as possible. Consumers will need to locate VPN and other tools than run on several devices (e.g., phones, tablets, laptops, desktops, etc.) and browsers (e.g., Firefox, Opera, etc.). Resources about several tools including VPNs:

Reviews and comparisons about VPN providers:

Some recommended, paid VPNs run on several platforms including Apple brand devices: F-Secure Freedome, Private Internet Access, and SurfEasy. Some VPNs offer a lower monthly price for a longer contract term. Look for pricing that covers multiple devices.

All of the above resources contain links to specific VPN brands. Experts recommend that consumers shop around for a paid VPN, since many of the free VPNs collect and resell consumers' information to make money. Some VPN providers offer phone customer service and support. This may be especially helpful for inexperienced users.

If a (free or paid) VPN saves usage logs of its customers' online activity and shares those logs with others (e.g., advertisers, affiliates, marketing partners, law enforcement, etc.), then that totally defeats the purpose of using a VPN service for privacy. So wise consumers shop around, read the terms of service, and read the privacy policy before signing up for a VPN.

Just like anti-virus software, several VPNs running on the same device can cause problems. So, you'll need to spend time sorting that out, too.

Sadly, VPNs are not a cure-all. Your ISP can still block or throttle your connection. Basically, there is no substitute for consumers being in control of their online privacy with transparent notice by ISPs. And, VPNs won't protect internet-of-things devices (e.g., appliances, refrigerators, thermostats, security systems, televisions, etc.) connected in to the WiFi router in your home. Tech Dirt reported:

"VPN clients are typically for desktop machines and, in some cases, mobile devices such as phones and tablets. As previously discussed, IoT devices in homes will continue to generate more traffic. Most such devices do not support VPN software. While it is conceivable that a user could set up an encrypted VPN tunnel from the home router and route all home traffic through a VPN, typical home gateways don’t easily support this functionality at this point, and configuring such a setup would be cumbersome for the typical user."

Note: VPN services don't protect e-mail. ISPs user a different set of servers for e-mail (e.g., SMTP, SMTPS) versus web browsing (e.g., HTTP, HTTPS). You might consider a secure e-mail service like ProtonMail. You might find this review of ProtonMail helpful.

Do you use Gmail? Remember Google scans both inbound and outbound e-mail messages supposedly to serve up relevant ads. While a certain amount of message scanning is appropriate to identify spam and malware, last month a federal court judge rejected a proposed settlement offer with non-Gmail users who had filed a class-action lawsuit because their e-mail messages had been scanned by Google (and they couldn't opt out of the scanning).

So, internet costs for consumers are going up with thanks to privacy-busting legislation passed by a Republican-led Congress. Consumers will pay more, perhaps an additional $50 - $80 yearly for VPN services, on top of already high monthly internet prices -- with a marginal increase in privacy; not the better, more complete solution consumers would have received with the FCC broadband privacy rules. Add in the value of your time spent shopping around for VPN and privacy tools, and the price increase is even greater.

Plus, monthly internet costs for consumers could go far higher if ISPs charge for online privacy. Is that possible you ask? Yep. Comcast and industry lobbyists have already stated that they want "pay-for-privacy" schemes. Congress seems happy to oblige corporate ISPs and stick it to consumers.

Petition to keep FCC broadband privacy rules and nullify Senate Joint Resolution 34 Mad about all of this? You probably are, too. I am. Be sure to tell your Senators and House representatives that voted to revoke FCC online privacy rules. Tell them you dislike the higher prices you're forced to pay to maintain privacy online.

Do any VPN providers act as fronts for government intelligence and spy agencies? I do not have the resources to determine this. Perhaps, some enterprising white-hat users can shed some light on this.

What online privacy resources have you found?


Congress Passed Joint Resolution To Revoke New Online Privacy Rules By The FCC. Plenty of Consequences

On Tuesday, the U.S. House of Representatives approved legislation to revoke new online privacy rules the U.S. Federal Communications Commission (FCC) adopted in 2016 to protect consumers by govern the data collection and sharing of consumers' personal information by Internet Service providers (ISPs). Several cable, telecommunications, and advertising lobbies sent a letter in January asking Congress to remove the new broadband privacy rules, which they viewed as burdensome.

Congress quickly complied. The new legislation consisted of two companion bills: Senate Joint Resolution 34 (S.J. Res. 34) and House Joint Resolution 86 (H.J. Res. 86). The House vote was close: 210 to 205 with 215 Republican representatives voting for S.J. Res. 34. 190 Democratic and 15 Republican representatives voted against it. Consumers can view H.J. Res. 86 votes by their elected officials.

Representative Marsha Blackburn (R-Tenn.) introduced the legislation in the House. Blackburn said plenty in an interview published on Breitbart News:

"What we are doing is recalling a privacy rule that the FCC issued right at the end of the Obama administration, and the reason we are doing this is because it is additional and duplicative regulation... What the FCC did was clearly overreach. It gives you two sets of regulators that you’re trying to comply with, not one. So we are recalling the FCC’s rule, and that authority will go back to the FTC...”

"What the Obama administration did... they reclassified your Internet service as Title II, which is a common carrier classification. It is the rule that governs telephone usage... Those rules were put on the books in the thirties. So what the Democrats did... they reclassified Internet, which is an information service, as a telephone service, and then put those 1930s-era rules on top of your Internet service... They did that so they could tax it, so they could begin to regulate it..."

"You don’t need another layer of regulation. It’s like flashing alerts: We don’t need net neutrality. We don’t need Title II. We don’t need additional regulations heaped on the Internet under Title II. The Internet is not broken. It has done just fine without the government controlling it."

Not broken? Really? The founder of the internet, Tim Berners-Lee gave three solid reasons why the internet is broken. His number one reason on his list: consumers have lost control over their personal information.

Plus, Representative Blackburn either doesn't know history or has chosen to ignore it. Several problems have plagued the industry: a lack of ISP competition in key markets, consumers in the United States pay more for broadband and get slower speeds compared to other countries, and numerous privacy violations and lawsuits:

Clearly, the FCC had to act; and it did. Congress held hearings, too.

Advertisement in the New York Times newspaper after the Senate vote. Click to view larger version The Senate passed S.J. Res. 34 about a week before the House vote Tuesday. The Senate vote was also close: 50 to 48. Senator Jeff Flake (R-Arizona) introduced the legislation in the Senate, and he repeated the same over-reach claims:

"The FCC’s midnight regulation has the potential to limit consumer choice, stifle innovation, and jeopardize data security by destabilizing the internet ecosystem. Passing my resolution is the first step toward restoring a consumer-friendly approach to internet privacy regulation that empowers consumers to make informed choices on if and how their data can be shared. It will not change or lessen existing consumer privacy protections.”

Consumers can view S.J. Res 34 votes by their elected officials. The press release by Senator Flake's office also stated:

"Flake’s resolution, S.J.Res. 34, would not change or lessen existing consumer privacy regulations. It is designed to block an attempt by the Federal Communications Commission (FCC) to expand its regulatory jurisdiction and impose prescriptive data restrictions on internet service providers. These restrictions have the potential to negatively impact consumers and the future of internet innovation."

Federal communications Commission logo Flake's spin of "midnight regulation" is unfair and inaccurate. The new FCC privacy rules were proposed in April 2016, and enacted in October. That provided plenty of time for discussion and input from consumers, experts, and companies. In March 2016, the FCC released a broadband privacy Fact Sheet, which explained the need for the new privacy rules:

"Telephone networks have had clear, enforceable privacy rules for decades, but broadband networks currently do not... An ISP handles all of its customers’ network traffic, which means it has an unobstructed view of all of their unencrypted online activity – the websites they visit, the applications they use. If customers have a mobile device, their provider can track their physical and online activities throughout the day in real time. Even when data is encrypted, broadband providers can still see the websites that a customer visits, how often they visit them, and the amount of time they spend on each website. Using this information, ISPs can piece together enormous amounts of information about their customers – including private information such as a chronic medical condition or financial problems. A consumer’s relationship with her ISP is very different than the one she has with a website or app. Consumers can move instantaneously to a different website, search engine or application. But once they sign up for broadband service, consumers can scarcely avoid the network for which they are paying a monthly fee."

To distinguish spin from facts, it is critical to read the FCC announcement of its new broadband privacy rules from last year:

"Opt-in: ISPs are required to obtain affirmative “opt-in” consent from consumers to use and share sensitive information. The rules specify categories of information that are considered sensitive, which include precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications.

Opt-out: ISPs would be allowed to use and share non-sensitive information unless a customer “opts-out.” All other individually identifiable customer information – for example, email address or service tier information – would be considered non-sensitive and the use and sharing of that information would be subject to opt-out consent, consistent with consumer expectations.

Exceptions to consent requirements: Customer consent is inferred for certain purposes specified in the statute, including the provision of broadband service or billing and collection. For the use of this information, no additional customer consent is required beyond the creation of the customer-ISP relationship.

Transparency requirements that require ISPs to provide customers with clear, conspicuous and persistent notice about the information they collect, how it may be used and with whom it may be shared, as well as how customers can change their privacy preferences;

A requirement that broadband providers engage in reasonable data security practices and guidelines on steps ISPs should consider taking, such as implementing relevant industry best practices, providing appropriate oversight of security practices, implementing robust customer authentication tools, and proper disposal of data consistent with FTC best practices and the Consumer Privacy Bill of Rights.

Common-sense data breach notification requirements to encourage ISPs to protect the confidentiality of customer data, and to give consumers and law enforcement notice of failures to protect such information."

Sounds clear, reasonable, and appropriate. Not perfect, but an improvement of what was before. Addressed transparency concerns, too. To summarize, the new FCC broadband privacy rules kept consumers in control of their sensitive personal information. By revoking those rules, Congress is effectively telling consumers they shouldn't be in control of their own information and ISPs should be in control.

Do you want to be in control of your personal information online? I do, and I suspect you do, too.

Think about the consequences. Once the legislation is signed by President Trump, ISPs will be free to collect, use, and share information describing your online activities. Your ISP is in a unique position because it can scan all un-encrypted data flowing through your internet connection. That typically includes: a) the websites you visit and apps you use; b) which items in "a" you use repeatedly, when and how long; c) the searches you perform online at search engine sites, and via personal assistants, d) activity generated by appliances, televisions, thermostats, security systems, and other devices connected to your home WiFi; and d) the geo-location or where in the physical world your perform online activities. (Besides your smartphone, several devices including your car, fitness bands, smart watches, and wearables collect and share your geo-location data.) Perhaps most importantly, your ISP won't need your consent and probably won't tell you what it is sharing and with whom.

Think about the consequences.

It's not just porn. Your online activities reveal plenty: 1) appointment confirmation emails from your doctor reveal the type of doctor and imply certain medical conditions or procedures; 2) online visits to your bank(s) reveal the types of money and the location of your bank accounts; 3) online activities by your CHILDREN reveal much, including the types of toys and devices they use; 4) work-from-home can reveal proprietary information your employer does not want disclosed; and 5) simple curiosity becomes dangerous. Example: a rash appears on your skin, so you surf over to WebMD to read about symptoms and what it might be. Or, maybe you're reading about a condition of an elderly parentor family member. Problem is: your ISP can infer from your online activities conditions and diseases relate to you, even though they may not. Another example: health care organizations have to comply with HIPPA regulations to protect patients' privacy. Many patients use online healthcare portals by their hospital to coordinate care by several doctors and surgeons. Will your ISP honor HIPPA regulations? They probably won't.

Think about the consequences.

All of that information collected about your online activities could be used against you someday... when you apply for a job, when you sign up for insurance, when you apply for a loan, when you try to adopt a baby or child. Remember, two huge industries exist to help companies buy, sell, and trade information (data brokers); the second (data mining) to help companies merge, manipulate, and analyze the data they've collected and bought.

Comcast logo Think about the consequences. Your ISP may not allow you to decline (e.g., opt out of) the data collection, tracking, usage, and sharing. Or your ISP may charge more fees for online privacy. Don't think that can't happen. Comcast and industry lobbyists have already stated that they want "pay-for-privacy" schemes. So, with Congress' latest action, consumers may soon see price increases and higher monthly internet and wireless bills.

Some consumers are worried, and are exploring technical solutions to thwart ISPs that snoop. The problem: there is no cure-all solution. Some people are angry. To show lawmakers how terrible their decision was, a crowd-funding campaign was started to raise money to buy (and then publish publicly) the internet histories of leading Republicans (e.g., Senate Majority Leader Mitch McConnell, House Speaker Paul Ryan, House Representative Marsh Blackburn) and FCC members who voted for and support the privacy-busting legislation. So, we may then learn which members of Congress watch the most porn.

Lawmakers in some states are already responding to voters' online privacy concerns. In Illinois, lawmakers have introduced two items of legislation: the Geolocation Privacy Protection Act (GPPA) and the Right To Know Act (RTKA). Lawmakers in Nevada introduced geolocation privacy legislation. More states will likely follow.

With the FCC broadband privacy rules revoked, there are five creepy things your ISP could do. What are your opinions of Congress revoking FCC broadband privacy rules?

[Editor's note: this blog post was revised on Friday, March 31 with links to new legislation in Illinois and Nevada.]


Minnesota Judge Signed Warrant For Users' Google Search Data About A Person's Name

A Minnesota court judge has signed what appears to be a stunningly broad search warrant to compel Google to provide search information to local law enforcement. The request for search data is part of an identity theft and fraud case.

The search warrant requests information about anyone searching for variations of the name "Douglas" between December 1, 2016 and January 7, 2017. Using a fake passport with the victim's photo and name, identified only as "Douglas" in the warrant, a fraudster fraudulently obtained $28,000 via a wire transfer from a credit union bank account. The credit union relied upon the passport as identification.

During their investigation, the Edina Police Department searched for images with the victim's name using several search engines (e.g., Yahoo, Bing, Google), and found images on all, but only Google's search results included an image of the photo used on the fake passport. Based upon these facts, Hennepin County Judge Gary Larson signed the warrant requiring Google to turn over information about anyone who searched for variations of Douglas's full name. The warrant requests the following information about search engine users: names, addresses, e-mail addresses, phone numbers, Social Security numbers, birth dates, IP (Internet protoccol) addresses, MAC addresses, and dates/times the searches were performed.

The search warrant also requests, "Information related to the content the user is viewing/using." What exactly is that? Does that refer to other information collected by Google in each user's Google account (e.g., passwords, Google Drive documents, Gmail messages, calendar appointments, Google Chat sessions, etc.)?

The Minneapolis Star-Tribune newspaper reported:

"Privacy law experts say that the warrant is based on an unusually broad definition of probable cause that could set a troubling precedent. "This kind of warrant is cause for concern because it’s closer to these dragnet searches that the Fourth Amendment is designed to prevent," said William McGeveran, a law professor at the University of Minnesota... McGeveran said it’s unusual for a judge to sign off on a warrant that bases probable cause on so few facts. "It’s much more usual for a search warrant to be used to gather evidence for a suspect that’s already identified, instead of using evidence to find a suspect... If the standards for getting a broad warrant like this are not strong, you can have a lot of police fishing expeditions." "

Judge Larson signed the warrant on February 1, 2017. Reportedly, Google will fight in court against the demands in the search warrant.

This warrant seems stunningly broad since it does not contain the name of a specific suspect, suspects, and/or criminal organization. There are many legitimate reasons for persons to search using the victim's name. Chiefly, many other people have the same name.

Other questions remain. The warrant did not state whether or not law enforcement searched social networking accounts for the victim's image. Many social networking accounts include profile photos of users. How certain are lawn enforcement officials that the fraudster didn't obtain the photo from a social networking account? Plus, many social networking users don't utilize the privacy controls available for their online accounts and photos.

What are your opinions?


Maker Of Smart Vibrators To Pay $3.75 Million To Settle Privacy Lawsuit

Today's smart homes contain a variety of internet-connected appliances -- televisions, utility meters, hot water heaters, thermostats, refrigerators, security systems-- and devices you might not expect to have WiFi connections:  mouse traps, wine bottlescrock pots, toy dolls, and trash/recycle bins. Add smart vibrators to the list.

We-Vibe logo We-Vibe, a maker of vibrators for better sex, will pay U.S. $3.75 million to settle a class action lawsuit involving allegations that the company tracked users without their knowledge nor consent. The Guardian reported:

"Following a class-action lawsuit in an Illinois federal court, We-Vibe’s parent company Standard Innovation has been ordered to pay a total of C$4m to owners, with those who used the vibrators associated app entitled to the full amount each. Those who simply bought the vibrator can claim up to $199... the app came with a number of security and privacy vulnerabilities... The app that controls the vibrator is barely secured, allowing anyone within bluetooth range to seize control of the device. In addition, data is collected and sent back to Standard Innovation, letting the company know about the temperature of the device and the vibration intensity – which, combined, reveal intimate information about the user’s sexual habits..."

Image of We-Vibe 4 Plus product with phone. Click to view larger version We-Vibe's products are available online at the Canadian company's online store and at Amazon. This Youtube video (warning: not safe for work) promotes the company's devices. Consumers can use the smart vibrator with or without the mobile app on their smartphones. The app is available at both the Apple iTunes and Google Play online stores.

Like any other digital device, security matters. C/Net reported last summer:

"... two security researchers who go by the names followr and g0ldfisk found flaws in the software that controls the [We-Vibe 4Plus] device. It could potentially let a hacker take over the vibrator while it's in use. But that's -- at this point -- only theoretical. What the researchers found more concerning was the device's use of personal data. Standard Innovation collects information on the temperature of the device and the intensity at which it's vibrating, in real time, the researchers found..."

In the September 2016 complaint (Adobe PDF; 601 K bytes), the plaintiffs sought to stop Standard Innovation from "monitoring, collecting, and transmitting consumers’ usage information," collect damages due to the alleged unauthorized data collection and privacy violations, and reimburse users from their purchase of their We-Vibe devices (because a personal vibrator with this alleged data collection is worth less than a personal vibrator without data collection). That complaint alleged:

"Unbeknownst to its customers, however, Defendant designed We-Connect to (i) collect and record highly intimate and sensitive data regarding consumers’ personal We-Vibe use, including the date and time of each use and the selected vibration settings, and (ii) transmit such usage data — along with the user’s personal email address — to its servers in Canada... By design, the defining feature of the We-Vibe device is the ability to remotely control it through We-Connect. Defendant requires customers to use We-Connect to fully access the We-Vibe’s features and functions. Yet, Defendant fails to notify or warn customers that We-Connect monitors and records, in real time, how they use the device. Nor does Defendant disclose that it transmits the collected private usage information to its servers in Canada... Defendant programmed We-Connect to secretly collect intimate details about its customers’ use of the We-Vibe, including the date and time of each use, the vibration intensity level selected by the user, the vibration mode or patterns selected by the user, and incredibly, the email address of We-Vibe customers who had registered with the App, allowing Defendant to link the usage information to specific customer accounts... In addition, Defendant designed We-Connect to surreptitiously route information from the “connect lover” feature to its servers. For instance, when partners use the “connect lover” feature and one takes remote control of the We-Vibe device or sends a [text or video chat] communication, We-Connect causes all of the information to be routed to its servers, and then collects, at a minimum, certain information about the We-Vibe, including its temperature and battery life. That is, despite promising to create “a secure connection between your smartphones,” Defendant causes all communications to be routed through its servers..."

The We-Vibe Nova product page lists ten different vibration modes (e.g., Crest, Pulse, Wave, Echo, Cha-cha-cha, etc.), or users can create their own custom modes. The settlement agreement defined two groups of affected consumers:

"... the proposed Purchaser Class, consisting of: all individuals in the United States who purchased a Bluetooth-enabled We-Vibe Brand Product before September 26, 2016. As provided in the Settlement Agreement, “We-Vibe Brand Product” means the “We-Vibe® Classic; We-Vibe® 4 Plus; We-Vibe® 4 Plus App Only; Rave by We-VibeTM and Nova by We-VibeTM... the proposed App Class, consisting of: all individuals in the United States who downloaded the We-Connect application and used it to control a We-Vibe Brand Product before September 26, 2016."

According to the settlement agreement, affected users will be notified by e-mail addresses, with notices in the We-Connect mobile app, a settlement website (to be created), a "one-time half of a page summary publication notice in People Magazine and Sports Illustrated," and by online advertisements in several websites such as Google, YouTube, Facebook, Instagram, Twitter, and Pinterest. The settlement site will likely specify additional information including any deadlines and additional notices.

We-Vibe announced in its blog on October 3, 2016 several security improvements:

"... we updated the We-ConnectTM app and our app privacy notice. That update includes: a) Enhanced communication regarding our privacy practices and data collection – in both the onboarding process and in the app settings; b) No registration or account creation. Customers do not provide their name, email or phone number or other identifying information to use We-Connect; c) An option for customers to opt-out of sharing anonymous app usage data is available in the We-Connect settings; d) A new plain language Privacy Notice outlines how we collect and use data for the app to function and to improve We-Vibe products."

I briefly reviewed the We-Connect App Privacy Policy (dated September 26, 2016) linked from the Google Play store. When buying digital products online, often the privacy policy for the mobile app is different than the privacy policy for the website. (Informed shoppers read both.) Some key sections from the app privacy policy:

"Collection And Use of Information: You can use We-Vibe products without the We-Connect app. No information related to your use of We-Vibe products is collected from you if you don’t install and use the app."

I don't have access to the prior version of the privacy policy. That last sentence seems clear and should be a huge warning to prospective users about the data collection. More from the policy:

"We collect and use information for the purposes identified below... To access and use certain We-Vibe product features, the We-Connect app must be installed on an iOS or Android enabled device and paired with a We-Vibe product. We do not ask you to provide your name, address or other personally identifying information as part of the We-Connect app installation process or otherwise... The first time you launch the We-Connect app, our servers will provide you with an anonymous token. The We-Connect app will use this anonymous token to facilitate connections and share control of your We-Vibe with your partner using the Connect Lover feature... certain limited data is required for the We-Connect app to function on your device. This data is collected in a way that does not personally identify individual We-Connect app users. This data includes the type of device hardware and operating system, unique device identifier, IP address, language settings, and the date and time the We-Connect app accesses our servers. We also collect certain information to facilitate the exchange of messages between you and your partner, and to enable you to adjust vibration controls. This data is also collected in a way that does not personally identify individual We-Connect app users."

In a way that does not personally identify individuals? What way? Is that the "anonymous token" or something else? More clarity seems necessary.

Consumers should read the app privacy policy and judge for themselves. Me? I am skeptical. Why? The "unique device identifier" can be used exactly for that... to identify a specific phone. The IP address associated with each mobile device can also be used to identify specific persons. Match either number to the user's 10-digit phone number (readily available on phones), and it seems that one can easily re-assemble anonymously collected data afterwards to make it user-specific.

And since partner(s) can remotely control a user's We-Vibe device, their information is collected, too. Persons with multiple partners (and/or multiple We-Vibe devices) should thoroughly consider the implications.

The About Us page in the We-Vibe site contains this company description:

"We-Vibe designs and manufactures world-leading couples and solo vibrators. Our world-class engineers and industrial designers work closely with sexual wellness experts, doctors and consumers to design and develop intimate products that work in sync with the human body. We use state-of-the-art techniques and tools to make sure our products set new industry standards for ergonomic design and high performance while remaining eco‑friendly and body-safe."

Hmmmm. No mentions of privacy nor security. Hopefully, a future About Us page revision will mention privacy and security. Hopefully, no government officials use these or other branded smart sex toys. This is exactly the type of data collection spies will use to embarrass and/or blackmail targets.

The settlement is a reminder that companies are willing, eager, and happy to exploit consumers' failure to read privacy policies. A study last year found that 74 percent of consumers surveyed never read privacy policies.

All of this should be a reminder to consumers that companies highly value the information they collect about their users, and generate additional revenue streams by selling information collected to corporate affiliates, advertisers, marketing partners, and/or data brokers. Consumers' smartphones are central to that data collection.

What are your opinions of the We-Vibe settlement? Of its products and security?


Can Customs and Border Officials Search Your Phone? These Are Your Rights

[Editor's note: today's guest post is by the reporters at ProPublica. Past actions by CBP, including the search of a domestic flight, have raised privacy concerns among many citizens. Informed consumers know their privacy rights before traveling. This news article first appeared on March 13 and is reprinted with permission.]

by Patrick G. Lee, ProPublica

A NASA scientist heading home to the U.S. said he was detained in January at a Houston airport, where Customs and Border Protection officers pressured him for access to his work phone and its potentially sensitive contents.

Last month, CBP agents checked the identification of passengers leaving a domestic flight at New York's John F. Kennedy Airport during a search for an immigrant with a deportation order.

And in October, border agents seized phones and other work-related material from a Canadian photojournalist. They blocked him from entering the U.S. after he refused to unlock the phones, citing his obligation to protect his sources.

These and other recent incidents have revived confusion and alarm over what powers border officials actually have and, perhaps more importantly, how to know when they are overstepping their authority.

The unsettling fact is that border officials have long had broad powers -- many people just don't know about them. Border officials, for instance, have search powers that extend 100 air miles inland from any external boundary of the U.S. That means border agents can stop and question people at fixed checkpoints dozens of miles from U.S. borders. They can also pull over motorists whom they suspect of a crime as part of "roving" border patrol operations.

Sowing even more uneasiness, ambiguity around the agency's search powers -- especially over electronic devices -- has persisted for years as courts nationwide address legal challenges raised by travelers, privacy advocates and civil-rights groups.

We've dug out answers about the current state-of-play when it comes to border searches, along with links to more detailed resources.

Doesn't the Fourth Amendment protect us from "unreasonable searches and seizures"?

Yes. The Fourth Amendment to the Constitution articulates the "right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures." However, those protections are lessened when entering the country at international terminals at airports, other ports of entry and subsequently any location that falls within 100 air miles of an external U.S. boundary.

How broad is Customs and Border Protection's search authority?

According to federal statutes, regulations and court decisions, CBP officers have the authority to inspect, without a warrant, any person trying to gain entry into the country and their belongings. CBP can also question individuals about their citizenship or immigration status and ask for documents that prove admissibility into the country.

This blanket authority for warrantless, routine searches at a port of entry ends when CBP decides to undertake a more invasive procedure, such as a body cavity search. For these kinds of actions, the CBP official needs to have some level of suspicion that a particular person is engaged in illicit activity, not simply that the individual is trying to enter the U.S.

Does CBP's search authority cover electronic devices like smartphones and laptops?

Yes. CBP refers to several statutes and regulations in justifying its authority to examine "computers, disks, drives, tapes, mobile phones and other communication devices, cameras, music and other media players, and any other electronic or digital devices."

According to current CBP policy, officials should search electronic devices with a supervisor in the room, when feasible, and also in front of the person being questioned "unless there are national security, law enforcement, or other operational considerations" that take priority. For instance, if allowing a traveler to witness the search would reveal sensitive law enforcement techniques or compromise an investigation, "it may not be appropriate to allow the individual to be aware of or participate in a border search," according to a 2009 privacy impact assessment by the Department of Homeland Security.

CBP says it can conduct these searches "with or without" specific suspicion that the person who possesses the items is involved in a crime.

With a supervisor's sign-off, CBP officers can also seize an electronic device -- or a copy of the information on the device -- "for a brief, reasonable period of time to perform a thorough border search." Such seizures typically shouldn't exceed five days, although officers can apply for extensions in up to one-week increments, according to CBP policy. If a review of the device and its contents does not turn up probable cause for seizing it, CBP says it will destroy the copied information and return the device to its owner.

Can CBP really search my electronic devices without any specific suspicion that I might have committed a crime?

The Supreme Court has not directly ruled on this issue. However, a 2013 decision from the U.S. Court of Appeals for the Ninth Circuit -- one level below the Supreme Court -- provides some guidance on potential limits to CBP's search authority.

In a majority decision, the court affirmed that cursory searches of laptops -- such as having travelers turn their devices on and then examining their contents -- does not require any specific suspicions about the travelers to justify them.

The court, however, raised the bar for a "forensic examination" of the devices, such as using "computer software to analyze a hard drive." For these more powerful, intrusive and comprehensive searches, which could provide access to deleted files and search histories, password-protected information and other private details, border officials must have a "reasonable suspicion" of criminal activity -- not just a hunch.

As it stands, the 2013 appeals court decision legally applies only to the nine Western states in the Ninth Circuit, including California, Arizona, Nevada, Oregon and Washington. It's not clear whether CBP has taken the 2013 decision into account more broadly: The last time the agency publicly updated its policy for searching electronic devices was in 2009. CBP is currently reviewing that policy and there is "no specific timeline" for when an updated version might be announced, according to the agency.

"Laptop computers, iPads and the like are simultaneously offices and personal diaries. They contain the most intimate details of our lives," the court's decision said. "It is little comfort to assume that the government -- for now -- does not have the time or resources to seize and search the millions of devices that accompany the millions of travelers who cross our borders. It is the potential unfettered dragnet effect that is troublesome."

During the 2016 fiscal year, CBP officials conducted 23,877 electronic media searches, a five-fold increase from the previous year. In both the 2015 and 2016 fiscal years, the agency processed more than 380 million arriving travelers.

Am I legally required to disclose the password for my electronic device or social media, if CBP asks for it?

That's still an unsettled question, according to Liza Goitein, co-director of the Liberty and National Security Program at the Brennan Center for Justice. "Until it becomes clear that it's illegal to do that, they're going to continue to ask," she said.

The Fifth Amendment says that no one shall be made to serve as "a witness against himself" in a criminal case. Lower courts, however, have produced differing decisions on how exactly the Fifth Amendment applies to the disclosure of passwords to electronic devices.

Customs officers have the statutory authority "to demand the assistance of any person in making any arrest, search, or seizure authorized by any law enforced or administered by customs officers, if such assistance may be necessary." That statute has traditionally been invoked by immigration agents to enlist the help of local, state and other federal law enforcement agencies, according to Nathan Wessler, a staff attorney with the ACLU's Speech, Privacy and Technology Project. Whether the statute also compels individuals being interrogated by border officials to divulge their passwords has not been directly addressed by a court, Wessler said.

Even with this legal uncertainty, CBP officials have broad leverage to induce travelers to share password information, especially when someone just wants to catch their flight, get home to family or be allowed to enter the country. "Failure to provide information to assist CBP may result in the detention and/or seizure of the electronic device," according to a statement provided by CBP.

Travelers who refuse to give up passwords could also be detained for longer periods and have their bags searched more intrusively. Foreign visitors could be turned away at the border, and green card holders could be questioned and challenged about their continued legal status.

"People need to think about their own risks when they are deciding what to do. US citizens may be comfortable doing things that non-citizens aren't, because of how CBP may react," Wessler said.

What is some practical advice for protecting my digital information?

Consider which devices you absolutely need to travel with, and which ones you can leave at home. Setting a strong password and encrypting your devices are helpful in protecting your data, but you may still lose access to your devices for undefined periods should border officials decide to seize and examine their contents.

Another option is to leave all of your devices behind and carry a travel-only phone free of most personal information. However, even this approach carries risks. "We also flag the reality that if you go to extreme measures to protect your data at the border, that itself may raise suspicion with border agents," according to Sophia Cope, a staff attorney at the Electronic Frontier Foundation. "It's so hard to tell what a single border agent is going to do."

The EFF has released an updated guide to data protection options here.

Does CBP recognize any exceptions to what it can examine on electronic devices?

If CBP officials want to search legal documents, attorney work product or information protected by attorney-client privilege, they may have to follow "special handling procedures," according to agency policy. If there's suspicion that the information includes evidence of a crime or otherwise relates to "the jurisdiction of CBP," the border official must consult the CBP associate/assistant chief counsel before undertaking the search.

As for medical records and journalists' notes, CBP says its officers will follow relevant federal laws and agency policies in handling them. When asked for more information on these procedures, an agency spokesperson said that CBP has "specific provisions" for dealing with this kind of information, but did not elaborate further. Questions that arise regarding these potentially sensitive materials can be handled by the CBP associate/assistant chief counsel, according to CBP policy. The agency also says that it will protect business or commercial information from "unauthorized disclosure."

Am I entitled to a lawyer if I'm detained for further questioning by CBP?

No. According to a statement provided by CBP, "All international travelers arriving to the U.S. are subject to CBP processing, and travelers bear the burden of proof to establish that they are clearly eligible to enter the United States. Travelers are not entitled to representation during CBP administrative processing, such as primary and secondary inspection."

Even so, some immigration lawyers recommend that travelers carry with them the number for a legal aid hotline or a specific lawyer who will be able to help them, should they get detained for further questioning at a port of entry.

"It is good practice to ask to speak to a lawyer," said Paromita Shah, associate director at the National Immigration Project of the National Lawyers Guild. "We always encourage people to have a number where their attorney can be reached, so they can explain what is happening and their attorney can try to intervene. It's definitely true that they may not be able to get into the actual space, but they can certainly intervene."

Lawyers who fill out this form on behalf of a traveler headed into the United States might be allowed to advocate for that individual, although local practices can vary, according to Shah.

Can I record my interaction with CBP officials?

Individuals on public land are allowed to record and photograph CBP operations so long as their actions do not hinder traffic, according to CBP. However, the agency prohibits recording and photography in locations with special security and privacy concerns, including some parts of international airports and other secure port areas.

Does CBP's power to stop and question people extend beyond the border and ports of entry?

Yes. Federal statutes and regulations empower CBP to conduct warrantless searches for people travelling illegally from another country in any "railway car, aircraft, conveyance, or vehicle" within 100 air miles from "any external boundary" of the country. About two-thirds of the U.S. population live in this zone, including the residents of New York City, Los Angeles, Chicago, Philadelphia and Houston, according to the ACLU.

As a result, CBP currently operates 35 checkpoints, where they can stop and question motorists traveling in the U.S. about their immigration status and make "quick observations of what is in plain view" in the vehicle without a warrant, according to the agency. Even at a checkpoint, however, border officials cannot search a vehicle's contents or its occupants unless they have probable cause of wrongdoing, the agency says. Failing that, CBP officials can ask motorists to allow them to conduct a search, but travelers are not obligated to give consent.

When asked how many people were stopped at CBP checkpoints in recent years, as well as the proportion of those individuals detained for further scrutiny, CBP said they didn't have the data "on hand" but that the number of people referred for secondary questioning was "minimum." At the same time, the agency says that checkpoints "have proven to be highly effective tools in halting the flow of illegal traffic into the United States."

Within 25 miles of any external boundary, CBP has the additional patrol power to enter onto private land, not including dwellings, without a warrant.

Where can CBP set up checkpoints?

CBP chooses checkpoint locations within the 100-mile zone that help "maximize border enforcement while minimizing effects on legitimate traffic," the agency says.

At airports that fall within the 100-mile zone, CBP can also set up checkpoints next to airport security to screen domestic passengers who are trying to board their flights, according to Chris Rickerd, a policy counsel at the ACLU's National Political Advocacy Department.

"When you fly out of an airport in the southwestern border, say McAllen, Brownsville or El Paso, you have Border Patrol standing beside TSA when they're doing the checks for security. They ask you the same questions as when you're at a checkpoint. 'Are you a US citizen?' They're essentially doing a brief immigration inquiry in the airport because it's part of the 100-mile zone," Rickerd said. "I haven't seen this at the northern border."

Can CBP do anything outside of the 100-mile zone?

Yes. Many of CBP's law enforcement and patrol activities, such as questioning individuals, collecting evidence and making arrests, are not subject to the 100-mile rule, the agency says. For instance, the geographical limit does not apply to stops in which border agents pull a vehicle over as part of a "roving patrol" and not a fixed checkpoint, according to Rickerd of the ACLU. In these scenarios, border agents need reasonable suspicion that an immigration violation or crime has occurred to justify the stop, Rickerd said. For stops outside the 100-mile zone, CBP agents must have probable cause of wrongdoing, the agency said.

The ACLU has sued the government multiple times for data on roving patrol and checkpoint stops. Based on an analysis of records released in response to one of those lawsuits, the ACLU found that CBP officials in Arizona failed "to record any stops that do not lead to an arrest, even when the stop results in a lengthy detention, search, and/or property damage."

The lack of detailed and easily accessible data poses a challenge to those seeking to hold CBP accountable to its duties.

"On the one hand, we fight so hard for reasonable suspicion to actually exist rather than just the whim of an officer to stop someone, but on the other hand, it's not a standard with a lot of teeth," Rickerd said. "The courts would scrutinize it to see if there's anything impermissible about what's going on. But if we don't have data, how do you figure that out?"

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.

 


Berners-Lee: 3 Reasons Why The Internet Is In Serious Trouble

Most people love the Internet. It's a tool that has made life easier and more efficient in many ways. Even with all of those advances, the founder of the Internet listed three reasons why our favorite digital tool is in serious trouble:

  1. Consumers have lost control of their personal information
  2. It's too easy for anyone to publish misinformation online
  3. Political advertising online lacks transparency

Tim Berners-Lee explained the first reason:

"The current business model for many websites offers free content in exchange for personal data. Many of us agree to this – albeit often by accepting long and confusing terms and conditions documents – but fundamentally we do not mind some information being collected in exchange for free services. But, we’re missing a trick. As our data is then held in proprietary silos, out of sight to us, we lose out on the benefits we could realise if we had direct control over this data and chose when and with whom to share it. What’s more, we often do not have any way of feeding back to companies what data we’d rather not share..."

Given appointees in the U.S. Federal Communications Commission (FCC) by President Trump, it will likely get worse as the FCC seeks to revoke online privacy and net neutrality protections for consumers in the United States. Berners-Lee explained the second reason:

"Today, most people find news and information on the web through just a handful of social media sites and search engines. These sites make more money when we click on the links they show us. And they choose what to show us based on algorithms that learn from our personal data that they are constantly harvesting. The net result is that these sites show us content they think we’ll click on – meaning that misinformation, or fake news, which is surprising, shocking, or designed to appeal to our biases, can spread like wildfire..."

Fake news has become so widespread that many public libraries, schools, and colleges teach students how to recognize fake news sites and content. The problem is more widespread and isn't limited to social networking sites like Facebook promoting certain news. It also includes search engines. Readers of this blog are familiar with the DuckDuckGo search engine for both online privacy online and to escape the filter bubble. According to its public traffic page, DuckDuckGo gets about 14 million searches daily.

Most other search engines collect information about their users and that to serve search results items related to what they've searched upon previously. That's called the "filter bubble." It's great for search engines' profitability as it encourages repeat usage, but is terrible for consumers wanting unbiased and unfiltered search results.

Berners-Lee warned that online political advertising:

"... has rapidly become a sophisticated industry. The fact that most people get their information from just a few platforms and the increasing sophistication of algorithms drawing upon rich pools of personal data mean that political campaigns are now building individual adverts targeted directly at users. One source suggests that in the 2016 U.S. election, as many as 50,000 variations of adverts were being served every single day on Facebook, a near-impossible situation to monitor. And there are suggestions that some political adverts – in the US and around the world – are being used in unethical ways – to point voters to fake news sites, for instance, or to keep others away from the polls. Targeted advertising allows a campaign to say completely different, possibly conflicting things to different groups. Is that democratic?"

What do you think of the assessment by Berners-Lee? Of his solutions? Any other issues?


Your Smart TV Is A Blabbermouth. How To Stop Its Spying On You

Internet-connected televisions, often referred to as "smart TVs," collect a wide variety of information about consumers. The devices track the videos you watch from several sources: cable, broadband, set-top box, DVD player, over-the-air broadcasts, and streaming devices. The devices collect a wide variety of information about consumers, including items such as as sex, age, income, marital status, household size, education level, home ownership, and household value. The TV makers sell this information to third parties, such as advertisers and data brokers.

Some people might call this "surveillance capitalism."

Reliability and trust with smart devices are critical for consumers. Earlier this month, Vizio agreed to pay $2.2 million to settle privacy abuse charges by the U.S. Federal Trade Commission (FTC).

What's a consumer to do to protect their privacy? This C/Net article provides good step-by-step instructions to turn off or to minimize the tracking by your smart television. The instructions include several smart TV brands: Samsung, Vizio, LG, Sony, and others. Sample instructions for one brand:

"Samsung: On 2016 TVs, click the remote's Home button, go to Settings (gear icon), scroll down to Support, then down to Terms & Policy. Under "Interest Based Advertisement" click "Disable Interactive Services." Under "Viewing Information Services" unclick "I agree." And under "Voice Recognition Services" click "Disable advanced features of the Voice Recognition services." If you want you can also disagree with the other two, Nuance Voice Recognition and Online Remote Management.

On older Samsung TVs, hit the remote's Menu button (on 2015 models only, then select Menu from the top row of icons), scroll down to Smart Hub, then select Terms & Policy. Disable "SynchPlus and Marketing." You can also disagree with any of the other policies listed there, and if your TV has them, disable the voice recognition and disagree with the Nuance privacy notice described above."

Browse the step-by-step instructions for your brand of television. If you disabled the tracking features on your smart TV, how did it go? If you used a different resource to learn about your smart TV's tracking features, please share it below.


Advocacy Groups And Legal Experts Denounce DHS Proposal Requiring Travelers To Disclose Social Media Credentials

U.S. Department of Homeland Security logo Several dozen human rights organizations, civil liberties advocates, and legal experts published an open letter on February 21,2017 condemning a proposal by the U.S. Department of Homeland Security to require the social media credentials (e.g., usernames and passwords) of all travelers from majority-Muslim countries. This letter was sent after testimony before Congress by Homeland Security Secretary John Kelly. NBC News reported on February 8:

"Homeland Security Secretary John Kelly told Congress on Tuesday the measure was one of several being considered to vet refugees and visa applicants from seven Muslim-majority countries. "We want to get on their social media, with passwords: What do you do, what do you say?" he told the House Homeland Security Committee. "If they don't want to cooperate then you don't come in."

His comments came the same day judges heard arguments over President Donald Trump's executive order temporarily barring entry to most refugees and travelers from Syria, Iraq, Iran, Somalia, Sudan, Libya and Yemen. Kelly, a Trump appointee, stressed that asking for people's passwords was just one of "the things that we're thinking about" and that none of the suggestions were concrete."

The letter, available at the Center For Democracy & Technology (CDT) website, stated in part (bold emphasis added):

"The undersigned coalition of human rights and civil liberties organizations, trade associations, and experts in security, technology, and the law expresses deep concern about the comments made by Secretary John Kelly at the House Homeland Security Committee hearing on February 7th, 2017, suggesting the Department of Homeland Security could require non-citizens to provide the passwords to their social media accounts as a condition of entering the country.

We recognize the important role that DHS plays in protecting the United States’ borders and the challenges it faces in keeping the U.S. safe, but demanding passwords or other account credentials without cause will fail to increase the security of U.S. citizens and is a direct assault on fundamental rights.

This proposal would enable border officials to invade people’s privacy by examining years of private emails, texts, and messages. It would expose travelers and everyone in their social networks, including potentially millions of U.S. citizens, to excessive, unjustified scrutiny. And it would discourage people from using online services or taking their devices with them while traveling, and would discourage travel for business, tourism, and journalism."

The letter was signed by about 75 organizations and individuals, including the American Civil Liberties Union, the American Library Association, the American Society of Journalists & Authors, the American Society of News Editors, Americans for Immigrant Justice, the Brennan Center for Justice at NYU School of Law, Electronic Frontier Foundation, Human Rights Watch, Immigrant Legal Resource Center, National Hispanic Media Coalition, Public Citizen, Reporters Without Borders, the World Privacy Forum, and many more.

The letter is also available here (Adobe PDF).


EU Privacy Watchdogs Ask Microsoft For Explanations About Data Collection About Users

A privacy watchdog group in the European Union (EU) are concerned about privacy and data collection practices by Microsoft. The group, comprising 28 agencies and referred to as the Article 29 Working Party, sent a letter to Microsoft asking for explanations about privacy concerns with the software company's Windows 10 operating system software.

The February 2017 letter to Brendon Lynch, Chief Privacy Officer, and to Satya Nadella, Chief Executive Officer, was a follow-up to a prior letter sent in January. The February letter explained:

"Following the launch of Windows 10, a new version of the Windows operating system, a number of concerns have been raised, in the media and in signals from concerned citizens to the data protection authorities, regarding protection of your users’ personal data... the Working Party expressed significant concerns about the default installation settings and an apparent lack of control for a user to prevent collection or further processing of data, as well as concerns about the scope of data that are being collected and further processed... "

Microsoft logo While Microsoft has been cooperative so far, the group's specific privacy concerns:

"... user consent can only be valid if fully informed, freely given and specific. Whilst it is clear that the proposed new express installation screen will present users with five options to limit or switch off certain kinds of data processing it is not clear to what extent both new and existing users will be informed about the specific data that are being collected and processed under each of the functionalities. The proposed new explanation when, for example, a user switches the level of telemetry data from 'full' to 'basic' that Microsoft will collect 'less data' is insufficient without further explanation. Such information currently is also not available in the current version of the privacy policy.

Additionally, the purposes for which Microsoft collects personal data have to be specified, explicit and legitimate, and the data may not be further processed in a way incompatible with those purposes. Microsoft processes data collected through Windows 10 for different purposes, including personalised advertising. Microsoft should clearly explain what kinds of personal data are processed for what purposes. Without such information, consent cannot be informed, and therefore, not valid..."

Visit this EU link for more information about the Article 29 Working Party, or download the Article 29 Working Party letter to Microsoft (Adobe PDF).


GOP Legislation In Congress To Revoke Consumer Privacy And Protections

Logo for Republican Party, also known as the GOP The MediaPost Policy Blog reported:

"Republican Senator Jeff Flake, who opposes the Federal Communications Commission's broadband privacy rules, says he's readying a resolution to rescind them, Politico reports. Flake's confirmation to Politico comes days after Rep. Marsha Blackburn (R-Tennessee), the head of the House Communications Subcommittee, said she intends to work with the Senate to revoke the privacy regulations."

Blackburn's name is familiar. She was a key part of the GOP effort in 2014 to keep state laws in place to limit broadband competition by preventing citizens from forming local broadband providers. To get both higher speeds and lower prices compared to offerings by corporate internet service providers (ISPs), many people want to form local broadband providers. They can't because 20 states have laws preventing broadband competition. A worldwide study in 2014 found the consumers in the United States get poor broadband value: pay more and get slower speeds. Plus, the only consumers getting good value were community broadband customers. In June 2014, the FCC announced plans to challenge these restrictive state laws that limit competition, and keep your Internet prices high. That FCC effort failed. To encourage competition and lower prices, several Democratic representatives introduced the Community Broadband Act in 2015.That legislation went nowhere in a GOP-controlled Congress.

Pause for a moment and let that sink in. Blackburn and other GOP representatives have pursued policies where we consumers all pay more for broadband due to the lack of competition. The GOP, a party that supposedly dislikes regulation and prefers free-market competition, is happy to do the opposite to help their corporate donors. The GOP, a party that historically has promoted states' rights, now uses state laws to restrict the freedoms of constituents at the city, town, and local levels. And, that includes rural constituents.

Too many GOP voters seem oblivious to this. Why Democrats failed to capitalize on this broadband issue, especially during the Presidential campaign last year, is puzzling. Everyone needs broadband: work, play, school, travel, entertainment.

Now, back to the effort to revoke the FCC's broadband privacy rules. Several cable, telecommunications, and advertising lobbies sent a letter in January asking Congress to remove the broadband privacy rules. That letter said in part:

"... in adopting new broadband privacy rules late last year, the Federal Communications Commission (“FCC”) took action that jeopardizes the vibrancy and success of the internet and the innovations the internet has and should continue to offer. While the FCC’s Order applies only to Internet Service Providers (“ISPs”), the onerous and unnecessary rules it adopted establish a very harmful precedent for the entire internet ecosystem. We therefore urge Congress to enact a resolution of disapproval pursuant to the Congressional Review Act (“CRA”) vitiating the Order."

The new privacy rules by the FCC require broadband providers (a/k/a ISPs) to obtain affirmative “opt-in” consent from consumers before using and sharing consumers' sensitive information; specify the types of information that are sensitive (e.g., geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications); stop using and sharing information about consumers that have opted out of information sharing; meet transparency requirements to clearly notify customers about the information collection sharing and how to change their opt-in or opt-out preferences, prohibit "take-it-or-leave-it" offers where ISPs can refuse to serve customers who don't consent to the information collection and sharing; and comply with "reasonable data security practices and guidelines" to protect the sensitive information collected and shared.

The new FCC privacy rules are common sense stuff, but clearly these companies view common-sense methods as a burden. They want to use consumers' information however they please without limits, and without consideration for consumers' desire to control their own personal information. And, GOP representatives in Congress are happy to oblige these companies in this abuse.

Alarmingly, there is more. Lots more.

The GOP-led Congress also seeks to roll back consumer protections in banking and financial services. According to Consumer Reports, the issue arose earlier this month in:

"... a memo by House Financial Services Committee Chairman Rep. Jeb Hensarling (R-Tex), which was leaked to the press yesterday... The fate of the database was first mentioned [February 9th] when Bloomberg reported on a memo by Hensarling, an outspoken critic of the CFPB. The memo outlined a new version of the Financial CHOICE Act (Creating Hope and Opportunity for Investors, Consumers and Entrepreneurs), a bill originally advanced by the House Financial Services Committee in September. The new bill would lead to the repeal of the Consumer Complaint Database. It would also eliminate the CFPB's authority to punish unfair, deceptive or abusive practices among banks and other lenders, and it would allow the President to handpick—and fire—the bureau's director at will."

Banks have paid billions in fines to resolve a variety of allegations and complaints about wrongdoing. Consumers have often been abused by banks. You may remember the massive $185 million fine for the phony accounts scandal at Wells Fargo. Or, you may remember consumers forced to use prison-release cards. Or, maybe you experienced debt collection scams. And, this blog has covered extensively much of the great work by the CFPB which has helped consumers.

Does these two legislation items bother you? I sincerely hope that they do bother you. Contact your elected officials today and demand that they support the FCC privacy rules.