270 posts categorized "Retail" Feed

European Regulators Fine Google $5 Billion For 'Breaching EU Antitrust Rules'

On Wednesday, European anti-trust regulators fined Google 4.34 billion Euros (U.S. $5 billion) and ordered the tech company to stop using its Android operating system software to block competition. ComputerWorld reported:

"The European Commission found that Google has abused its dominant market position in three ways: tying access to the Play store to installation of Google Search and Google Chrome; paying phone makers and network operators to exclusively install Google Search, and preventing manufacturers from making devices running forks of Android... Google won't let smartphone manufacturers install Play on their phones unless they also make its search engine and Chrome browser the defaults on their phones. In addition, they must only use a Google-approved version of Android. This has prevented companies like Amazon.com, which developed a fork of Android it calls FireOS, from persuading big-name manufacturers to produce phones running its OS or connecting to its app store..."

Reportedly, less than 10% of Android phone users download a different browser than the pre-installed default. Less than 1% use a different search app. View the archive of European Commission Android OS documents.

Yesterday, the European Commission announced on social media:

European Commission tweet. Google Android OS restrictions graphic. Click to view larger version

European Commission tweet. Vestager comments. Click to view larger version

And, The Guardian newspaper reported:

"Soon after Brussels handed down its verdict, Google announced it would appeal. "Android has created more choice for everyone, not less," a Google spokesperson said... Google has 90 days to end its "illegal conduct" or its parent company Alphabet could be hit with fines amounting to 5% of its daily [revenues] for each day it fails to comply. Wednesday’s verdict ends a 39-month investigation by the European commission’s competition authorities into Google’s Android operating system but it is only one part of an eight-year battle between Brussels and the tech giant."

According to the Reuters news service, a third EU case against Google, involving accusations that the tech company's AdSense advertising service blocks users from displaying search ads from competitors, is still ongoing.


The DIY Revolution: Consumers Alter Or Build Items Previously Not Possible. Is It A Good Thing?

Recent advances in technology allow consumers to alter, customize, or build locally items previously not possible. These items are often referred to as Do-It-Yourself (DIY) products. You've probably heard DIY used in home repair and renovation projects on television. DIY now happens in some unexpected areas. Today's blog post highlights two areas.

DIY Glucose Monitors

Earlier this year, CNet described the bag an eight-year-old patient carries with her everywhere daily:

"... It houses a Dexcom glucose monitor and a pack of glucose tablets, which work in conjunction with the sensor attached to her arm and the insulin pump plugged into her stomach. The final item in her bag was an iPhone 5S. It's unusual for such a young child to have a smartphone. But Ruby's iPhone, which connects via Bluetooth to her Dexcom monitor, allowing [her mother] to read it remotely, illustrates the way technology has transformed the management of diabetes from an entirely manual process -- pricking fingers to measure blood sugar, writing down numbers in a notebook, calculating insulin doses and injecting it -- to a semi-automatic one..."

Some people have access to these new technologies, but many don't. Others want more connectivity and better capabilities. So, some creative "hacking" has resulted:

"There are people who are unwilling to wait, and who embrace unorthodox methods. (You can find them on Twitter via the hashtag #WeAreNotWaiting.) The Nightscout Foundation, an online diabetes community, figured out a workaround for the Pebble Watch. Groups such as Nightscout, Tidepool and OpenAPS are developing open-source fixes for diabetes that give major medical tech companies a run for their money... One major gripe of many tech-enabled diabetes patients is that the two devices they wear at all times -- the monitor and the pump -- don't talk to each other... diabetes will never be a hands-off disease to manage, but an artificial pancreas is basically as close as it gets. The FDA approved the first artificial pancreas -- the Medtronic 670G -- in October 2017. But thanks to a little DIY spirit, people have had them for years."

CNet shared the experience of another tech-enabled patient:

"Take Dana Lewis, founder of the open-source artificial pancreas system, or OpenAPS. Lewis started hacking her glucose monitor to increase the volume of the alarm so that it would wake her in the night. From there, Lewis tinkered with her equipment until she created a closed-loop system, which she's refined over time in terms of both hardware and algorithms that enable faster distribution of insulin. It has massively reduced the "cognitive burden" on her everyday life... JDRF, one of the biggest global diabetes research charities, said in October that it was backing the open-source community by launching an initiative to encourage rival manufacturers like Dexcom and Medtronic to open their protocols and make their devices interoperable."

Convenience and affordability are huge drivers. As you might have guessed, there are risks:

"Hacking a glucose monitor is not without risk -- inaccurate readings, failed alarms or the wrong dose of insulin distributed by the pump could have fatal consequences... Lewis and the OpenAPS community encourage people to embrace the build-your-own-pancreas method rather than waiting for the tech to become available and affordable."

Are DIY glucose monitors a good thing? Some patients think so as a way to achieve convenient and affordable healthcare solutions. That might lead you to conclude anything DIY is an improvement. Right? Keep reading.

DIY Guns

Got a 3-D printer? If so, then you can print your own DIY gun. How did this happen? How did the USA get to here? Wired explained:

"Five years ago, 25-year-old radical libertarian Cody Wilson stood on a remote central Texas gun range and pulled the trigger on the world’s first fully 3-D-printed gun... he drove back to Austin and uploaded the blueprints for the pistol to his website, Defcad.com... In the days after that first test-firing, his gun was downloaded more than 100,000 times. Wilson made the decision to go all in on the project, dropping out of law school at the University of Texas, as if to confirm his belief that technology supersedes law..."

The law intervened. Wilson stopped, took down his site, and then pursued a legal remedy:

"Two months ago, the Department of Justice quietly offered Wilson a settlement to end a lawsuit he and a group of co-plaintiffs have pursued since 2015 against the United States government. Wilson and his team of lawyers focused their legal argument on a free speech claim: They pointed out that by forbidding Wilson from posting his 3-D-printable data, the State Department was not only violating his right to bear arms but his right to freely share information. By blurring the line between a gun and a digital file, Wilson had also successfully blurred the lines between the Second Amendment and the First."

So, now you... anybody with an internet connection and a 3-D printer (and a computer-controlled milling machine for some advanced parts)... can produce their own DIY gun. No registration required. No licenses nor permits. No training required. And, that's anyone anywhere in the world.

Oh, there's more:

"The Department of Justice's surprising settlement, confirmed in court documents earlier this month, essentially surrenders to that argument. It promises to change the export control rules surrounding any firearm below .50 caliber—with a few exceptions like fully automatic weapons and rare gun designs that use caseless ammunition—and move their regulation to the Commerce Department, which won't try to police technical data about the guns posted on the public internet. In the meantime, it gives Wilson a unique license to publish data about those weapons anywhere he chooses."

As you might have guessed, Wilson is re-launching his website, but this time with blueprints for more DIY weaponry besides pistols: AR-15 rifles and semi-automatic weaponry. So, it will be easier for people to skirt federal and state gun laws. Is that a good thing?

You probably have some thoughts and concerns. I do. There are plenty of issues and questions. Are DIY products a good thing? Who is liable? How should laws be upgraded? How can society facilitate one set of DIY products and not the other? What related issues do you see? Any other notable DIY products?


Adidas Announced A 'Potential' Data Breach Affecting Online Shoppers in the United States

Adidas announced on June 28 a "potential" data breach affecting an undisclosed number of:

"... consumers who purchased on adidas.com/US... On June 26, Adidas became aware that an unauthorized party claims to have acquired limited data associated with certain Adidas consumers. Adidas is committed to the privacy and security of its consumers' personal data. Adidas immediately began taking steps to determine the scope of the issue and to alert relevant consumers. adidas is working with leading data security firms and law enforcement authorities to investigate the issue..."

The preliminary breach investigation found that contact information, usernames, and encrypted passwords were exposed or stolen. So far, no credit card or fitness information of consumers was "impacted." The company said it is continuing a forensic review and alerting affected customers.

While the company's breach announcement did not disclose the number of affected customer, CBS News reported that hackers may have stolen data about millions of customers. Fox Business reported that the Adidas:

"... hack was reported weeks after Under Armour’s health and fitness app suffered a security breach, which exposed the personal data of roughly 150 million users. The revealed information included the usernames, hashed passwords and email addresses of MyFitnessPal users."

It is critical to remember that this June 28th announcement was based upon a preliminary investigation. A completed breach investigation will hopefully determine and disclose any additional data elements exposed (or stolen), how the hackers penetrated the company's computer systems, which systems were penetrated, whether any internal databases were damaged/corrupted/altered, the total number of customers affected, specific fixes implemented so this type of breach doesn't happen again, and descriptive information about the cyber criminals.

This incident is also a reminder to consumers to never reuse the same password at several online sites. Cyber criminals are persistent, and will use the same password at several sites to see where else they can get in. It is no relief that encrypted passwords were stolen, because we don't yet know if the encryption tools were also stolen (making it easy for the hackers to de-encrypt the passwords). Not good.

We also don't yet know what "contact information" means. That could be first name, last name, phone, street address, e-mail address, mobile phone numbers, or some combination. If e-mail addresses were stolen, then breach victims could also experience phishing attacks where fraudsters try to trick victims into revealing bank account, sign-in credentials, and other sensitive information.

If you received a breach notice from Adidas, please share it below while removing any sensitive, identifying information.


When "Unlimited" Mobile Plans Are Anything But

My apologies to readers for the 10-day gap in blog posts. I took a few days off to attend a high school reunion in another state. Time passes more quickly than you think. It was good to renew connections with classmates.

Speaking of connections, several telecommunications companies appear to either ignore or not know the meaning of "unlimited" for mobile internet access. 9To5mac reported:

"Not content with offering one ‘unlimited’ plan which isn’t, and a second ‘beyond unlimited’ plan which also isn’t, Verizon has now decided the solution to this is a third plan. The latest addition is called ‘above unlimited’ and, you guessed it, it’s not... The carrier has the usual get-out clause, claiming that all three plans really are unlimited, it’s just that they reserve the right to throttle your connection speed once you hit the stated, ah, limits."

Some of the mobile plans limit video to low-resolution formats. Do you prefer to watch in 2018 low-resolution video formatted to 2008 (or earlier)? I think not. Do you want your connection slowed after you reach a data download threshold? I think not.

I look forward to action by the U.S. Federal Trade Commission (FTC) to enforce the definition of "unlimited," since the "light-touch" regulatory approach by the Federal Communications Commission (FCC) means that the FCC has abandoned its duties regarding oversight of internet service providers.

Caveat emptor, or buyer beware, definitely applies. Wise consumers read the fine print before purchase of any online services.


FBI Warns Sophisticated Malware Targets Wireless Routers In Homes And Small Businesses

The U.S. Federal Bureau of Investigation (FBI) issued a Public Service Announcement (PSA) warning consumers and small businesses that "foreign cyber actors" have targeted their wireless routers. The May 25th PSA explained the threat:

"The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic... The malware targets routers produced by several manufacturers and network-attached storage devices by at least one manufacturer... VPNFilter is able to render small office and home office routers inoperable. The malware can potentially also collect information passing through the router. Detection and analysis of the malware’s network activity is complicated by its use of encryption and misattributable networks."

The "VPN" acronym usually refers to a Virtual Private Network. Why use the VPNfilter name for a sophisticated computer virus? Wired magazine explained:

"... the versatile code is designed to serve as a multipurpose spy tool, and also creates a network of hijacked routers that serve as unwitting VPNs, potentially hiding the attackers' origin as they carry out other malicious activities."

The FBI's PSA advised users to, a) reboot (e.g., turn off and then back on) their routers; b) disable remote management features which attackers could take over to gain access; and c) update their routers with the latest software and security patches. For routers purchased independently, security experts advise consumers to contact the router manufacturer's tech support or customer service site.

For routers leased or purchased from an internet service providers (ISP), consumers should contact their ISP's customer service or technical department for software updates and security patches. Example: the Verizon FiOS forums site section lists the brands and models affected by the VPNfilter malware, since several manufacturers produce routers for the Verizon FiOS service.

It is critical for consumers to heed this PSA. The New York Times reported:

"An analysis by Talos, the threat intelligence division for the tech giant Cisco, estimated that at least 500,000 routers in at least 54 countries had been infected by the [VPNfilter] malware... A global network of hundreds of thousands of routers is already under the control of the Sofacy Group, the Justice Department said last week. That group, which is also known as A.P.T. 28 and Fancy Bear and believed to be directed by Russia’s military intelligence agency... To disrupt the Sofacy network, the Justice Department sought and received permission to seize the web domain toknowall.com, which it said was a critical part of the malware’s “command-and-control infrastructure.” Now that the domain is under F.B.I. control, any attempts by the malware to reinfect a compromised router will be bounced to an F.B.I. server that can record the I.P. address of the affected device..."

Readers wanting technical details about VPNfilter, should read the Talos Intelligence blog post.

When consumers contact their ISP about router software updates, it is wise to also inquire about security patches for the Krack malware, which the bad actors have used recently. Example: the Verizon site also provides information about the Krack malware.

The latest threat provides several strong reminders:

  1. The conveniences of wireless internet connectivity which consumers demand and enjoy, also benefits the bad guys,
  2. The bad guys are persistent and will continue to target internet-connected devices with weak or no protection, including devices consumers fail to protect,
  3. Wireless benefits come with a responsibility for consumers to shop wisely for internet-connected devices featuring easy, continual software updates and security patches. Otherwise, that shiny new device you recently purchased is nothing more than an expensive "brick," and
  4. Manufacturers have a responsibility to provide consumers with easy, continual software updates and security patches for the internet-connected devices they sell.

What are your opinions of the VPNfilter malware? What has been your experience with securing your wireless home router?


Security Experts: Breach At Panera Bread Affected Millions. Questions Linger About Vulnerability Fix

Panera Bread logo Apparently, Panera Bread experienced a massive data breach, which the restaurant chain's management allegedly ignored for months. CSO Online reported:

"Panera Bread’s website leaked millions of customer records in plain text for at least eight months, which is how long the company blew off the issues reported by security researcher Dylan Houlihan... Houlihan shared copies of email exchanges with Panera Bread CIO John Meister – who at first accused Houlihan of trying to run a scam when he first reported the security vulnerability back in August 2017... Exactly eight months after reporting the issue to Panera Bread, Houlihan turned to KrebsOnSecurity. Krebs spoke to Meister, and the website was briefly taken offline. Less than two hours later, Panera said it had fixed the problem."

Reportedly, the sensitive customer information leaked included usernames, first and last names, email addresses, phone numbers, home addresses, birthdays, the last four digits of saved credit card numbers, dietary restrictions, food preferences, and "social account integration information."

Security experts disagree about two key issues: a) whether or not the vulnerability was fixed, and b) the number of affected consumers. Panera Bread claimed about 10,000 customers were affected. Then, that number went up:

"After some more poking, Hold Security reported to Krebs that Panera didn’t just leak plain text records of 7 million customers; “the vulnerabilities also appear to have extended to Panera’s commercial division, which serves countless catering companies. At last count, the number of customer records exposed in this breach appears to exceed 37 million.”

A check earlier today of the public-facing pages at Panera's website failed to find a breach notice, which companies usually provide after a data breach. Not good. Shoppers need to know. Many states have breach notification laws.

Panera's behavior doesn't inspire much confidence. It's internal breach-detection mechanisms seem to have failed, and its post-breach response seemed unprepared, unfocused, and disinterested. What do you think?


Amazon's Virtual Assistant Randomly Laughs. A Fix Is Underway

Image of Amazon Echo Dot virtual assistant
You may have read or viewed news reports about random, loud laughter by Amazon's virtual assistant products. Some users reported that the laughter was unprompted and with a different voice from the standard Alexa voice. Many users were understandably spooked.

Clearly, there is a problem. According to BuzzFeed, Amazon is aware of the problem and replied to its inquiry with this statement:

"In rare circumstances, Alexa can mistakenly hear the phrase 'Alexa, laugh.' We are changing that phrase to be 'Alexa, can you laugh?' which is less likely to have false positives, and we are disabling the short utterance 'Alexa, laugh.' We are also changing Alexa’s response from simply laughter to 'Sure, I can laugh,' followed by laughter..."

Hopefully, that will fix the #AlexaLaugh bug. No doubt, there will be more news to come about this.


Cozy Relationship Between The FBI And A Computer Repair Service Spurs 4th Amendment Concerns

Image of Geek Squad auto and two technicians. Click to view larger version The Electronic Frontier Foundation (EFF) has learned more about the relationship between Geek Squad, a computer repair service, and the U.S. Federal Bureau of Investigation (FBI). In a March 6th announcement, the EFF said it filed a:

"... FOIA lawsuit last year to learn more about how the FBI uses Geek Squad employees to flag illegal material when people pay Best Buy to repair their computers. The relationship potentially circumvents computer owners’ Fourth Amendment rights."

Founded in 1966, the Best Buy retail chain operates more than 1,500 stores in North America and employs more than 125,000 people. The chain sells home appliances and electronics both online and at stores in the United States, Canada, and Mexico. Located in about 1,100 Best Buy stores, Geek Squad provides repair services via phone, in-store, or at home. This means that Geek Squad employees configure and fix popular smart devices many consumers have purchased for their homes: cameras and camcorders, cell phones, computers and tablets, home theater, car electronics, home security (e.g., smart doorbells, smart locks, smart thermostats, wireless cameras), smart appliances (e.g., refrigerators, ovens, washing machines, dryers, etc.), smart speakers, video game consoles, wearables (e.g., fitness bands, smart watches), and more.

The 4th Amendment of the U.S. Constitution states:

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

It is most puzzling how a broken computer translates into probable cause for a search. The FOIA request was prompted by the prosecution of a doctor in California, "who was charged with possession of child pornography after Best Buy sent his computer to the Kentucky Geek Squad repair facility."

Logos for Best Buy and Geek Squad The FOIA request yielded documents which showed:

"... that Best Buy officials have enjoyed a particularly close relationship with the agency for at least 10 years. For example, an FBI memo from September 2008 details how Best Buy hosted a meeting of the agency’s “Cyber Working Group” at the company’s Kentucky repair facility... Another document records a $500 payment from the FBI to a confidential Geek Squad informant... over the years of working with Geek Squad employees, FBI agents developed a process for investigating and prosecuting people who sent their devices to the Geek Squad for repairs..."

The EFF announcement described that process in detail:

"... a series of FBI investigations in which a Geek Squad employee would call the FBI’s Louisville field office after finding what they believed was child pornography. The FBI agent would show up, review the images or video and determine whether they believe they are illegal content. After that, they would seize the hard drive or computer and send it to another FBI field office near where the owner of the device lived. Agents at that local FBI office would then investigate further, and in some cases try to obtain a warrant to search the device... For example, documents reflect that Geek Squad employees only alert the FBI when they happen to find illegal materials during a manual search of images on a device and that the FBI does not direct those employees to actively find illegal content. But some evidence in the case appears to show Geek Squad employees did make an affirmative effort to identify illegal material... Other evidence showed that Geek Squad employees were financially rewarded for finding child pornography..."

Finding child pornography and prosecuting perpetrators is a worthy goal, but the FBI-Geek Squad program seems to blur the line between computer repair and law enforcement. The program and FOIA documents raise several questions:

  1. What are the program details (e.g., training, qualifications for informants, payments, conditions for payments, scope, etc.) for financial rewarding Geek Squad employees for finding child pornography?
  2. What other computer/appliance repair vendors does the FBI operate similar programs with?
  3. What quality control measures does the program contain to prevent wrongful prosecutions?
  4. What penalties or consequences, if any, for Geek Squad employees who falsely reported child pornography claims?
  5. Is this Geek Squad program nationwide, or if not, in which states does it operate?
  6. In cases of suspected child pornography, what other information on targets' devices is collected and archived by the FBI through this program?
  7. Were/are whole hard drives copied and archived?
  8. How long is information archived?
  9. Does the program between the FBI and Geek Squad target other types of crime  and threats (e.g., terrorism)?
  10. What other law enforcement or security agencies does Geek Squad have cozy relationships with?

I'm sure there are more questions to be asked. What are your opinions?

Image of Geek Squad services promoted on Best Buy site


Mystery Package Scam Operating on Amazon Site. What It Is, The Implications, And Advice For Victims

Amazon logo Last fall, a couple living in a Boston suburb started receiving packages they didn't order from Amazon, the popular online retailer. The Boston Globe reported that the couple living in Acton, Massachusetts:

"... contacted Amazon, only to be told that the merchandise was paid for with a gift card. No sender’s name, no address. While they’ve never been charged for anything, they fear they are being used in a scam... The first package from Amazon landed on Mike and Kelly Gallivan’s front porch in October. And they have continued to arrive, packed with plastic fans, phone chargers, and other cheap stuff, at a rate of one or two a week."

The packages were delivered to the intended recipient. Nobody knows who sent the items: wireless chargers, a high-intensity flashlight, a Bluetooth speaker, a computer vacuum cleaner, LED tent lamps, USB cables, and more. After receiving 25 packages since October, the couple now wants it to stop. What seemed funny at first, is now a nuisance.

The Gallivans are not alone. CBC News reported that students at several universities in Canada have also received mystery packages containing a variety of items they didn't order:

"The items come in Amazon packaging, but there's no indication who's ordering the goods from the online retail giant. "We're definitely confused by it," said Shawn Wiskar, University of Regina Students' Union vice-president of student affairs. His student union has received about 15 anonymous packages from Amazon since late November, many of which contained multiple items. Products sent so far include iPad cases, a kitchen scale and a "fleshlight" — a male sex toy in the shape of a flashlight... Six other university student unions — Dalhousie in Halifax; St. Francis Xavier in Antigonish (Nova Scotia); Ryerson in Toronto; Wilfrid Laurier in Waterloo, Ontario; Royal Roads in Victoria; and the University of Manitoba in Winnipeg — have also confirmed that they've been receiving mysterious Amazon packages since the fall."

Experts speculate that the mystery packages were sent by fraudsters trying to game the retailer's review system. Consumers buy products on Amazon.com either directly from the retailer or from independent sellers listed on the site. The Boston Globe explained:

"Here’s how two experts who used to work for Amazon, James Thomson and Chris McCabe, say it probably works: A seller trying to prop up a product would set up a phony e-mail account that would be used to establish an Amazon account. Then the seller would purchase merchandise with a gift card — no identifying information there — and send it to a random person, in this case the Gallivans. Then, the phantom seller, who controls the “buyer’s” e-mail account, writes glowing reviews of the product, thus boosting the Amazon ranking of the product."

If true, then there probably are a significant number of bogus reviews on the Amazon site. The Boston Globe's news item also suggested that a data breach within a seller's firm might have provided scammers with valid mailing addresses:

"How did Mike, to whom the packages are addressed, get drawn into this? On occasion he’s ordered stuff on Amazon and received it directly from a manufacturer, once from China. That manufacturer or some affiliate may have scooped Mike’s name and address."

If true, then that highlights the downside of offshore outsourcing, where other countries don't mandate data breach disclosures. Earlier in 2017, a resident of Queens in New York City received packages with products she didn't order:

"... All she knows is that the sender is some guy named Kevin who uses Amazon gift cards... And she’s reported the packages to the NYPD, the FBI and the Better Business Bureau since Amazon hasn’t made the deliveries stop."

In that news report, a security expert speculated that criminals were testing stolen debit- and gift-card numbers. Did a seller have a data breach which went unreported? Lots of questions and few answers.

Security experts advise consumers to report packages they didn't order to various law enforcement and agencies, as the Queens resident did. Ultimately, her deliveries stopped, but not for the Gallivans.

Amazon has been unable to identify the perpetrators. At press time, a search of Amazon's Help and Customer Service site section failed to find content helping consumers victimized by this scam.

Perhaps, it is time for law enforcement and the U.S. Federal Trade Commission to step in. Regardless, we consumers will probably hear more news in the future about this scam.


Burger King's Whopper Neutrality Ad. Sincere 'Net Neutrality' Support Or Slick Corporate Advertising?

If you haven't seen it, there is a Whopper Neutrality ad online by Burger King, explains net neutrality in a very easy-to-understand way. Blog post continues after the video:

A November, 2017 poll found that 52 percent of registered voters supported the current rules, including 55 percent of Democrats and 53 percent of Republicans. After that poll, the Commissioners at the FCC voted to killed net neutrality protections for consumers.

Some have questions whether the ad is sincere support of an issue consumers care about, or slick corporate advertising which capitalize on a hot topic. I like the ad. Anything that helps more consumers understand the issue, and what we've lost, is a good thing.

Another view of the ad by The Young Turks. Share your opinions below after the video:

Related posts about net neutrality:


The United States Has A Problem: Declining Foreign Visitors

Visit-usa-coalition-figure1
The United States has a problem: the number of international visitors is declining. What are companies doing to counter this, lost revenues, and other negative impacts? Bloomberg reported (bold emphasis added):

"... 10 business associations, including the U.S. Chamber of Commerce and the National Restaurant Association, have created a travel industry group aimed at reversing the growing unpopularity of the U.S. as a vacation destination. So [last week], some of its biggest players unveiled the "Visit U.S. Coalition" to spur the Trump administration into enacting friendlier visa and border-security policies at a time when federal agencies are doing the opposite... Since 2015, the U.S. and Turkey have been the only places among the top dozen global travel destinations to experience a decline in inbound visitors, a time when other nations such as Australia, Canada, China and the United Kingdom have marked sizable gains..."

Visit-usa-coaltion-figure3Foreign visitors spend their travel money here, which helps businesses in the USA. The amount of the travel decline is measurable:

"... the Commerce Department reported a 3.3 percent drop in traveler spending for last year, through November, the equivalent of $4.6 billion in losses and 40,000 jobs. The U.S. share of international long-haul travel fell to 11.9 percent last year, from 13.6 percent in 2015, according to the U.S. Travel Association, a slippage the group said equates to 7.4 million visitors and $32.2 billion in spending."

According to its website, the Visit U.S. Coalition includes the following founding members: American Gaming Association, American Hotel & Lodging Association, American Society of Association Executives, Asian American Hotel Owners Association, International Association of Exhibitions and Events, National Restaurant Association, National Retail Federation, Society of Independent Show Organizers, the U.S. Chamber of Commerce, and the U.S. Travel Association.

What does this mean? What might the consequences be?

First, if the foreign tourism decline continues, experience tells us that after prolonged revenue losses, affected industries (e.g., hotels, transportation, restaurants, retail shopping, etc.) and companies will layoff or terminate workers. Not good for workers. Not good for the United States economy.

Second, it's great that several companies have organized together into groups... trade associations for several industries; and then several trade associations organized into a coalition... what you might call an uber-trade association... to highlight their concerns, remain competitive, and advocate for their interests. You'd expect any administration which promised to be pro-business would listen these concerns.

Third, the freedom to organize is an important part of a democracy, and a competitive marketplace. Workers want this freedom, too. Sadly, too many corporate executives and politicians deny workers the same freedoms they want their businesses to enjoy. You've probably heard the claim: "corporations are people, my friend." I guess they are a special class of people with more freedom than flesh-and-blood persons.

What do you think of the foreign visitor travel decline?


Royal Caribbean Cruise Line And CPP-The Myers-Briggs Offer Travel Personality Quiz

Inc. Magazine warned in 2016, "ready or not, companies will soon be tracking your emotions." Most Facebook users already knows this. Also in 2016, the social networking site expanded several reaction buttons beyond its (in)famous "Like" button to cover several emotions (e.g., "Love," "Haha," "Wow," "Sad," "Angry"):

Facebook-emotions-buttons

Maybe you have used these reaction buttons. Companies do this because effective marketing appeals to emotions instead of reason.

Now, a popular cruise line has taken things a step further. Cruise Critic, a popular travel site, announced:

"... Royal Caribbean has teamed up with CPP-The Myers-Briggs Company to launch a quiz that offers cruise recommendations based on your personality type. The assessment tool, found on MyAdventurePersonality.com, asks users 13 questions as they pertain to personal behavior and preferences... Once the results are calculated, users will be designated a travel personality type, such as Expert Adventure Planner, Laidback Wanderer and Spontaneous Sightseer. They also will receive an itinerary recommendation best suited for their type, with planning tips."

What is the Myers'Briggs assessment tool? The Myers-Briggs Foundation site explains:

"The purpose of the Myers-Briggs Type Indicator® (MBTI®) personality inventory is to make the theory of psychological types described by C. G. Jung understandable and useful in people's lives. The essence of the theory is that much seemingly random variation in the behavior is actually quite orderly and consistent, being due to basic differences in the ways individuals prefer to use their perception and judgment... In developing the Myers-Briggs Type Indicator [instrument], the aim of Isabel Briggs Myers, and her mother, Katharine Briggs, was to make the insights of type theory accessible to individuals and groups... The identification of basic preferences of each of the four dichotomies specified or implicit in Jung's theory. The identification and description of the 16 distinctive personality types that result from the interactions among the preferences."

Indeed, this assessment tool became very accessible. The Seattle Times reported in 2013:

"Chances are you’ve taken the Myers-Briggs Type Indicator (MBTI), or will. Roughly 2 million people a year do. It has become the gold standard of psychological assessments, used in businesses, government agencies and educational institutions... More than 10,000 companies, 2,500 colleges and universities and 200 government agencies in the United States use the test... It’s estimated that 50 million people have taken the Myers-Briggs personality test since the Educational Testing Service first added the research to its portfolio in 1962... Organizations administer the MBTI assessment to employees in one of two ways. They either pay for someone in their human-resources department to become certified, then pay the materials costs each time employees take the test. Or, they contract with certified, independent training consultants or leadership coaches."

Selected questions from the MyAdventurePersonality site. Click to view larger version The travel quiz uses different and fewer (13 versus ~ 88) forced-choice questions than the MBTI. Plus, the travel quiz categorizes consumers into four travel personality types (versus 16 types by the MBTI). And, the MBTI tool is administered by certified professionals in an ethical manner. So, consumers shouldn't assume that the travel quiz is as rigorous as the MBTI. Admittedly, MyAdventurePersonality may add more questions and/or types in the future.

If you are considering the travel quiz, wise consumers always read the fine print, first. The MyAdventurePersonality site uses the same legal and privacy policies as the core Royal Caribbean cruise line site. So, consumers should know that whatever they submit to the travel quiz will probably be freely shared with other entities, since the Royal Caribbean Privacy Policy does not state any limitations.

The MyAdventurePersonality site may be a marketing gimmick to attract new customers and/or better target e-mail marketing campaigns to current and prospective cruise travelers.

Me? After 28 cruise ship vacations (with many on Royal Caribbean ships) to many areas of the planet, I know my travel needs and preferences very well. So, I doubt the quiz will tell me something I don't already know.

What do you think? Should companies uses these types of quizzes?


Smart Lock Maker Suspends Operations

Otto, a smart lock maker, has suspended operations. Sam Jadallah, the firm's CEO, announced the suspension just before the Consumer Electronics Show (CES). TechCrunch reported:

"The company made the decision just ahead of the holidays, a fact that founder and CEO Sam Jadallah recently made public with a lengthy Medium post now pinned to the top of the startup’s site... Jadallah told TechCrunch that the company’s lock made it as far as the manufacturing process, and is currently sitting in a warehouse, unable to be sold by a hardware startup that is effectively no longer operating... The long and short of it is that the company was about to be acquired by someone with a lot more resources and experience in bringing a product to market, only to have the rug apparently pulled out at the last minute..."

The digital door lock market includes a variety of types and technologies, such as biometrics, face recognition, iris recognition, palm recognition, voice recognition, fingerprint recognition, keypad locks, and magnetic stripe locks. Consumer Reports rated bothh door locks and smart locks.

Several digital locks are available at online retail sites, including products by August, Brilong, Kwikset, Samsung, and several other makers.


Futurism: Your Life Without Net Neutrality Protections

Federal communications Commission logo You've probably heard that Ajit Pai, the Chairman of the U.S. Federal Communications Commission (FCC), is leading his agency towards a vote on December 14, 2017 to kill net neutrality. How will consumers' online lives change? Futurism described what your online life will be like without net neutrality:

"You’re at work and want to check Facebook on your lunch break to see how your sister is doing. This is not exactly a straightforward task, as your company uses Verizon. You’re not about to ask your boss if they’d consider putting up the extra cash every month so that you can access social media in the office, so you’ll have to wait until you get home.

That evening, you log in to pay your monthly internet bill — or rather, bills.

See, there’s the baseline internet cost, but without net neutrality, you also have to pay a separate monthly fee for social media, another for "leisure" pages like Reddit and Imgur, and another still for liberal-leaning news sites — because your provider’s CEO is politically conservative. Not only is your bill confusing, you’re not sure you can really afford to access all these websites that, at one point in time, you took for granted.

In addition to the sites you can access if you pay for them, there are also websites that have just become lost to you. Websites that you once frequented, but that now, you aren’t even sure how to access anymore. You can’t even pay to access them. You used to like reading strange Wikipedia articles late at night and cruising for odd documentaries — but now, all those interests that once entertained and educated you in your precious and minimal free time are either behind yet another separately provided paywall or blocked entirely. You’ve started to ask around, see if your friends or coworkers with other providers have better access... but the story is pretty much always the same."

Net neutrality meme highlighting blocked content. Click to view larger version In short, without net neutrality:

  1. You will lose the freedom to use the internet bandwidth you've purchased monthly as you desire;
  2. Corporate internet service providers (ISPs) increase their their revenues and profits by adding tolls to each package in a sliced-and-diced approach to internet content;
  3. Your internet bill will become just as confusing, frustrating, and expensive as your cable-TV bill, where ISPs force you to buy several expensive packages of sites in order to access your favorite sites;
  4. The new, expensive tolls allow ISPs to decide what internet content you see and don't see. Sites or content producers unwilling to pay fees to ISPs will find their content blocked or relegated to "slow" speed lanes; and
  5. Both middle-class and poor online users will bear the brunt of the price increases.

If you think this can't happen in the United States, consider:

"Some countries are already living this reality. In New Zealand, Vodafone offers mobile internet packages that are comprised of different types of services. You might have to pay a certain amount to access social apps like Snapchat and Instagram, and a separate fee to chat with friends via Facebook Messenger and iMessage. A similar framework is used by Portugal’s MEO, where messaging, social media, music streaming, video streaming, and email are also split into separate packages.

Long ago, FCC Chairman Pai made his position clear. Breitbart News reported on April 28, 2017:

"Federal Communications Commission (FCC) Chairman Ajit Pai told Breitbart News in an exclusive interview that an open and free internet is vital for America in the 21st century. During a speech at the Newseum on Wednesday, Pai said he plans to roll back the net-neutrality regulations and to restore the light-touch regulatory system established by President Bill Clinton and Congressional Republicans by the 1996 Telecommunications Act... Chairman Pai said during his speech that the internet prospered before net neutrality was enacted... Breitbart News asked the FCC chief why he thinks that net neutrality is a problem, and why we must eliminate the rule. He said: "Number one there was no problem to solve, the internet wasn’t broken in 2015. In that situation, it doesn’t seem me that preemptive market-wide regulation is necessary. Number two, even if there was a problem, this wasn’t the right solution to adopt. These Title II regulations were inspired during the Great Depression to regulate Ma Bell which was a telephone monopoly. And the broadband market we have is very different from the telephone market of 1934. So, it seems to me that if you have 4,462 internet service providers and if a few of them are behaving in a way that is anti-competitive or otherwise bad for consumer welfare then you take targeted action to deal with that. You don’t declare the entire market anti-competitive and treat everyone as if they are a monopolist. Going forward we are going to propose eliminating that Title II classification and figure out the right way forward. The bottom line is, everyone agrees on the principles of a free and open internet what we disagree with is how many regulations are needed to preserve the internet." "

Note the language. Pai uses "free and open internet" to refer to freedoms for ISPs to do what they want; a slick attempt to co-opt language net neutrality proponentsused for freedoms for consumers go online where they want without additional fees. Pai's "Light touch" means fewer regulations for ISPS regardless of the negative consequences upon consumers. Pai's comments in April attempted to spin existing net neutrality laws as antiquated ("the telephone market of 1934"), when, in fact, net neutrality was established recently... in 2010. Even the same Breitbart News article admitted this:

"Net neutrality passed under former Democrat Tom Wheeler’s FCC in 2010."

Pai's exaggerations and falsehoods are astounding. Plenty of bogus claims by Pai and net neutrality critics. In January of this year, President Donald Trump appointed Ajit Pai, a former lawyer with Verizon, as the FCC Chairman. Earlier this year, CNN reported:

"More than 1,000 startups and investors have now signed an open letter to Pai opposing the proposal. The Internet Association, a trade group representing bigger companies like Facebook, Google, and Amazon, has also condemned the plan. "The current FCC rules are working for consumers and the protections need to be kept in tact," Michael Beckerman, president and CEO of the Internet Association, said at a press conference Wednesday."

Regular readers of this blog are aware that more than "a few" ISPs committed abused consumers and content producers. (A prior blog post listed many historical problems and abuses of consumers by some ISPs.) Also, consider this: Pai made his net-neutrality position clear long before the public submitted comments to the FCC this past summer. Sounds like he never really intended to listen to comments from the public. Not very open minded.

As bad it all of this sounds, it's even worse. How? An FCC Commissioner, 28 U.S. senators, and the New York State Attorney General (AG) have lobbied FCC Chairman Pai to delay the net neutrality vote planned by the FCC on December 14, due to clear and convincing evidence of the massive fraud of comments submitted to the FCC's online commenting system.

In short, the FCC's online comments system is corrupted, hacked, and unreliable. The group (e.g., FCC commissioner, 28 Senators, and NY State AG) also objects to the elimination of net neutrality on the merits.

The fraud evidence is pretty damning, but Chairman Pai seems intent upon going ahead with a vote to kill net neutrality despite the comments fraud. Why? How? Ars Technica reported on December 4th:

"FCC Chairman Ajit Pai says that net neutrality rules aren't needed because the Federal Trade Commission can protect consumers from broadband providers... When contacted by Ars, Pai's office issued this statement in response to the [delay request] letter: "This is just evidence that supporters of heavy-handed Internet regulations are becoming more desperate by the day as their effort to defeat Chairman Pai's plan to restore Internet freedom has stalled. The vote will proceed as scheduled on December 14."

I find the whole process deeply disturbing. First, only 28 U.S. Senators seem concerned about the massive comments fraud. Why aren't all 100 concerned? Second, why aren't any House members concerned? Third, President Trump hasn't said anything about it. (This makes one wonder if POTUS45 either doesn't care consumers are hurt, or is asleep at the wheel.) Elected officials in positions of responsibility seem willing to ignore valid concerns.

Logo-verizon-protestsMany consumers are concerned, and protests to keep net neutrality are scheduled for later today outside Verizon stores nationwide. What do you think?


Security Researchers Announce Another Method To Defeat Apple Face ID

Bkav-artificial-mask
You may remember, earlier this year Apple launched its iPhone X with Face ID feature for users to unlock their phones:

"Your face is now your password. Face ID is a secure and private new way to unlock, authenticate, and pay... Face ID is enabled by the TrueDepth camera and is simple to set up. It projects and analyzes more than 30,000 invisible dots to create a precise depth map of your face."

Like it or not, there is no security system for your smartphone that can't be defeated. Mashable reported yesterday that security researchers have found another method to defeat Face ID:

"The same Vietnamese team that managed to trick Face ID with an elaborately constructed mask now says it has found a way to create a replicated face capable of unlocking Apple's latest and greatest biometric using a series of surreptitiously snagged photographs. Apple has copped to the fact that Face ID, for all its technical prowess, isn't perfect. It can be tricked by twins. For

The Bkav researchers explained in a blog post how their crude mask defeated Face ID:

"Bkav used a 3D mask (which costs ~200 USD), made of stone powder, with glued 2D images of the eyes. Bkav experts found out that stone powder can replace paper tape (used in previous mask) to trick Face ID' AI at higher scores. The eyes are printed infrared images – the same technology that Face ID itself uses to detect facial image. These materials and tools are casual for anyone. An iPhone X has its highest security options enabled, then has the owner's face enrolled to set up Face ID, then is immediately put in front of the mask, iPhone X is unlocked immediately. There is absolutely no learning of Face ID with the new mask in this experiment."

The same blog post also explained how a three-dimensional model can defeat Face ID:

"Bkav researchers said that making 3D model is very simple. A person can be secretly taken photos in just a few seconds when entering a room containing a pre-setup system of cameras located at different angles. Then, the photos will be processed by algorithms to make a 3D object.

It can be said that, until now, Fingerprint is still the most secure biometric technology. Collecting a fingerprint is much harder than taking photos from a distance. Meanwhile, just by taking photos from a distance to create 3D objects as mentioned above, both Apple's Face ID and Samsung's Iris Scanner can be bypassed easily."

Experts advise consumers to continue using passcodes, especially for online banking apps. And high-value targets (e.g., senior corporate executives, government officials, politicians, attorneys, etc.) probably shouldn't use facial recognition features to unlock their mobile devices.

I guess that 3-D models will provide law enforcement (and spy agencies) with new ways to use their archived collections of facial images. The Guardian reported earlier this year:

"Approximately half of adult Americans’ photographs are stored in facial recognition databases that can be accessed by the FBI, without their knowledge or consent, in the hunt for suspected criminals. About 80% of photos in the FBI’s network are non-criminal entries, including pictures from driver’s licenses and passports. The algorithms used to identify matches are inaccurate about 15% of the time, and are more likely to misidentify black people than white people."

What do you think?


German Regulator Bans Smartwatches For Children

VTech Kidizoom DX smartwatch for children. Select for larger version Parents: considering a smartwatch for your children or grandchildren? Consider the privacy implications first. Bleeping Computer reported on Friday:

"Germany's Federal Network Agency (Bundesnetzagentur), the country's telecommunications agency, has banned the sale of children's smartwatches after it classified such devices as "prohibited listening devices." The ban was announced earlier today... parents are using their children's smartwatches to listen to teachers in the classroom. Recording or listening to private conversations is against the law in Germany without the permission of all recorded persons."

Some smartwatches are designed for children as young as four years of age. Several brands are available at online retailers, such as Amazon and Best Buy.

Why the ban? Gizmodo explained:

"Saying the technology more closely resembles a “spying device” than a toy... Last month, the European Consumer Organization (BEUC) warned that smartwatches marketed to kids were a serious threat to children’s privacy. A report published by the Norwegian Consumer Council in mid-October revealed serious flaws in several of the devices that could easily allow hackers to seize control. "

Clearly, this is another opportunity for parents to carefully research and consider smart device purchases for their family, to teach their children about privacy, and to not record persons without their permission.


Whole Foods Says Data Breach 'Resolved'

Whole Foods Market logo During the weekend, Whole Foods Markets announced in a customer notification update that it had "resolved" a recent data breach involving the unauthorized access of customers' payment information in certain stores. The customer notification update stated:

"Whole Foods Market has resolved the incident previously announced on September 28, 2017, involving unauthorized access of payment card information used at certain venues such as tap rooms and full table-service restaurants located within some stores. These venues use a different point of sale system than the company’s primary store checkout systems, and payment cards used at the primary store checkout systems were not affected. Whole Foods Market learned of the unauthorized access on September 23, 2017. The company conducted an investigation, obtained the help of a leading cyber security forensics firm, and contacted law enforcement. Whole Foods Market replaced these point of sale systems for payment card transactions and stopped the unauthorized activity..."

Reportedly, the breach included about 100 locations. The company operates about 473 stores nationwide.

The breach method used by criminals and the types of payment information accessed:

"The investigation determined that unauthorized software was present on the point of sale system at certain venues. The software copied payment card information—which could have included payment card account number, card expiration date, internal verification code, and cardholder name—of customers who used a payment card at these venues at dates that vary by venue but are no earlier than March 10, 2017 and no later than September 28, 2017."

Earlier this year, Amazon acquired Whole Foods for about $13.7 billion. Whole Foods said that Amazon.com systems do not connect to the payment systems at Whole Foods stores, and that transactions on the Amazon.com site were not affected. An October 20, 2017 press release repeated most of the same information as the customer notification.

Besides the replacement of affected point-of-sale terminals, the customer notification did not elaborate about exactly how the breach was "resolved," how the malware was installed in the terminals, nor how the resolution will keep this type of breach from happening again. Often, a resolution includes the hardening of certain computer systems, improved malware detection software, improved managerial oversight, and/or the training of employees. This seems especially important for retail stores with multiple, exposed payment terminals.

Within the Whole Foods website, its September 28, 2017 press release headline links to the same October 20th customer information update. It seems the company deleted the September press release. Why do this? It makes it difficult for readers to determine what's new or changed since the September 28 disclosure.

Plus, hacking details matter. As readers of this blog know, unattended, free-standing payment terminals in retail stores have long been high-value targets for criminals armed with skimming devices. Was the malware introduced locally (e.g., manually by a person) at each terminal or centrally through the company's computer network? Sadly, the update did not explain. Hopefully, future updates will.

Until then, it's hard for customers to trust that the breach was fully "resolved." Replacing the affected terminals is no guarantee that the malware won't be re-introduced into the replacement terminals. If I continue to shop there, I'll use cash. What do you think?


Hacked Butt Plug Highlights Poor Security Of Many Mobile Devices

Image of butt plug, Hush by Lovense. Click to view larger version

In a blog post on Tuesday, security researcher Giovanni Mellini  discussed how easy it was to hack a Bluetooth-enabled butt plug. Why this Internet-connected sex toy? Mellini explained that after what started as a joke he'd bought a few weeks ago:

"... a Bluetooth Low Energy (BLE) butt plug to test the (in)security of BLE protocol. This caught my attention after researchers told us that a lot of sex toys use this protocol to allow remote control that is insecure by design."

Another security researcher, Simone Margaritelli had previously discussed a BLE scanner he wrote called BLEAH and how to use it to hack BLE-connected devices. Mellini sought to replicate Margaritelli's hack, and was successful:

"The butt plug can be remotely controlled with a mobile application called Lovense Remote (download here). With jadx you can disassemble the java application and find the Bluetooth class used to control the device. Inside you can find the strings to be sent to the toy to start vibration... So we have all the elements to hack the sex toy with BLEAH... At the end is very easy to hack BLE protocol due to poor design choices. Welcome to 2017."

Welcome, indeed, to 2017. The seems to be the year of hacked mobile devices. Too many news reports about devices with poor (or no) security: the encryption security flaw in many home wireless routers and devices, patched Macs still vulnerable to firmware hacks, a robovac maker's plans to resell interior home maps its devices created, a smart vibrator maker paid hefty fines to settle allegations it tracked users without their knowledge nor consent, security researchers hacked a popular smart speaker, and a bungled software update bricked many customers' smart door locks.

In 2016, security researchers hacked an internet-connected vibrator.

And, that's some of the reports. All of this runs counter to consumers' needs. In August, a survey of consumers in six countries found that 90 percent believe it is important for smart devices to have security built in. Are device makers listening?

Newsweek reported:

"Lovense did not immediately respond to a request for comment from Newsweek but the sex toy company has spoken previously about the security of its products. "There are three layers of security," Lovense said in a statement last year. "The server side, the way we transfer information from the user’s phone to our server and on the client side. We take our customer’s private data very seriously, which is why we don’t serve any on our servers." "

I have nothing against sex toys. Use one or not. I don't care. My concern: supposedly smart devices should have robust security to protect consumers' privacy.

Smart shoppers want persons they authorize -- and not unknown hackers -- to remotely control their vibrators. Thoughts? Comments?


'Map Your Orgasm' - A New Smart Device For Women

Recently, Mashable reported about a new smart device for women:

"The Lioness looks like a pretty standard vibrator on the outside, but inside it has four sensors that measure temperature, the force of muscle contractions, and track the movement of the device. When you’re done with your session, you can sync the Lioness with its app (available for iOS and Android). It then provides you with easy-to-read visualization of what was happening to your body while you were busy getting off. So, yes, essentially it gives you a map of your orgasm. You can also tag each session with different terms so you can track how your health, sleep, alcohol consumption, mood, etc. affect your experiences."

Gives you a map of your orgasm? That's a surprising description. Perhaps, I shouldn't have been surprised. First, there were online tools such as "map my ride" and map my run." Good stuff to help consumers stay healthy. I guess a tool resembling 'map your orgasm' was bound to happen.

Lioness sounds like a much better product name. To learn more, I visited the Lioness site. The home page featured this statement: "Don't worry, we will never share your email or spam you." That's a good start.

Privacy is important; especially with smart devices which collect intimate data about consumers. Earlier this year, news reports described a plan by a smart-device maker to resell the interior home maps its robovacs created. And, another smart vibrator maker paid hefty fines to settle allegations that it tracked users without their knowledge nor consent.

A wise person once said, "the devil is in the details." The privacy policy in a company's website is a good place to hunt for details. While blogging about privacy and identity theft during the last 10 years, I've read plenty of privacy policies. Plenty. I read the Lioness Privacy Policy (dated May 1) and found some notable sections:

"This Privacy Policy applies to our vibrators and other devices (“Devices”), our websites, including but not limited to lioness.io (individually a “Site” and collectively “Sites”), the Lioness software (“Software”) and Lioness mobile applications (the “Apps”). The Devices, Sites, Software and Apps are collectively referred to in this Policy as the “Lioness Service,” and by proceeding to use the Lioness Service you consent that we may handle the data that we collect from you in accordance with this Privacy Policy."

Pretty standard stuff so far. Warning: I'm not an attorney. If you want legal advice, hire an attorney. Like you, I'm just a regular consumer trying to understand smart devices while maintaining as much privacy as possible. Additional sections in the policy I found interesting:

"Sync Your Device
When you sync your Device through an App or the Software, data recorded on your Device is transferred from your Device to our servers. This data is stored and used to provide the Lioness Service and is associated with your account. Each time a sync occurs, we log data about the transmission. Some examples of the log data are the sync time and date, device battery level, and the IP address used when syncing."

Let's unpack that. The vibrator and its mobile app, record the date, time, and battery usage. Combine this with data collected from the four sensors and Lioness will know plenty about your usage: when (date and time), location, duration, preferred movement patterns, and more. It indeed could create a map. More sections in the policy:

"WHY WE COLLECT DATA
Lioness uses your data to provide you with the best experience possible, to help you learn about your body, and to improve and protect the Lioness Service. Here are some examples: i) Contact information is used to send you notifications and to inform you about new features or products... ii) Data and logs are used in research to understand and improve the Lioness Device and Lioness Service; to troubleshoot the Lioness Service; to detect and protect against error, fraud or other criminal activity; and to enforce the Lioness Terms of Service; iii) Aggregate data that does not identify you may be used to inform the health community about trends; for marketing and promotional use..."

Data That Could Identify You
Personally Identifiable Information (PII) is data that includes a personal identifier like your name, email or address, or data that could reasonably be linked back to you."

Hmmm. The policy does not list all data elements that personally identify you. For me, that's important to know. And, anything recorded on a smartphone can easily be linked to a person using her 10-digit phone number or the mobile device's serial number.

Informed shoppers probably want to know before purchase which other companies (e.g., business partners, affiliates, advertisers, etc.) Lioness shares data with. Its May 1, 2017 privacy policy also states:

"... companies that are contractually engaged in providing Lioness with services, such as order fulfillment, email management and credit card processing. These companies are obligated by contract to safeguard any PII they receive from us..."

"THIRD PARTIES
Lioness will not be responsible for the practices of third parties that Lioness does not own or control or individuals that Lioness does not employ or manage. The information provided by you to other third parties may be subject to their own privacy policies, which may differ from Lioness’s privacy policy. The Lioness Service may contain links to other sites, and we make every effort to only link to sites that share our high standards and respect for privacy. However, we are not responsible for the privacy practices employed by other sites..."

"DATA RETENTION
Lioness reserves the right to retain your PII for as long as your account remains active..."

So, the policy doesn't mention other companies by name. Not good. That makes it tough for consumers to make informed decisions.

Fitness tracking with the MapMyRide app On Facebook, many of my friends regularly share visual maps of their workouts. (See example on right.) That's their freedom of choice. So, some consumers are probably wondering if Lioness offers a similar share function. Again from the privacy policy:

"Community Posts
The Lioness Service may offer discussion forums, message boards, social networking opportunities, chat pages and other public forums or features in which you may provide personal information, materials and related content. If you submit personal information when using these public features, please note that such personal information may be publicly posted and otherwise disclosed and used without limitation or restriction."

So, the policy doesn't mention literal maps, per se. They might or might not provide the feature to users. The key takeaway: the responsibility rests upon the user. Don't share it if you don't want it made public.

It's probably helpful to also know that the product uses Bluetooth technology to perform data syncing. From the Lioness FAQ page:

"Wait...will there be bluetooth in my vagina?
Nope. We know that there are a lot of people who don’t like the idea of bluetooth being on while in use, so we made it so bluetooth automatically turns off when you use it."

Also, the FAQ page mentioned:

"Is my data stored securely and kept confidential?
Absolutely. We thought about privacy and security from the beginning for this product. You are the only one who can access your individual data. Everything is encrypted and we fully anonymize the data..."

That's good, but the privacy policy didn't mention data encryption. I expected it would. Not sure what to make of that.

Is the Lioness a good deal? Only you can decide for yourself -- and you should after reading both the privacy and terms-of-service policies.

Me? In my opinion, there seems to be too much wiggle-room for data sharing. The policy contains a lot of words and nothing special compared to other policies I've read. What are your opinions?