
President Trump Signed Legislation Revoking FCC's Broadband Privacy Rules. Lots Of Consequences

Late yesterday, President Trump signed legislation revoking broadband privacy rules adopted by the Federal Communications Commission (FCC). The rules would have kept consumers in control of their information online. Instead, internet service providers (ISPs) are free to collect, archive, and share information about consumers' online activities (far more than browsing histories) at will, without notice or consent.

The legislation narrowly passed both the Senate (50 - 48) and the House (210 - 205). Proponents claimed the FCC rules duplicated existing regulation. Representative Marsha Blackburn (R-Tenn.), who introduced the legislation in the House, had plenty to say recently, according to Breitbart News:

"What we are doing is recalling a privacy rule that the FCC issued right at the end of the Obama administration, and the reason we are doing this is because it is additional and duplicative regulation... What the FCC did was clearly overreach. It gives you two sets of regulators that you’re trying to comply with, not one. So we are recalling the FCC’s rule, and that authority will go back to the FTC...”

"What the Obama administration did... they reclassified your Internet service as Title II, which is a common carrier classification. It is the rule that governs telephone usage... Those rules were put on the books in the thirties. So what the Democrats did... they reclassified Internet, which is an information service, as a telephone service, and then put those 1930s-era rules on top of your Internet service... They did that so they could tax it, so they could begin to regulate it..."

"You don’t need another layer of regulation. It’s like flashing alerts: We don’t need net neutrality. We don’t need Title II. We don’t need additional regulations heaped on the Internet under Title II. The Internet is not broken. It has done just fine without the government controlling it."

Not broken? Tim Berners-Lee, the founder of the internet, gave three solid reasons why the internet is broken. His number one reason: consumers have lost control over their personal information.

And Representative Blackburn either doesn't know history or has chosen to ignore it. Several problems have plagued the industry: a lack of ISP competition in key markets, higher prices and slower broadband speeds for consumers in the United States compared to other countries, and numerous privacy violations and lawsuits:

Clearly, the FCC had to act. It did: it held hearings and then finalized improved broadband privacy rules to help consumers. Now Congress and the President have undone all of that.

There are plenty of consequences. To regain some of the online privacy lost due to the new legislation, many consumers have considered Virtual Private Networks (VPNs) and other online tools to prevent ISPs from spying on them. VPNs are not a cure-all: ISPs can still block or throttle consumers' VPN connections, and VPNs won't protect e-mail or internet-of-things devices installed in homes.

Basically, there is no substitute for consumers being in control of their online privacy with transparent notice by ISPs. The impact upon consumers: less online privacy and higher internet prices. Consumers are forced to spend more money on VPN and other tools.

Blackburn and others claimed that the U.S. Federal Trade Commission (FTC) should regulate ISPs. Regulation by the FTC is not a slam-dunk. AdAge reported:

"If the FTC does regain its oversight, the result is likely to be weaker privacy protections than what the FCC intended with its rules, as well as a relatively clear path for telcos to pursue their data-revenue-generating goals... One legal peak to climb: precedent set by a U.S district court ruling siding with AT&T against the FTC last year which carved out an exemption for companies that provide bundled phone and ISP services which effectively protected AT&T from FTC regulations protecting consumers from unfair or deceptive practices.

Even if the FTC eventually garners ISP jurisdiction, argued [Gigi Sohn, a senior counselor to former FCC Chairman Tom Wheeler], 'it will lead to some privacy protection but much weaker than what people just lost.' She pointed to FTC Chairman Ohlhausen's high bar for showing harm against consumers before actions against companies are taken, noting, 'She wants to see harm first. Well, rules protect you before you're harmed.'"

Despite the claims by Blackburn and others, the bottom line is:

"... what we're left with is a period of uncertainty where the carriers may do certain things but it's unclear. Does the FCC have jurisdiction or does the FTC have jurisdiction?"

The Los Angeles Times reported:

"The FTC is empowered to bring lawsuits against companies that violate its privacy guidelines, but it has no authority to create new rules for industry. It also cannot enforce its own guidelines against Internet providers because of a government rule that places those types of companies squarely within the jurisdiction of the FCC and out of the reach of the FTC. As a result, Internet providers exist in a "policy gap" in which the only privacy regulators for the industry operate at the state, not federal, level, analysts say."

Ambiguity. Lack of clarity. Policy gap. None of those are good for business, or for consumers.

Read more about President Trump's signing of the legislation at C/Net and Reuters.


Tools For Consumers To Regain Some Online Privacy. Higher Internet Prices Likely

Now that the Republican-led Congress and President Trump have dismantled broadband privacy rules, internet service providers (ISPs) are free to collect, archive, and share consumers' complete online activities (far more than browsing histories) at will and without disclosure, to maximize their profits. Just about all of your online activities are harvested by ISPs, not just your browsing histories. Readers of this blog may remember the Deep Packet Inspection software some ISPs installed on their servers to track their customers' online usage without notice or consent.

To combat this, many consumers seek technical solutions, such as a virtual private network (VPN), to maintain as much privacy online as possible. Consumers will need to locate VPNs and other tools that run on several devices (e.g., phones, tablets, laptops, desktops) and browsers (e.g., Firefox, Opera). Resources about several tools, including VPNs:

Reviews and comparisons about VPN providers:

Some recommended, paid VPNs run on several platforms including Apple brand devices: F-Secure Freedome, Private Internet Access, and SurfEasy. Some VPNs offer a lower monthly price for a longer contract term. Look for pricing that covers multiple devices.

All of the above resources contain links to specific VPN brands. Experts recommend that consumers shop around for a paid VPN, since many of the free VPNs collect and resell consumers' information to make money. Some VPN providers offer phone customer service and support. This may be especially helpful for inexperienced users.

If a (free or paid) VPN saves usage logs of its customers' online activity and shares those logs with others (e.g., advertisers, affiliates, marketing partners, law enforcement, etc.), then that totally defeats the purpose of using a VPN service for privacy. So wise consumers shop around, read the terms of service, and read the privacy policy before signing up for a VPN.

Just like anti-virus software, several VPNs running on the same device can cause problems. So, you'll need to spend time sorting that out, too.

Sadly, VPNs are not a cure-all. Your ISP can still block or throttle your connection. Basically, there is no substitute for consumers being in control of their online privacy with transparent notice by ISPs. And VPNs won't protect internet-of-things devices (e.g., appliances, refrigerators, thermostats, security systems, televisions) connected to the WiFi router in your home. Tech Dirt reported:

"VPN clients are typically for desktop machines and, in some cases, mobile devices such as phones and tablets. As previously discussed, IoT devices in homes will continue to generate more traffic. Most such devices do not support VPN software. While it is conceivable that a user could set up an encrypted VPN tunnel from the home router and route all home traffic through a VPN, typical home gateways don’t easily support this functionality at this point, and configuring such a setup would be cumbersome for the typical user."

Note: VPN services don't protect e-mail. ISPs use a different set of servers for e-mail (e.g., SMTP, SMTPS) than for web browsing (e.g., HTTP, HTTPS). You might consider a secure e-mail service like ProtonMail. You might find this review of ProtonMail helpful.

Do you use Gmail? Remember Google scans both inbound and outbound e-mail messages supposedly to serve up relevant ads. While a certain amount of message scanning is appropriate to identify spam and malware, last month a federal court judge rejected a proposed settlement offer with non-Gmail users who had filed a class-action lawsuit because their e-mail messages had been scanned by Google (and they couldn't opt out of the scanning).

So, internet costs for consumers are going up, thanks to privacy-busting legislation passed by a Republican-led Congress. Consumers will pay more, perhaps an additional $50 - $80 yearly for VPN services, on top of already high monthly internet prices -- with only a marginal increase in privacy, not the better, more complete solution consumers would have received with the FCC broadband privacy rules. Add in the value of your time spent shopping around for VPN and privacy tools, and the price increase is even greater.

Plus, monthly internet costs for consumers could go far higher if ISPs charge for online privacy. Is that possible you ask? Yep. Comcast and industry lobbyists have already stated that they want "pay-for-privacy" schemes. Congress seems happy to oblige corporate ISPs and stick it to consumers.

Petition to keep FCC broadband privacy rules and nullify Senate Joint Resolution 34

Mad about all of this? You probably are, too. I am. Be sure to tell your Senators and House representatives who voted to revoke FCC online privacy rules. Tell them you dislike the higher prices you're forced to pay to maintain privacy online.

Do any VPN providers act as fronts for government intelligence and spy agencies? I do not have the resources to determine this. Perhaps, some enterprising white-hat users can shed some light on this.

What online privacy resources have you found?


Maker Of Smart Vibrators To Pay $3.75 Million To Settle Privacy Lawsuit

Today's smart homes contain a variety of internet-connected appliances -- televisions, utility meters, hot water heaters, thermostats, refrigerators, security systems -- and devices you might not expect to have WiFi connections: mouse traps, wine bottles, crock pots, toy dolls, and trash/recycle bins. Add smart vibrators to the list.

We-Vibe, a maker of vibrators for better sex, will pay U.S. $3.75 million to settle a class action lawsuit involving allegations that the company tracked users without their knowledge or consent. The Guardian reported:

"Following a class-action lawsuit in an Illinois federal court, We-Vibe’s parent company Standard Innovation has been ordered to pay a total of C$4m to owners, with those who used the vibrators associated app entitled to the full amount each. Those who simply bought the vibrator can claim up to $199... the app came with a number of security and privacy vulnerabilities... The app that controls the vibrator is barely secured, allowing anyone within bluetooth range to seize control of the device. In addition, data is collected and sent back to Standard Innovation, letting the company know about the temperature of the device and the vibration intensity – which, combined, reveal intimate information about the user’s sexual habits..."

We-Vibe's products are available online at the Canadian company's online store and at Amazon. This YouTube video (warning: not safe for work) promotes the company's devices. Consumers can use the smart vibrator with or without the mobile app on their smartphones. The app is available at both the Apple iTunes and Google Play online stores.

As with any other digital device, security matters. C/Net reported last summer:

"... two security researchers who go by the names followr and g0ldfisk found flaws in the software that controls the [We-Vibe 4Plus] device. It could potentially let a hacker take over the vibrator while it's in use. But that's -- at this point -- only theoretical. What the researchers found more concerning was the device's use of personal data. Standard Innovation collects information on the temperature of the device and the intensity at which it's vibrating, in real time, the researchers found..."

In the September 2016 complaint (Adobe PDF; 601 K bytes), the plaintiffs sought to stop Standard Innovation from "monitoring, collecting, and transmitting consumers’ usage information," to collect damages for the alleged unauthorized data collection and privacy violations, and to reimburse users for their purchases of We-Vibe devices (because a personal vibrator with this alleged data collection is worth less than one without it). That complaint alleged:

"Unbeknownst to its customers, however, Defendant designed We-Connect to (i) collect and record highly intimate and sensitive data regarding consumers’ personal We-Vibe use, including the date and time of each use and the selected vibration settings, and (ii) transmit such usage data — along with the user’s personal email address — to its servers in Canada... By design, the defining feature of the We-Vibe device is the ability to remotely control it through We-Connect. Defendant requires customers to use We-Connect to fully access the We-Vibe’s features and functions. Yet, Defendant fails to notify or warn customers that We-Connect monitors and records, in real time, how they use the device. Nor does Defendant disclose that it transmits the collected private usage information to its servers in Canada... Defendant programmed We-Connect to secretly collect intimate details about its customers’ use of the We-Vibe, including the date and time of each use, the vibration intensity level selected by the user, the vibration mode or patterns selected by the user, and incredibly, the email address of We-Vibe customers who had registered with the App, allowing Defendant to link the usage information to specific customer accounts... In addition, Defendant designed We-Connect to surreptitiously route information from the “connect lover” feature to its servers. For instance, when partners use the “connect lover” feature and one takes remote control of the We-Vibe device or sends a [text or video chat] communication, We-Connect causes all of the information to be routed to its servers, and then collects, at a minimum, certain information about the We-Vibe, including its temperature and battery life. That is, despite promising to create “a secure connection between your smartphones,” Defendant causes all communications to be routed through its servers..."

The We-Vibe Nova product page lists ten different vibration modes (e.g., Crest, Pulse, Wave, Echo, Cha-cha-cha, etc.), or users can create their own custom modes. The settlement agreement defined two groups of affected consumers:

"... the proposed Purchaser Class, consisting of: all individuals in the United States who purchased a Bluetooth-enabled We-Vibe Brand Product before September 26, 2016. As provided in the Settlement Agreement, “We-Vibe Brand Product” means the “We-Vibe® Classic; We-Vibe® 4 Plus; We-Vibe® 4 Plus App Only; Rave by We-Vibe™ and Nova by We-Vibe™... the proposed App Class, consisting of: all individuals in the United States who downloaded the We-Connect application and used it to control a We-Vibe Brand Product before September 26, 2016."

According to the settlement agreement, affected users will be notified by e-mail, with notices in the We-Connect mobile app, a settlement website (to be created), a "one-time half of a page summary publication notice in People Magazine and Sports Illustrated," and online advertisements on several websites such as Google, YouTube, Facebook, Instagram, Twitter, and Pinterest. The settlement site will likely provide additional information, including any deadlines and additional notices.

We-Vibe announced in its blog on October 3, 2016 several security improvements:

"... we updated the We-Connect™ app and our app privacy notice. That update includes: a) Enhanced communication regarding our privacy practices and data collection – in both the onboarding process and in the app settings; b) No registration or account creation. Customers do not provide their name, email or phone number or other identifying information to use We-Connect; c) An option for customers to opt-out of sharing anonymous app usage data is available in the We-Connect settings; d) A new plain language Privacy Notice outlines how we collect and use data for the app to function and to improve We-Vibe products."

I briefly reviewed the We-Connect App Privacy Policy (dated September 26, 2016) linked from the Google Play store. When buying digital products online, often the privacy policy for the mobile app is different than the privacy policy for the website. (Informed shoppers read both.) Some key sections from the app privacy policy:

"Collection And Use of Information: You can use We-Vibe products without the We-Connect app. No information related to your use of We-Vibe products is collected from you if you don’t install and use the app."

I don't have access to the prior version of the privacy policy. That last sentence seems clear and should be a huge warning to prospective users about the data collection. More from the policy:

"We collect and use information for the purposes identified below... To access and use certain We-Vibe product features, the We-Connect app must be installed on an iOS or Android enabled device and paired with a We-Vibe product. We do not ask you to provide your name, address or other personally identifying information as part of the We-Connect app installation process or otherwise... The first time you launch the We-Connect app, our servers will provide you with an anonymous token. The We-Connect app will use this anonymous token to facilitate connections and share control of your We-Vibe with your partner using the Connect Lover feature... certain limited data is required for the We-Connect app to function on your device. This data is collected in a way that does not personally identify individual We-Connect app users. This data includes the type of device hardware and operating system, unique device identifier, IP address, language settings, and the date and time the We-Connect app accesses our servers. We also collect certain information to facilitate the exchange of messages between you and your partner, and to enable you to adjust vibration controls. This data is also collected in a way that does not personally identify individual We-Connect app users."

In a way that does not personally identify individuals? What way? Is that the "anonymous token" or something else? More clarity seems necessary.

Consumers should read the app privacy policy and judge for themselves. Me? I am skeptical. Why? The "unique device identifier" can be used exactly for that... to identify a specific phone. The IP address associated with each mobile device can also be used to identify specific persons. Match either number to the user's 10-digit phone number (readily available on phones), and it seems that one can easily re-assemble anonymously collected data afterwards to make it user-specific.

And since partner(s) can remotely control a user's We-Vibe device, their information is collected, too. Persons with multiple partners (and/or multiple We-Vibe devices) should thoroughly consider the implications.

The About Us page in the We-Vibe site contains this company description:

"We-Vibe designs and manufactures world-leading couples and solo vibrators. Our world-class engineers and industrial designers work closely with sexual wellness experts, doctors and consumers to design and develop intimate products that work in sync with the human body. We use state-of-the-art techniques and tools to make sure our products set new industry standards for ergonomic design and high performance while remaining eco‑friendly and body-safe."

Hmmmm. No mentions of privacy nor security. Hopefully, a future About Us page revision will mention privacy and security. Hopefully, no government officials use these or other branded smart sex toys. This is exactly the type of data collection spies will use to embarrass and/or blackmail targets.

The settlement is a reminder that companies are willing, eager, and happy to exploit consumers' failure to read privacy policies. A study last year found that 74 percent of consumers surveyed never read privacy policies.

All of this should be a reminder to consumers that companies highly value the information they collect about their users, and generate additional revenue streams by selling information collected to corporate affiliates, advertisers, marketing partners, and/or data brokers. Consumers' smartphones are central to that data collection.

What are your opinions of the We-Vibe settlement? Of its products and security?


Smart Mouse Traps: A Good Deal For Consumers?

Rentokil, a pest control company, has introduced ResiConnect, an internet-connected mouse trap, in the United Kingdom for consumers wanting the latest WiFi technology. A Rentokil representative explained to the Register UK newspaper:

“This is a trap that’s connected to the internet, essentially. Whereas there are other standard traps on the market that just catch and kill the mouse, that mouse can be caught in that trap for several weeks or several months. What this does is sends us a signal to notify us the trap has been activated, which allows us to respond... What this allows us to do is catch, kill and contain the mouse... and provide the best solution to the customer as well.”

Reportedly, the device sells for about £1,300, or about U.S. $1,300. Last summer, Rentokil Initial Plc announced a partnership with Google and PA Consulting Group (PA) to deploy globally the company's:

"... innovative digital pest control products and, in the future, to the development of ‘next generation’ services to offer customers new levels of proactive risk management against the threat of pest infestation... Rentokil has developed and begun to roll out its range of connected rodent control products particularly to customers in the tightly regulated food and pharmaceutical industries. In the field today, Rentokil has over 20,000 digital devices running in 12 countries which have now sent more than 3 million pieces of data.

The new digital pest control services use connected rodent devices with embedded sensors and mobile connectivity. The units communicate with Rentokil’s online ‘Command Centre’ and when they've caught a rodent, the technician is automatically alerted while customers are kept informed through myRentokil, the industry’s leading online portal... Built on Google’s Cloud Platform, and delivered by PA using Agile techniques, this technology is highly scalable and is now ready to be deployed more widely to existing and new customers from Q4 2016 and to other parts of the company..."

It seems that Rentokil is making available to consumers smart traps similar to those already deployed in the commercial market, such as fast food restaurants with multiple locations. Rentokil sells in the United States a device that uses radar to detect and capture mice. This raises the question: do consumers really need a smart mouse trap?

I have direct experience with mice. The building where I live contains condominiums, and I have the responsibility to pay the condo association's monthly bills (e.g., water, insurance, and electricity), plus hire vendors and contractors, as needed, for repairs and maintenance. That includes pest control companies. Last week, our pest-control vendor deployed bait traps (e.g., poison and glue strips) in all units, plus the basement (with utilities and storage areas).

Obviously, owners of retail stores with multiple locations (e.g., fast food restaurants) would benefit from smart mouse traps. It seems cost-prohibitive to send (and pay for) technicians to visit each store and check multiple traps, while only selective traps would have caught rodents.

First, the benefit for residential customers seems marginal. An internet-connected mouse trap might appeal to squeamish consumers who are afraid or unsure what to do, but it's hard to beat the convenience and low cost of a phone call. For our condo association, it was easy to know when a trap had caught a mouse. You heard the squeaking.

For us, the rodent removal process was easy. After a quick phone call the evening the mouse was caught, a pest-control technician arrived the next morning. The company sent a technician that was already in the area for nearby service calls. The technician removed the mouse stuck on a glue strip, checked, and re-baited several traps. That visit was included in the price we paid, and the phone call cost was negligible.

Second, the price seems expensive. The $1,600 price for a smart mouse trap equals about three years of what our condo association pays for pest control services.

Reliability and trust with smart devices are critical for consumers. A recent global study found that 44 percent of consumers are concerned about financial information theft via smart home devices, and 37 percent are concerned about identity theft.

Informed shoppers know that not all smart devices are built equally. Some have poor security features or lack software upgrades. These vulnerabilities create opportunities for bad guys to hack and infect consumers' home WiFi networks with malware to steal passwords and money, create spam, and use infected devices as part of DDoS attacks targeting businesses. (Yes, even the hosting service for this blog was targeted.) So, it is wise to understand any smart trap's software and security features before purchase.

What do you think? Are smart mouse traps worthwhile?


FCC Announced Approval of LTE-U Mobile Devices

On Wednesday, the Office of Engineering and Technology (OET) within the U.S. Federal Communications Commission (FCC) announced the authorization of LTE-Unlicensed (LTE-U) devices to operate in the 5 GHz band:

"This action follows a collaborative industry process to ensure LTE-U with Wi-Fi and other unlicensed devices operating in the 5 GHz band. The Commission’s provisions for unlicensed devices are designed to prevent harmful interference to radio communications services and stipulate that these devices must accept any harmful interference they receive. Industry has developed various standards within the framework of these rules such as Wi-Fi, Bluetooth and Zigbee that are designed to coexist in shared spectrum. These and other unlicensed technologies have been deployed extensively and are used by consumers and industry for a wide variety of applications.

LTE-U is a specification that was developed and supported by a group of companies within the LTE-U Forum... The LTE-U devices that were certified today have been tested to show they meet all of the FCC’s rules. We understand that the LTE-U devices were evaluated successfully under the co-existence test plan. However, this is not an FCC requirement and similar to conformity testing for private sector standards the co-existence test results are not included in the FCC’s equipment certification records."

ComputerWorld explained in 2015 the strain on existing wireless capabilities and why several technology companies pursued the technology:

"According to the wireless providers and Qualcomm, the technology will make use of the existing unlicensed spectrum most commonly used for Wi-Fi. LTE-U is designed to deliver a similar capability as Wi-Fi, namely short-range connectivity to mobile devices.

As billions of mobile devices and Web video continue to strain wireless networks and existing spectrum allocations, the mobile ecosphere is looking for good sources of spectrum. The crunch is significant, and tangible solutions take a long time to develop... as former FCC Chairman Julius Genachowski and FCC Commissioner Robert McDowell recently remarked, “mobile data traffic in the U.S. will grow sevenfold between 2014 and 2019” while “wearable and connected devices in the U.S. will double” in that same period."

Some cable companies, such as Comcast, opposed LTE-U based upon concerns about the technology conflicting with existing home WiFi. According to Computerworld:

"In real-world tests so far, LTE-U delivers better performance than Wi-Fi, doesn’t degrade nearby Wi-Fi performance and may in fact improve the performance of nearby Wi-Fi networks."

Reportedly, in August 2016 Verizon viewed the testing as "fundamentally unfair and biased." Ajit Pai, the new FCC Chairman, said in a statement on Wednesday:

"LTE-U allows wireless providers to deliver mobile data traffic using unlicensed spectrum while sharing the road, so to speak, with Wi-Fi. The excellent staff of the FCC’s Office of Engineering and Technology has certified that the LTE-U devices being approved today are in compliance with FCC rules. And voluntary industry testing has demonstrated that both these devices and Wi-Fi operations can co-exist in the 5 GHz band. This heralds a technical breakthrough in the many shared uses of this spectrum.

This is a great deal for wireless consumers, too. It means they get to enjoy the best of both worlds: a more robust, seamless experience when their devices are using cellular networks and the continued enjoyment of Wi-Fi, one of the most creative uses of spectrum in history..."


Your Smart TV Is A Blabbermouth. How To Stop Its Spying On You

Internet-connected televisions, often referred to as "smart TVs," collect a wide variety of information about consumers. The devices track the videos you watch from several sources: cable, broadband, set-top box, DVD player, over-the-air broadcasts, and streaming devices. They also collect demographic details such as sex, age, income, marital status, household size, education level, home ownership, and household value. The TV makers sell this information to third parties, such as advertisers and data brokers.

Some people might call this "surveillance capitalism."

Reliability and trust with smart devices are critical for consumers. Earlier this month, Vizio agreed to pay $2.2 million to settle privacy abuse charges by the U.S. Federal Trade Commission (FTC).

What's a consumer to do to protect their privacy? This C/Net article provides good step-by-step instructions to turn off or to minimize the tracking by your smart television. The instructions include several smart TV brands: Samsung, Vizio, LG, Sony, and others. Sample instructions for one brand:

"Samsung: On 2016 TVs, click the remote's Home button, go to Settings (gear icon), scroll down to Support, then down to Terms & Policy. Under "Interest Based Advertisement" click "Disable Interactive Services." Under "Viewing Information Services" unclick "I agree." And under "Voice Recognition Services" click "Disable advanced features of the Voice Recognition services." If you want you can also disagree with the other two, Nuance Voice Recognition and Online Remote Management.

On older Samsung TVs, hit the remote's Menu button (on 2015 models only, then select Menu from the top row of icons), scroll down to Smart Hub, then select Terms & Policy. Disable "SynchPlus and Marketing." You can also disagree with any of the other policies listed there, and if your TV has them, disable the voice recognition and disagree with the Nuance privacy notice described above."

Browse the step-by-step instructions for your brand of television. If you disabled the tracking features on your smart TV, how did it go? If you used a different resource to learn about your smart TV's tracking features, please share it below.


EU Privacy Watchdogs Ask Microsoft For Explanations About Data Collection About Users

A privacy watchdog group in the European Union (EU) is concerned about privacy and data collection practices by Microsoft. The group, comprising 28 agencies and referred to as the Article 29 Working Party, sent a letter to Microsoft asking for explanations about privacy concerns with the software company's Windows 10 operating system software.

The February 2017 letter to Brendon Lynch, Chief Privacy Officer, and to Satya Nadella, Chief Executive Officer, was a follow-up to a prior letter sent in January. The February letter explained:

"Following the launch of Windows 10, a new version of the Windows operating system, a number of concerns have been raised, in the media and in signals from concerned citizens to the data protection authorities, regarding protection of your users’ personal data... the Working Party expressed significant concerns about the default installation settings and an apparent lack of control for a user to prevent collection or further processing of data, as well as concerns about the scope of data that are being collected and further processed... "

While Microsoft has been cooperative so far, the group's letter set out its specific privacy concerns:

"... user consent can only be valid if fully informed, freely given and specific. Whilst it is clear that the proposed new express installation screen will present users with five options to limit or switch off certain kinds of data processing it is not clear to what extent both new and existing users will be informed about the specific data that are being collected and processed under each of the functionalities. The proposed new explanation when, for example, a user switches the level of telemetry data from 'full' to 'basic' that Microsoft will collect 'less data' is insufficient without further explanation. Such information currently is also not available in the current version of the privacy policy.

Additionally, the purposes for which Microsoft collects personal data have to be specified, explicit and legitimate, and the data may not be further processed in a way incompatible with those purposes. Microsoft processes data collected through Windows 10 for different purposes, including personalised advertising. Microsoft should clearly explain what kinds of personal data are processed for what purposes. Without such information, consent cannot be informed, and therefore, not valid..."

Visit this EU link for more information about the Article 29 Working Party, or download the Article 29 Working Party letter to Microsoft (Adobe PDF).


Are Smart Television Makers Gaming The Energy-Efficiency Tests?

After yesterday's blog post about the settlement agreement by VIZIO with the U.S. Federal Trade Commission (FTC) and the New Jersey Attorney General, a reader mentioned an Economist article about smart televisions. It seems there is an ongoing investigation into whether or not manufacturers misrepresented the energy-efficiency test results of their televisions, similar to the Volkswagen emissions scandal.

The Economist reported:

"South Korea’s Samsung and LG, along with Vizio, a Californian firm, stand accused of misrepresenting the energy efficiency of large-screen sets. Together, they sell over half of all TVs in America. In September 2016 the Natural Resources Defense Council (NRDC), an environmental group, published research on the energy consumption of TVs, showing that those made by Samsung, LG and Vizio performed far better during short government tests than they did the rest of the time. Some TVs consumed double the amount of energy suggested by manufacturers’ marketing bumpf. America’s Department of Energy (DoE) has also conducted tests of its own that have turned up big inconsistencies.

Not all TV-makers are at fault: the NRDC found no difference in energy-consumption levels for TVs made by Sony and Philips. But class-action lawsuits have already been filed against the three companies highlighted by the tests—the latest was lodged against Samsung in New York on January 30th. The industry is now waiting to see whether regulators will take action... Televisions made by Samsung and LG (but not Vizio) appear to recognize the test clip that the American government uses to rate energy consumption and to advise consumers on how much it will cost to operate the set over a whole year. The DoE’s ten-minute test clip has a lot of motion and scene changes in short succession, with each clip lasting only 2.3 seconds before flashing to a new one (most TV content is made up of scenes that last more than double that length). During these tests the TVs’ backlight dims, resulting in substantial energy savings. For the rest of the time, during typical viewing conditions, the backlight stays bright..."

If true, then the new televisions many consumers bought may cost them considerably more in electricity. The September 2016 NRDC press release:

"There are flaws in the government’s method for testing the energy use of televisions and three major TV manufacturers representing half of the U.S. market appear to be exploiting them, which could cost owners of recently purchased models an extra $1.2 billion on their utility bills... The global standard video clip on which the DOE test method is based is eight years old and needs a major overhaul. DOE should update its test method with more realistic video content... It appears that some major manufacturers have modified their TV designs to get strong energy-use marks during government testing but they may not perform as well in consumers’ homes. These ‘under the hood’ changes dramatically increase a TV’s energy use and environmental impact, usually without the user’s knowledge. While this may not be illegal, it smacks of bad-faith conduct that falls outside the intent of the government test method designed to accurately measure TV energy use..."

The consequences and impacts go far beyond possible bad-faith conduct:

"The latest version of ultra high-definition (UHD) TVs used approximately 30 to 50 percent more energy when playing content produced with High Dynamic Range (HDR) than conventional UHD content... With millions of televisions purchased annually across America, all of this extra energy use has a major impact on national energy consumption, consumer utility bills, and the environment..."

You can learn more about the DoE test procedures here. What are your opinions of this?


VIZIO To Pay $2.2 Million To Settle Privacy Charges About Its Smart TVs

Today's blog post highlights how easy it is for manufacturers to make and sell smart-home devices that spy on consumers without notice or consent. VIZIO, Inc., one of the largest makers of smart televisions, agreed to pay $2.2 million to settle privacy abuse charges by the U.S. Federal Trade Commission (FTC) and the State of New Jersey Attorney General. The FTC announcement explained:

"... starting in February 2014, VIZIO, Inc. and an affiliated company have manufactured VIZIO smart TVs that capture second-by-second information about video displayed on the smart TV, including video from consumer cable, broadband, set-top box, DVD, over-the-air broadcasts, and streaming devices. In addition, VIZIO facilitated appending specific demographic information to the viewing data, such as sex, age, income, marital status, household size, education level, home ownership, and household value... VIZIO sold this information to third parties, who used it for various purposes, including targeting advertising to consumers across devices... VIZIO touted its “Smart Interactivity” feature that “enables program offers and suggestions” but failed to inform consumers that the settings also enabled the collection of consumers’ viewing data. The complaint alleges that VIZIO’s data tracking—which occurred without viewers’ informed consent—was unfair and deceptive, in violation of the FTC Act and New Jersey consumer protection laws."

The FTC complaint (Adobe PDF) named as defendants VIZIO, Inc. and VIZIO Inscape Services, LLC, its wholly-owned subsidiary. VIZIO has designed and sold televisions in the United States since 2002, and has sold more than 11 million Internet-connected televisions since 2010. The complaint also mentioned:

"... the successor entity to Cognitive Media Services, Inc., which developed proprietary automated content recognition (“ACR”) software to detect the content on internet-connected televisions and monitors."

This merits emphasis: consumers who think they can watch DVD or locally recorded content in the privacy of their home without advertisers knowing it really can't, because the ACR software can easily identify, archive, and transmit it. The complaint also explained:

"Through the ACR software, VIZIO’s televisions transmit information about what a consumer is watching on a second-by-second basis. Defendants’ ACR software captures information about a selection of pixels on the screen and sends that data to VIZIO servers, where it is uniquely matched to a database of publicly available television, movie, and commercial content. Defendants collect viewing data from cable or broadband service providers, set-top boxes, external streaming devices, DVD players, and over-the-air broadcasts... the ACR software captures up to 100 billion data points each day from more than 10 million VIZIO televisions. Defendants store this data indefinitely. Defendants’ ACR software also periodically collects other information about the television, including IP address, wired and wireless MAC addresses, WiFi signal strength, nearby WiFi access points, and other items."

That's impressive. The ACR software enabled VIZIO to know and collect information about other devices (e.g., computers, tablets, phones, printers) connected to your home WiFi network. Then, besides the money consumers paid for their VIZIO smart TVs, the company also made money by reselling the information it collected to third parties... probably data brokers and advertisers. You'd think that the company might lower the price of its smart TVs given that additional revenue stream, but I guess not.

Now, here is where VIZIO created problems for itself:

"Consumers that purchased new VIZIO televisions beginning in August 2014, with ACR tracking preinstalled and enabled by default, received no onscreen notice of the collection of viewing data. For televisions that were updated in February 2014 to install default ACR tracking after purchase, an initial pop-up notification appeared on the screen that said: "The VIZIO Privacy Policy has changed. Smart Interactivity has been enabled on your TV, but you may disable it in the settings menu. See www.vizio.com/privacy for more details. This message will time out in 1 minute." This notification provided no information about the collection of viewing data or ACR software. Nor did it directly link to the settings menu or privacy policy... In March 2016, while Plaintiffs’ investigations were pending, [VIZIO and VIZIO Inscape] sent another pop-up notification to televisions that, for the first time, referenced the collection of television viewing data. This notification timed out after 30 seconds without input from the household member who happened to be viewing the screen at the time, and did not provide easy access to the settings menu... In all televisions enabled with ACR tracking, VIZIO televisions had a setting, available through the settings menu, called “Smart Interactivity.” This setting included the description: “Enables program offers and suggestions.” Similarly, in the manual for some VIZIO televisions, a section entitled “Smart Interactivity” described the practice as “Your TV can display program-related information as part of the broadcast.” Neither description provided information about the collection of viewing data..."

30 seconds? Really?! If a consumer left the room to grab a bite to eat or visit the bathroom for a bio break, they easily missed this pop-up message. No notice at all? Neither is good. VIZIO released a statement about the settlement:

"VIZIO is pleased to reach this resolution with the FTC and the New Jersey Division of Consumer Affairs.  Going forward, this resolution sets a new standard for best industry privacy practices for the collection and analysis of data collected from today’s internet-connected televisions and other home devices,” stated Jerry Huang, VIZIO General Counsel. “The ACR program never paired viewing data with personally identifiable information such as name or contact information, and the Commission did not allege or contend otherwise. Instead, as the Complaint notes, the practices challenged by the government related only to the use of viewing data in the ‘aggregate’ to create summary reports measuring viewing audiences or behaviors... the FTC has made clear that all smart TV makers should get people’s consent before collecting and sharing television viewing information and VIZIO now is leading the way,” concluded Huang."

Terms of the settlement agreement and the Court Order (Adobe PDF) require VIZIO to:

"A. Prominently disclose to the consumer, separate and apart from any “privacy policy,” “terms of use” page, or other similar document: (1) the types of Viewing Data that will be collected and used, (2) the types of Viewing Data that will be shared with third parties; (3) the identity or specific categories of such third parties; and (4) all purposes for Defendants’ sharing of such information;

B. Obtain the consumer’s affirmative express consent (1) at the time the disclosure...

C. Provide instructions, at any time the consumer’s affirmative express consent is sought under Part II.B, for how the consumer may revoke consent to collection of Viewing Data.

D. For the purposes of this Order, “Prominently” means that a required disclosure is difficult to miss (i.e., easily noticeable) and easily understandable by ordinary consumers..."

The Order also defines that disclosure must be visual, audible, in all formats which VIZIO uses, in easy-to-understand language, and not contradicted by any legal statements elsewhere. Terms of the settlement require VIZIO to pay $1.5 million to the FTC and $1.0 million to the New Jersey Division of Consumer Affairs (which includes a $915,940.00 civil penalty and $84,060.00 for attorneys’ fees and investigative costs). VIZIO will not have to pay $300,000 due to the New Jersey Division of Consumer Affairs if the company complies with the court order and does not engage in acts that violate the New Jersey Consumer Fraud Act (CFA) during the next five years.

Additional terms of the settlement agreement require VIZIO to destroy information collected before March 1, 2016, establish and implement a privacy program, designate one or several employees responsible for that program, identify any risks from internal processes that cause the company to collect consumer information it shouldn't, design and implement a program to address those risks, develop and implement processes to identify service providers that will comply with the privacy program, and hire an independent third party to audit the privacy program every two years.

I guess the FTC and New Jersey AG felt this level of specificity was necessary given VIZIO's past behaviors. Kudos to the FTC and to the New Jersey AG for enforcing and protecting consumers' privacy. Given the rapid pace of technological change and the complexity of today's devices, oversight is required. Consumers simply don't have the skills or resources to do these types of investigations.

What are your opinions of the VIZIO settlement?


74 Percent of US Broadband Households Have Internet-Connected Televisions

According to new research from The Diffusion Group (TDG), 74 percent of US households had Internet-connected televisions at year-end 2016. In 2013, 50 percent of households had Internet-connected televisions. Michael Greeson, TDG President and Director of Research, said:

"At 74% penetration, connected TV use is squarely in the Late Mainstream phase of its trajectory. Barring any major disruption in TV technology or market conditions, growth will slow each year as the solution reaches saturation... Broadband pay-TV services are particularly well positioned to leverage this utility, which permits scale at much lower costs."

TDG first noted in 2004 that the penetration of connected televisions would closely follow broadband (a/k/a high-speed Internet) services.

Chart by TDG of Internet-connected televisions in the United States.


FTC Lawsuit Claims D-Link Products Have Inadequate Security

Do you use D-Link modem/routers or routers? Do you have or plan to buy smart home appliances or electronics (a/k/a the Internet of Things or IoT) you want to connect via your home WiFi network to these or other brand routers? Are you concerned about the security of IoT devices? If you answered yes to any of these questions, then today's blog post is for you.

The U.S. Federal Trade Commission (FTC) has filed a complaint against Taiwan-based D-Link Corporation and its U.S. subsidiary alleging the tech company didn't do enough to make its products secure from hacking. The FTC announcement stated that its complaint alleged:

"... that D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras... D-Link promoted the security of its routers on the company’s website, which included materials headlined “EASY TO SECURE” and “ADVANCED NETWORK SECURITY.” But despite the claims made by D-Link, the FTC alleged, the company failed to take steps to address well-known and easily preventable security flaws, such as: a) "hard-coded" login credentials integrated into D-Link camera software -- such as the username “guest” and the password “guest” -- that could allow unauthorized access to the cameras’ live feed; b) a software flaw known as “command injection” that could enable remote attackers to take control of consumers’ routers by sending them unauthorized commands over the Internet; c) the mishandling of a private key code used to sign into D-Link software, such that it was openly available on a public website for six months; and d) leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information."

Besides the D-Link shopping site, the company's products are available at many online stores, including Best Buy, Target, Walmart, and Amazon. The FTC complaint (Adobe PDF) stated five counts describing in detail the alleged security lapses, some of which allegedly contradict advertising claims. The redacted complaint did not list specific product model numbers. Apple Insider reported:

"The security lapses also extended to mobile apps offered by D-Link to access and manage IP cameras and routers from a smartphone or tablet."

If these allegations are true, then item "c" is troubling. It raises questions about how and why a private key code was available on a public, unprotected server, and for so long. It also raises questions about why this information wasn't encrypted. Access codes on a public server may help government intelligence agencies perform their tasks, but they suggest insufficient security for consumers. Access codes and login credentials are the holy grail for criminals: this is the information they seek in order to hack accounts and hijack devices.
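Item "b" above, "command injection," is worth seeing concretely. The following is an added example (not D-Link's code, and not taken from the complaint) that contrasts a hypothetical router diagnostic "ping" handler written the vulnerable way with a hardened version; the function names, the sample target strings, and the fixed `-c 3` option set are assumptions. Neither function runs a process: each returns what would be executed, so the difference can be inspected offline.

```python
"""Command injection in a router web handler: vulnerable vs hardened.

Added example, not vendor code.  A firmware 'ping this host' page typically
takes a target from the HTTP request.  If that string is spliced into a shell
command, shell metacharacters in it become extra commands.
"""
import ipaddress
import re
import shlex

# One DNS label: 1-63 alphanumerics/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def vulnerable_ping_command(target: str) -> str:
    """Build the line a naive handler would hand to system()/popen().

    The user-supplied target is inserted verbatim, so ';', '|', '&&', '`'
    or '$(...)' in it are interpreted by /bin/sh, not by ping.
    """
    return f"ping -c 3 {target}"


def shell_splits_into_commands(cmdline: str) -> list:
    """Approximate how /bin/sh tokenizes a line and split it at command
    separators, to show that injected text becomes a second command.

    shlex's punctuation_chars mode isolates ';', '|', '&' and parentheses
    as their own tokens, which is enough for this illustration.
    """
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in {";", "|", "||", "&", "&&"}:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def validate_target(target: str) -> str:
    """Accept only an IP literal or a syntactically valid hostname.

    Everything else (spaces, shell metacharacters, empty strings, labels
    that start with '-' and could be read as ping options) is rejected
    with ValueError, so the caller never builds a command from bad input.
    """
    if not target or len(target) > 253:
        raise ValueError("invalid target")
    try:
        ipaddress.ip_address(target)  # IPv4 or IPv6 literal
        return target
    except ValueError:
        pass
    labels = target.rstrip(".").split(".")
    if all(_LABEL.match(label) for label in labels):
        return target
    raise ValueError("invalid target")


def hardened_ping_argv(target: str) -> list:
    """Return an argv list suitable for subprocess.run(argv, shell=False).

    With no shell parsing the list, metacharacters cannot split the command;
    validation refuses them anyway.  Only a fixed option set is passed, and
    the validated target cannot begin with '-', so it cannot be parsed as
    an option either.
    """
    return ["ping", "-c", "3", validate_target(target)]


if __name__ == "__main__":
    # Constructed sample: a benign-looking injection appended to an address.
    hostile = "8.8.8.8; id"
    print("vulnerable builds:", vulnerable_ping_command(hostile))
    print("shell would run  :", shell_splits_into_commands(
        vulnerable_ping_command(hostile)))
    try:
        hardened_ping_argv(hostile)
    except ValueError as err:
        print("hardened rejects :", err)
    print("hardened accepts :", hardened_ping_argv("8.8.8.8"))
```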

Consumers connect via home routers a variety of IoT or smart devices: security systems, cameras, baby monitors, thermostats, home electronics, home appliances, toys, lawn mowers, and more. If true, the vulnerabilities could allow criminals to case home furnishings, eavesdrop on conversations, watch residents' patterns and discover when they are away from home, disable security systems, access tax and financial records, redirect users' Internet usage to fraudulent sites, and more.

The risks are real. A prior blog post discussed some of the security issues with IoT devices. Home routers have been hijacked and used to shut down targeted sites. ZDNet warned in May 2015:

"According to a report released by cybersecurity firm Incapsula on Wednesday, lax security practices concerning small office and home office (SOHO) routers has resulted in tens of thousands of routers becoming hijacked -- ending up as slave systems in the botnet network. Distributed denial-of-service (DDoS) attacks are a common way to disrupt networks and online services. The networks are often made up of compromised PCs, routers and other devices. Attackers control the botnet through a command and control center (C&C) in order to flood specific domains with traffic... ISPs, vendors and users themselves -- who do not lay down basic security foundations such as changing default passwords and keeping networks locked -- have likely caused the slavery of "hundreds of thousands [...] more likely millions" of routers now powering DDoS botnets which can cause havoc for both businesses and consumers..."

And a December 7, 2016 report by Incapsula listed about 18 vendors, including D-Link, that were susceptible to the Mirai malware used by botnets. So, the threat is real. Home routers have already been hijacked by bad guys to attack sites.

D-Link posted on its site a response to the FTC complaint:

"D-Link Systems, Inc. will vigorously defend itself against the unwarranted and baseless charges made by the Federal Trade Commission (FTC)... D-Link Systems maintains a robust range of procedures to address potential security issues, which exist in all Internet of Things (IOT) devices. Notably, the complaint does not allege any breach of a D-Link Systems device. Instead, the FTC speculates that consumers were placed “at risk” to be hacked, but fails to allege, as it must, that actual consumers suffered or are likely to suffer actual substantial injuries."

That response raises more questions. Breaches involve unauthorized persons accessing computers and/or networks. Clearly, botnets are collections of hijacked devices controlled by unauthorized persons using malware. The Incapsula reports clearly documented this. So, how are hijacked home routers and IoT devices with malware not breaches? And, botnets are designed to attack targeted sites, and not necessarily the hijacked routers and devices. So, the "actual substantial injuries" argument falls apart.

Aware consumers don't want their smart televisions, refrigerators, dishwashers, home security systems, baby monitors, cameras, and other devices hijacked by bad guys. The whole situation seems to provide two important reminders for consumers: 1) protect your IoT devices, and 2) be informed shoppers.

Protecting your IoT devices means changing the default passwords, especially on your routers, and disabling remote access features. Informed shoppers inquire before purchase about software security updates for IoT devices. Are those updates included in the product price, available in a separate subscription, or not at all? There are plenty of examples of smart home products with vulnerabilities and questionable security. Informed shoppers know before purchase.

If the product offers a separate subscription for software security updates, the money spent will be well worth it to protect your sensitive personal and financial information, to protect your family's privacy, and to avoid hijacked devices. If the product lacks software security updates, you want to know what you're buying and maybe barter for a lower price. Me? I'd keep shopping for alternatives with better security.

Protect your WiFi-connected home electronics, devices, and appliances. Don't contribute to Internet security problems.

Since most consumers lack the technical expertise to understand and detect breaches on their IoT devices, I am grateful for the FTC enforcement action, and for its guidelines in 2015 for companies offering IoT devices. Plus, the FTC is concerned with industry-wide threats that could hamper commerce. Perhaps an economist can calculate the negative impacts upon commerce, the U.S. economy, and GDP from botnet attacks.

What are your opinions of the FTC lawsuit against D-Link Corporation? Of the security of IoT devices?


Win $25K In The FTC Internet-Of-Things Home Inspector Challenge

For the holidays, many consumers gave or received devices for their homes that are WiFi-connected, often referred to as the "Internet of Things" (IoT). Those devices include Internet routers, security cameras, home security systems, and a variety of appliances and electronics: televisions, refrigerators, clothes washers, lighting, heating/cooling systems, toys, DVRs, and more. Residences outfitted with these devices are often referred to as "Smart Homes" or "Connected Homes."

Experts forecast 50 billion devices globally by 2020. Plus, utilities have already installed smart meters in homes that regularly transmit consumers' water/oil/gas usage to their utility providers. Protecting those devices against hackers is critical.

While the FTC has published guidelines for manufacturers of IoT devices, those guidelines aren't mandatory. The privacy threats of IoT devices are known, and researchers have warned about the vulnerabilities in specific products.

To help consumers manage their WiFi-connected home devices, the U.S. Federal Trade Commission (FTC) announced a prize competition called the "IoT Home Inspector Challenge." The FTC will award the $25,000 top prize to the solution that best helps consumers protect their IoT devices against vulnerabilities and manage passwords (e.g., replace factory defaults) for all home devices. Up to three honorable mention prizes of $3,000 each are also available.

Consumers working individually, or in teams, can register and submit entries beginning March 1, 2017. The deadline for entries is May 22, 2017. Winners will be announced on July 27, 2017. To be considered, entries must meet the following criteria:

  • Provide a technical solution, rather than a policy or legal solution
  • Work on home IoT devices that currently exist on the market
  • Protect information it collects both in transit and at rest
  • Explain how the tool or solution will avoid or mitigate any additional security risks that the tool itself might introduce into the consumer’s home (for example, via software upgrades)

The judges will rate each entry based upon how well it addresses the following four components:

  1. Recognize what IoT devices are operating in the consumer’s home. This may be automatic or provide instructions for consumer input,
  2. Determine what software version is already on those IoT devices. Again, this may be automatic or provide instructions for consumer input,
  3. Determine the latest software version each home IoT device should have, and
  4. Assist with updates.
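The four components above amount to a firmware inventory check. The following is an added example (not an FTC tool or a contest entry) showing the core of components 2 through 4: the device list, the "latest firmware" table, the model names and MAC addresses are all constructed sample data, and how a real tool discovers devices (component 1) is out of scope here.

```python
"""Firmware inventory check in the shape of the FTC challenge components.

Added example with constructed data.  The interesting part is version
comparison: vendor version strings such as '1.8' and '1.10' compare the
wrong way as plain strings ('1.8' > '1.10'), and suffixes like '2.01b'
must not break parsing.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Device:
    mac: str        # constructed sample address, not a real device
    model: str
    firmware: str   # version string as reported by the device (component 2)


# Constructed: what a consumer-side tool might have discovered (component 1).
DISCOVERED: List[Device] = [
    Device("aa:bb:cc:00:00:01", "ROUTER-X1", "1.8"),
    Device("aa:bb:cc:00:00:02", "CAM-200", "2.01b"),
    Device("aa:bb:cc:00:00:03", "CAM-200", "2.10"),
    Device("aa:bb:cc:00:00:04", "UNKNOWN-IOT", "0.9"),
]

# Constructed: the newest release the tool knows per model (component 3).
LATEST: Dict[str, str] = {"ROUTER-X1": "1.10", "CAM-200": "2.10"}

# digits separated by dots, optionally followed by a letter suffix
_VER = re.compile(r"^(\d+(?:\.\d+)*)([A-Za-z]*)$")


def version_key(ver: str):
    """Parse '1.8' -> ((1, 8), '') and '2.01b' -> ((2, 1), 'b').

    Numeric components compare as integers, so 1.8 < 1.10.  A letter suffix
    is assumed (assumption of this example) to mark a later build, so
    2.01b > 2.01 but still < 2.10.
    """
    m = _VER.match(ver.strip())
    if not m:
        raise ValueError(f"unparseable version: {ver!r}")
    nums = tuple(int(part) for part in m.group(1).split("."))
    return nums, m.group(2).lower()


def needs_update(installed: str, latest: str) -> bool:
    return version_key(installed) < version_key(latest)


def audit(devices: List[Device], latest_table: Dict[str, str]) -> List[dict]:
    """Classify every discovered device and suggest an action (component 4)."""
    report = []
    for dev in devices:
        latest: Optional[str] = latest_table.get(dev.model)
        if latest is None:
            status, action = "unknown-model", "identify device; check vendor site"
        elif needs_update(dev.firmware, latest):
            status, action = "update-available", f"update to {latest}"
        else:
            status, action = "current", "none"
        report.append({"mac": dev.mac, "model": dev.model,
                       "installed": dev.firmware, "latest": latest,
                       "status": status, "action": action})
    return report


if __name__ == "__main__":
    for row in audit(DISCOVERED, LATEST):
        print(f"{row['mac']}  {row['model']:<12} {row['installed']:<6} "
              f"{row['status']:<17} {row['action']}")
```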

Visit the FTC IoT Home Inspector Challenge site for complete details about the competition, including contest rules, judges, FAQs, and the registration/submission process.


Health App Developer Settles With FTC For Deceptive Marketing Claims

The U.S. Federal Trade Commission (FTC) announced a settlement agreement with Aura Labs, Inc. regarding alleged deceptive claims about its product: the Instant Blood Pressure App. Aura sold the app from at least June 2014 to at least July 31, 2015 at the Apple App Store and at the Google Play marketplace for $3.99 (or $4.99). Sales of the app totaled about $600,000 during this period. Ryan Archdeacon, the Chief Executive Officer and President of Aura, was named as a co-defendant in the suit.

The FTC alleged that the defendants violated the FTC Act. The complaint alleged deceptive marketing claims by Aura about its blood pressure app:

"Although Defendants represent that the Instant Blood Pressure App measures blood pressure as accurately as a traditional blood pressure cuff and serves as a replacement for a traditional cuff, in fact, studies demonstrate clinically and statistically significant deviations between the App’s measurements and those from a traditional blood pressure cuff."

iMedicalApps reported on March 2, 2016:

"A study presented today at the American Heart Association EPI & Lifestyle (AHA EPI) meeting in Phoenix has shown the shocking inaccuracy of a popular medical app, Instant Blood Pressure... Back in 2014, we raised concerns about the Instant Blood Pressure medical app which claimed to measure blood pressure just by having users put their finger over their smartphone’s camera and microphone over their heart presumably to use something akin to a pulse wave velocity... Dr. Timothy Plante, a fellow in general internal medicine at Johns Hopkins, led the study in which a total of 85 participants were recruited to test the accuracy of the Instant Blood Pressure app... When looking at individuals with low blood pressure or high blood pressure, they found that the Instant Blood Pressure app gave falsely normal values. In other words, someone with high blood pressure who used the app would be falsely reassured their blood pressure was normal... the sensitivity for high blood pressure was an abysmal 20%. These results, while striking, should not be surprising. This medical app had no publicly available validation data, despite reassurance from the developer back in 2014 that such data was forthcoming. The use of things like pulse wave velocity as surrogates for blood pressure has been tried and is fraught with problems..."

The FTC complaint listed the problems with an online review posted in the Apple App Store:

"Defendant Ryan Archdeacon left the following review of the Instant Blood Pressure App in the Apple App Store: "Great start by ARCHIE1986 – Version – 1.0.1 – Jun 11, 2014. This app is a breakthrough for blood pressure monitoring. There are some kinks to work out and you do need to pay close attention to the directions in order to get a successful measurement but all-in-all it’s a breakthrough product. For those having connection problems, consider trying again. I have experienced a similar issue. It is also great that the developer is committed to continual improvements. This is a great start!!!" That the review was left by the Chief Executive Officer and President of Aura was not disclosed to consumers and would materially affect the weight and credibility consumers assigned to the endorsement."

The complaint also cited problems with endorsements posted at Aura's web site:

"At times material to this Complaint, the What People Think portion of Defendants’ website contained three endorsements, including the following endorsement from relatives of Aura’s Chairman of the Board and co-founder Aaron Giroux: "This is such a smart idea that will benefit many of us in monitoring our health in an easy and convenient way." That the endorsement was left by relatives of Aura’s Chairman of the Board and co-founder Aaron Giroux was not disclosed to consumers and would materially affect the weight and credibility consumers assigned to the endorsement."

Terms of the settlement prohibit the defendants from making such unsubstantiated claims in the future, refund money to affected customers, reimburse plaintiffs for the costs of this lawsuit, and additional unspecified items. The FTC announcement also stated that the court order imposed:

"... a judgment of $595,945.27, which is suspended based on the defendants’ inability to pay. The full amount will become due, however, if they are later found to have misrepresented their financial condition."

Copies of the complaint are available at the FTC site and here (Adobe PDF). Kudos to the FTC for its enforcement action. Product claims and endorsements should be truthful and accurate. And consumers still need to do research before purchase. Just because there's an app for it doesn't mean the results promised are guaranteed.

Got an unresolved problem with a product, service, or app? Consumers can file a complaint online with the FTC. What are your opinions of the Aura-FTC settlement? Of claims by app developers?


How To Spot Fake News And Not Get Duped

You may have heard about the "pizzagate" conspiracy -- fake news about a supposed child-sex ring operating from a pizzeria in Washington, DC. A heavily armed citizen drove from North Carolina to the pizzeria to investigate the bogus child-sex ring supposedly run by Presidential candidate Hillary Clinton. The reality: no sex ring. That citizen had been duped by fake news. Shots were fired, and thankfully nobody was hurt.

CBS News reported that the pizzagate conspiracy had been promoted by Michael G. Flynn, son of retired General Michael T. Flynn, Donald Trump's pick for national security adviser. As a result, the younger Flynn resigned Tuesday from President-Elect Trump's transition team.

I use the phrase "fake news" for several types of misleading content: propaganda, unproven or fact-free conspiracy theories, disinformation, and clickbait. The pizzagate incident highlighted two issues: a) fake news has consequences, and b) many people don't know how to distinguish real news from fake news. So, while political operatives reportedly have used a combination of fake news, ads, and social media to both encourage supporters to vote and discourage opponents from voting, there clearly are other real-life consequences.

To help people spot fake news, NPR reported:

"Stopping the proliferation of fake news isn't just the responsibility of the platforms used to spread it. Those who consume news also need to find ways of determining if what they're reading is true. We offer several tips below. The idea is that people should have a fundamental sense of media literacy. And based on a study recently released by Stanford University researchers, many people don't."

The report is enlightening. In the "Evaluating Information: The Cornerstone of Civic Online Reasoning" report, researchers at Stanford University tested about 7,804 students in 12 states between January 2015 and June 2016. They found:

"... at each level—middle school, high school, and college—these variations paled in comparison to a stunning and dismaying consistency. Overall, young people’s ability to reason about the information on the Internet can be summed up in one word: bleak. Our “digital natives” may be able to flit between Facebook and Twitter while simultaneously uploading a selfie to Instagram and texting a friend. But when it comes to evaluating information that flows through social media channels, they are easily duped... We would hope that middle school students could distinguish an ad from a news story. By high school, we would hope that students reading about gun laws would notice that a chart came from a gun owners’ political action committee. And, in 2016, we would hope college students, who spend hours each day online, would look beyond a .org URL and ask who’s behind a site that presents only one side of a contentious issue. But in every case and at every level, we were taken aback by students’ lack of preparation... Many [people] assume that because young people are fluent in social media they are equally savvy about what they find there. Our work shows the opposite."

This is important for both individuals and the future of the nation because:

"For every challenge facing this nation, there are scores of websites pretending to be something they are not. Ordinary people once relied on publishers, editors, and subject matter experts to vet the information they consumed. But on the unregulated Internet, all bets are off... Never have we had so much information at our fingertips. Whether this bounty will make us smarter and better informed or more ignorant and narrow-minded will depend on our awareness of this problem and our educational response to it. At present, we worry that democracy is threatened by the ease at which disinformation about civic issues is allowed to spread and flourish."

While the study focused upon students, older persons have been duped, too. The suspect in the pizzeria incident was 28 years old. The Stanford report focused upon what teachers and educators can do to better prepare students. According to the researchers, additional solutions are forthcoming.

What can you do to spot fake news? Don't wait for sites and/or social media to do it for you. Become a smarter consumer. The NPR report suggested:

  1. Pay attention to the domain and URL
  2. Read the "About Us" section of the site
  3. Look at the quotes in a story
  4. Look at who said the quotes

All of the suggestions require readers to take the time to understand the website, publication, and/or publisher. A little skepticism is healthy. Also verify the persons quoted and whether the persons quoted are who the article claims. And, verify that any images used actually relate to the event.

We all have to be smarter consumers of news in order to stay informed and meet our civic duties, which includes voting. Nobody wants to vote for politicians that don't represent their interests because they've been duped. To the above list, I would add:

  • Read news wires. These sites include the raw, unfiltered news about who, when, where, and what happened. Some suggested sources: Associated Press (AP), Reuters, and United Press International (UPI)
  • Learn to recognize advertisements
  • Learn the differences between different types of content: news, opinion, analysis, satire/humor, and entertainment. Reputable sites will label them to help readers.

If you don't know the differences and can't spot each type, then you are likely to get duped.


The List of Fake News Sites

New York Magazine reported:

"As Facebook and now Google face scrutiny for promoting fake news stories, Melissa Zimdars, a communication and media professor from Merrimack College in Massachusetts, has compiled a handy list of websites you should think twice about trusting. “Below is a list of fake, false, regularly misleading, and otherwise questionable ‘news’ organizations that are commonly shared on Facebook and other social media sites,” Zimdars explains. “Many of these websites rely on ‘outrage’ by using distorted headlines and decontextualized or dubious information in order to generate likes, shares, and profits.” (Click here to see the list.)

Be warned: Zimdars’s list is expansive in scope, and stretches beyond the bootleg sites (many of them headquartered in Macedonia) that write fake news for the sole reason of selling advertisements. Right-wing sources and conspiracy theorists like Breitbart and Infowars appear alongside pure (but often misinterpreted) satire like the Onion and The New Yorker’s Borowitz Report."

For consumers seeking "hard" news (e.g., the raw who, what, when, and where something happened), some sources: Associated Press (AP), Reuters, and United Press International (UPI). What sources do you use for "hard" news?


Phone Calls, Apple iCloud, Cloud Services, And Your Privacy

A security firm has found a hidden feature that threatens the privacy of Apple iPhone and iCloud users. Forbes magazine reported:

"Whilst it was well-known that iCloud backups would store call logs, contacts and plenty of other valuable data, users should be concerned to learn that their communications records are consistently being sent to Apple servers without explicit permission, said Elcomsoft CEO Vladimir Katalov. Even if those backups are disabled, he added, the call logs continue making their way to the iCloud, Katalov said... All FaceTime calls are logged in the iCloud too, whilst as of iOS 10 incoming missed calls from apps like WhatsApp and Skype are uploaded..."

Reportedly, the feature is automatic and the only option for users wanting privacy is to not use Apple iCloud services. That's not user-friendly.

Should you switch from Apple iCloud to a commercial service? Privacy risks are not unique to Apple iCloud. Duane Morris LLP explained the risks of using cloud services such as Dropbox, SecuriSync, Citrix ShareFile, and Rackspace:

"Users of electronic file sharing and storage service providers are vulnerable to hacking... Dropbox as just one example: If a hacker was to get their hands on your encryption key, which is possible since Dropbox stores the keys for all of its users, hackers can then steal your personal information stored on Dropbox. Just recently, Dropbox reported that more than 68 million users’ email addresses and passwords were hacked and leaked onto the Internet... potentially even more concerning is the fact that because these service providers own their own servers, they also own any information residing on them. Hence, they can legally access any data on their servers at any time. Additionally, many of these companies house their servers outside of the United States, which means the use, operation, content and security of such servers may not be protected by U.S. law. Furthermore, consider the policies regarding the sharing of your information with third parties. Among others, Dropbox has said that if subpoenaed, it will voluntarily disclose your information to a third party, such as the Internal Revenue Service."

Regular readers of this blog know what that means. Many government entities besides the IRS, such as law enforcement and intelligence agencies, issue subpoenas.

This highlights the double-edged sword of syncing and file-sharing across multiple devices (e.g., phone, laptop, desktop, tablet). Sure, it is a huge benefit to have all of your files, music, videos, contacts, and data easily and conveniently available regardless of which device you use. Along with that benefit come the downside privacy and security risks: data stored in cloud services is vulnerable to hacking and subject to government warrants, subpoenas, and court actions. As Duane Morris LLP emphasized, it doesn't matter whether your data is encrypted or not.

Also, Forbes magazine reported:

"Katalov believes automated iCloud storage of up-to-date logs would be beneficial for law enforcement wanting to get access to valuable iPhone data. And, he claimed, Apple hadn’t properly disclosed just what data was being stored in the iCloud and, therefore, what information law enforcement could demand."

Well, law enforcement, intelligence agencies, and cyber-criminals now know what information to demand.


Some Android Phones Infected With Surveillance Malware Installed In Firmware

Security analysts recently discovered surveillance malware in some inexpensive smartphones that run the Android operating system (OS) software. The malware secretly transmits information about the device owner and usage to servers in China. The surveillance malware was installed in the phones' firmware. The New York Times reported:

"... you can get a smartphone with a high-definition display, fast data service and, according to security contractors, a secret feature: a backdoor that sends all your text messages to China every 72 hours. Security contractors recently discovered pre-installed software in some Android phones... International customers and users of disposable or prepaid phones are the people most affected by the software... The Chinese company that wrote the software, Shanghai Adups Technology Company, says its code runs on more than 700 million phones, cars and other smart devices. One American phone manufacturer, BLU Products, said that 120,000 of its phones had been affected and that it had updated the software to eliminate the feature."

Shanghai ADUPS Technology Company (ADUPS) is privately owned and based in Shanghai, China. According to Bloomberg, ADUPS:

"... provides professional Firmware Over-The-Air (FOTA) update services. The company offers a cloud-based service, which includes cloud hosts and CDN service, as well as allows manufacturers to update all their device models. It serves smart device manufacturers, mobile operators, and semiconductor vendors worldwide."

Firmware is a special type of software stored in read-only memory (ROM) chips that operates a device, including how it controls, monitors, and manipulates data within a device. Kryptowire, a security firm, discovered the malware. The Kryptowire report identified:

"... several models of Android mobile devices that contained firmware that collected sensitive personal data about their users and transmitted this sensitive data to third-party servers without disclosure or the users' consent. These devices were available through major US-based online retailers (Amazon, BestBuy, for example)... These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI). The firmware could target specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices.

The firmware that shipped with the mobile devices and subsequent updates allowed for the remote installation of applications without the users' consent and, in some versions of the software, the transmission of fine-grained device location information... Our findings are based on both code and network analysis of the firmware. The user and device information was collected automatically and transmitted periodically without the users' consent or knowledge. The collected information was encrypted with multiple layers of encryption and then transmitted over secure web protocols to a server located in Shanghai. This software and behavior bypasses the detection of mobile anti-virus tools because they assume that software that ships with the device is not malware and thus, it is white-listed."

So, the malware was powerful, sophisticated, and impossible for consumers to detect.

This incident provides several reminders. First, there were efforts earlier this year by the U.S. Federal Bureau of Investigation (FBI) to force Apple to build "back doors" into its phones for law enforcement. Reportedly, it is unclear what specific law enforcement or intelligence services utilized the data streams produced by the surveillance malware. It is probably wise to assume that the Ministry of State Security, China's intelligence agency, had or has access to data streams.

Second, the incident highlights supply chain concerns raised in 2015 about computer products manufactured in China. Third, the incident indicates how easily consumers' privacy can be compromised by data breaches during a product's supply chain: manufacturing, assembly, transport, and retail sale.

Fourth, the incident highlights Android phone security issues raised earlier this year. We know from prior reports that manufacturers and wireless carriers don't provide OS updates for all Android phones. Fifth, the incident highlights the need for automakers and software developers to ensure the security of both connected cars and driverless cars.

Sixth, the incident raises questions about how and what, if anything, President-Elect Donald J. Trump and his incoming administration will do about this trade issue with China. The Trump-Pence campaign site stated about trade with China:

"5. Instruct the Treasury Secretary to label China a currency manipulator.

6. Instruct the U.S. Trade Representative to bring trade cases against China, both in this country and at the WTO. China's unfair subsidy behavior is prohibited by the terms of its entrance to the WTO.

7. Use every lawful presidential power to remedy trade disputes if China does not stop its illegal activities, including its theft of American trade secrets - including the application of tariffs consistent with Section 201 and 301 of the Trade Act of 1974 and Section 232 of the Trade Expansion Act of 1962..."

This incident places consumers in a difficult spot. According to the New York Times:

"Because Adups has not published a list of affected phones, it is not clear how users can determine whether their phones are vulnerable. “People who have some technical skills could,” Mr. Karygiannis, the Kryptowire vice president, said. “But the average consumer? No.” Ms. Lim [an attorney that represents Adups] said she did not know how customers could determine whether they were affected."

Until these supply-chain security issues get resolved, it is probably wise for consumers to inquire before purchase where their Android phone was made. There are plenty of customer service sites where existing Android phone owners can determine the country their device was made in. Example: Samsung phone info.

Should consumers avoid buying Android phones made in China or Android phones with firmware made in China? That's a decision only you can make for yourself. Me? When I changed wireless carriers in July, I switched an inexpensive Android phone I'd bought several years ago to an Apple iPhone.

What are your thoughts about the surveillance malware? Would you buy an Android phone?


Facebook Says it Will Stop Allowing Some Advertisers to Exclude Users by Race

[Editor's note: Today's guest post was originally published by ProPublica on November 11, 2016. It is reprinted with permission. This prior post explained the problems with Facebook's racial advertising filters.]

by Julia Angwin, ProPublica

Facing a wave of criticism for allowing advertisers to exclude anyone with an "affinity" for African-American, Asian-American or Hispanic people from seeing ads, Facebook said it would build an automated system that would let it better spot ads that discriminate illegally.

Federal law prohibits ads for housing, employment and credit that exclude people by race, gender and other factors.

Facebook said it would build an automated system to scan advertisements to determine if they are services in these categories. Facebook will prohibit the use of its "ethnic affinities" for such ads.

Facebook said its new system should roll out within the next few months. "We are going to have to build a solution to do this. It is not going to happen overnight," said Steve Satterfield, privacy and public policy manager at Facebook.

He said that Facebook would also update its advertising policies with "stronger, more specific prohibitions" against discriminatory ads for housing, credit and employment.

In October, ProPublica purchased an ad that targeted Facebook members who were house hunting and excluded anyone with an "affinity" for African-American, Asian-American or Hispanic people. When we showed the ad to a civil rights lawyer, he said it seemed like a blatant violation of the federal Fair Housing Act.

After ProPublica published an article about its ad purchase, Facebook was deluged with criticism. Four members of Congress wrote Facebook demanding that the company stop giving advertisers the option of excluding by ethnic group.

The federal agency that enforces the nation's fair housing laws said it was "in discussions" with Facebook to address what it termed "serious concerns" about the social network's advertising practices.

And a group of Facebook users filed a class-action lawsuit against Facebook, alleging that the company's ad-targeting technology violates the Fair Housing Act and the Civil Rights Act of 1964.

Facebook's Satterfield said that today's changes are the result of "a lot of conversations with stakeholders."

Facebook said the new system would not only scan the content of ads, but could also inject pop-up notices alerting buyers when they are attempting to purchase ads that might violate the law or Facebook's ad policies.

"We're glad to see Facebook recognizing the important civil rights protections for housing, credit and employment," said Rachel Goodman, staff attorney with the racial justice program at the American Civil Liberties Union. "We hope other online advertising platforms will recognize that ads in these areas need to be treated differently."

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Connected Cars: 4 Tips For Drivers To Stay Safe Online

With the increasing dominance of the Internet of Things (IoT), connected cars are becoming more ubiquitous than ever. We’ve long heard warnings from the media about staying safe online, but few consumers consider data hacks and other security compromises while driving a car connected to the internet.

According to the infographic below from Arxan, an app protection company, 75 percent of all cars shipped globally will have internet connectivity by 2020, and current connected cars have more than 100 million lines of code. Connected features are designed to improve safety, fuel efficiency, and overall convenience. These features range from Bluetooth, WiFi, cellular network connections, and keyless entry systems to deeper “cyberphysical” features like automated braking, parking assist, and lane assist.

More Features Means More Vulnerability
However, with this increasing connectivity comes risks from malicious hacking. Today, connected cars have many attack points malicious hackers can exploit, including the OBD2 port used to connect third-party devices, and the software running on infotainment systems.

According to Arxan, some of the more vulnerable attack points are mobile apps that unlock vehicles and start a vehicle remotely, diagnostic devices, and insurance dongles, including the ones insurance companies give to monitor and reward safe drivers. These plug into the OBD2 port, but hackers could essentially access any embedded system in the car after lifting cryptographic keys, as the Arxan page on application protection for connected cars describes.

Vulnerabilities are usually demonstrated in conferences like Black Hat. Example: in 2010, researchers at the University of Washington and the University of California San Diego hacked a car that had a variety of wireless capabilities. The vulnerable attack points they targeted included its Bluetooth, the cellular radio, an Android app on the owner’s phone that was connected to the car’s network, and an audio file burned onto a CD in the car’s stereo. In 2013, hackers Charlie Miller and Chris Valasek hijacked the steering and brake systems of both a Ford Escape and Toyota Prius with only their laptops.

How To Protect Yourself
According to a public service announcement from the FBI and the Department of Transportation, it’s crucial that consumers follow these recommendations to best protect themselves:

  1. Keep your vehicle’s software up to date
  2. Stay aware of recalls that require manual security patches to your car’s code
  3. Avoid unauthorized changes to your car’s software
  4. Use caution when plugging insecure devices into the car’s ports and network

With the latest remote hack of a Tesla Model S, it seems that the response time between finding out about a breach and issuing a patch to correct it is thankfully getting shorter. As more automakers become tech-oriented like Tesla, they will also need to cooperate with OEMs to make sure the operating-system software in their vehicles is designed securely. It seems this will take time, coordination with vendors, and money to bring these operations in house.

Arxan connected vehicles infographic

What do you do to protect your Internet-connected vehicle? What security tools and features would you prefer automakers and security vendors provide?