244 posts categorized "Social Networking"

Microsoft To Buy Social Networking Site LinkedIn For $26.2 Billion

Microsoft Corporation announced yesterday its plan to purchase the LinkedIn.com social networking site for $26.2 billion, or $196 per share. The Boards of Directors at both companies have approved the transaction. Microsoft will fund the acquisition with additional debt. The high-tech giant explained the acquisition in a blog post:

"LinkedIn is the world’s largest and most valuable professional network and continues to build a strong and growing business. Over the past year, the company has launched a new version of its mobile app that has led to increased member engagement; enhanced the LinkedIn newsfeed to deliver better business insights; acquired a leading online learning platform called Lynda.com to enter a new market; and rolled out a new version of its Recruiter product to its enterprise customers. These innovations have resulted in increased membership, engagement and financial results, specifically:

- 19 percent growth year over year (YOY) to more than 433 million members worldwide,
- 9 percent growth YOY to more than 105 million unique visiting members per month,
- 49 percent growth YOY to 60 percent mobile usage,
- 34 percent growth YOY to more than 45 billion quarterly member page views, and
- 101 percent growth YOY to more than 7 million active job listings."

Of the 433 million total users, 128 million are in the United States. For 2015, LinkedIn's GAAP (Generally Accepted Accounting Principles) net loss was $166 million. In 2014, the social site lost $15.7 million. The company's Talent Solutions business generates the most revenues, followed by advertising on the site and in the mobile app, and then the site's premium subscription service for members.

Microsoft CEO Satya Nadella said in an e-mail to staff:

"This deal brings together the world’s leading professional cloud with the world’s leading professional network... I wanted to share with you how I think about acquisitions overall. To start, I consider if an asset will expand our opportunity — specifically, does it expand our total addressable market? Is this asset riding secular usage and technology trends? And does this asset align with our core business and overall sense of purpose?

The answer to all of those questions with LinkedIn is squarely yes. We are in pursuit of a common mission centered on empowering people and organizations. Along with the new growth in our Office 365 commercial and Dynamics businesses this deal is key to our bold ambition to reinvent productivity and business processes. Think about it: How people find jobs, build skills, sell, market and get work done and ultimately find success requires a connected professional world. It requires a vibrant network that brings together a professional’s information in LinkedIn’s public network with the information in Office 365 and Dynamics. This combination will make it possible for new experiences such as a LinkedIn newsfeed that serves up articles based on the project you are working on and Office suggesting an expert to connect with via LinkedIn to help with a task you’re trying to complete. As these experiences get more intelligent and delightful, the LinkedIn and Office 365 engagement will grow. And in turn, new opportunities will be created for monetization through individual and organization subscriptions and targeted advertising."

LinkedIn went public in 2011. Mashable reported about a possible consolidation in the social networking industry. More sites may be acquired:

"Many of the flashy social networks that Wall Street once fawned over — even if it didn't understand what exactly they do — are now looking for the exit door as the mood sours. LinkedIn, like Twitter and Yelp, has seen its stock obliterated throughout much of the year as social media firms (other than Facebook) are experiencing slower growth, and investors are experiencing less patience... In February, LinkedIn stock was nearly halved overnight after a single disappointing earnings report. The plunge was so severe that the company's CEO had to give a pep talk to his team and later gave away his bonus to employees suffering from financial whiplash... Twitter, arguably the second most anticipated social media IPO after Facebook, has seen its market cap fall to less than $10 billion in recent weeks..."

And, there are three related privacy issues. First, LinkedIn had a massive data breach in 2012, affecting 117 million persons. Hopefully, the acquisition will also help the social networking site improve its data security. If not, the profitability slide will likely continue.

Second, it is important to remember that during any corporate acquisition, the acquiring company gets the assets of the acquired company. Assets usually include databases of information about customers, current employees, former employees, and contractors. If you use LinkedIn or did business with the social site and never did business with Microsoft, then Microsoft will soon have your sensitive personal and payment information.

Third, the acquisition reinforces the impression that Microsoft bought in entirely to big data. Like Google, it wishes to collect as much information as possible about as many people as possible. Big data matters, especially to cloud services vendors.

Agree? Comments?


Social Networking Sites With The Largest Number of News Users

Recently, some friends and I were discussing the wisdom of getting your news from social networking websites (e.g., Facebook, Twitter, Snapchat, Youtube, LinkedIn, etc.) instead of directly from news media sites. Apparently, many consumers get their news from such sites.

The Pew Research Center reported that most adults in the United States, 62 percent, get their news from social networking sites. The corresponding statistic in 2012 was 49 percent. Fewer social media site users get their news from other platforms: local television (46 percent), cable TV (31 percent), nightly network TV (30 percent), news websites/apps (28 percent), radio (25 percent), and print newspapers (20 percent). 

Pew analyzed which social networking sites were used the most for news, and whether consumers used multiple sites to obtain news. The Pew Research Center found:

"Two-thirds of Facebook users (66 percent) get news on the site, nearly six-in-ten Twitter users (59 percent) get news on Twitter, and seven-in-ten Reddit users get news on that platform. On Tumblr, the figure sits at 31 percent..."

The corresponding statistics are 23 percent for Instagram, 21 percent for Youtube, 19 percent for LinkedIn, and 17 percent at Snapchat. The implications:

"Facebook is by far the largest social networking site, reaching 67% of U.S. adults. The two-thirds of Facebook users who get news there, then, amount to 44% of the general population. YouTube has the next greatest reach in terms of general usage, at 48% of U.S. adults. But only about a fifth of its users get news there, which amounts to 10% of the adult population. That puts it on par with Twitter, which has a smaller user base (16% of U.S. adults) but a larger portion getting news there."

About audience overlap, Pew found that most people (64 percent) get their news from one social media site. 26 percent get their news from two social media sites, and 10 percent get their news from three social media sites. Pew also found that more users at Reddit, Twitter, and LinkedIn seek out news versus stumbling across it by accident:

Percent of news users of each site who mostly get news online:

| Social Networking Site | While doing other things | Because they're looking for it |
|---|---|---|
| Instagram | 63 | 37 |
| Facebook | 62 | 38 |
| Youtube | 58 | 41 |
| LinkedIn | 46 | 51 |
| Twitter | 45 | 54 |
| Reddit | 42 | 55 |

Who are the news users at the five largest social sites with news users? The users vary by site:

"... while there is some crossover, each site appeals to a somewhat different group. Instagram news consumers stand out from other groups as more likely to be non-white, young and, for all but Facebook, female. LinkedIn news consumers are more likely to have a college degree than news users of the other four platforms; Twitter news users are the second most likely."

The demographic data:

[Image: Pew chart of social news users]

Some of you are probably wondering about Google+ and Pinterest. Pew removed three social media sites because:

"... Pinterest, which has been shown to have a small portion of users who use it for news; Myspace, which has largely transitioned to a music site; and Google+, which through its recent transformations is being phased out as a social networking site."

The survey was conducted from January 12 to February 8, 2016 and included 4,654 respondents (4,339 by web and 315 by mail). The methodology included a randomly-selected subset of U.S. adults (6,301 total web-based persons and 474 total mail persons).


User Reports Facebook Changed Members' Ad Settings Without Notice Nor Consent

If you use Facebook.com, this is for you.

David Carroll, an associate professor of media design at Parsons School of Design, posted the warning below on Twitter. I checked my Facebook settings and this specific advertisement setting had indeed been changed. So, check yours today. It's fast and easy. It will take at most half a minute to check and change it.

What's driving this activity by the social network? The Washington Post summarized the situation well when it discussed new ad features the site introduced in 2014:

"Things are about to get better for Facebook customers! Not you. You are not a Facebook customer. Advertisers are Facebook customers. You are part of the Facebook product... Facebook, at its moneymaking core, is a system for showing ads to people... why we’re seeing this is because Facebook is not a social network. It is an advertising network... And it seems to be banking on what it always banks on: our unwillingness to change any default settings or think about the flip side of data sharing."

Now, go check and restore your ad settings to maintain privacy.

[Image: Tweet by David Carroll]


Emails And Passwords For Sale From The Massive Tumblr Data Breach

Things seem to be getting worse at Tumblr, a blogging platform Yahoo acquired in 2013. First, Tumblr announced on May 12 a possible data breach. Its announcement stated:

"We recently learned that a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013, prior to the acquisition of Tumblr by Yahoo. As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts. As a precaution, however, we will be requiring affected Tumblr users to set a new password."

That early May announcement directed users to reset their passwords, and use secure https connections. It didn't state the number of affected accounts. Well, now we know more.

Softpedia reported on May 30 that valid Tumblr passwords are available online for sale:

"Independent security researcher Troy Hunt revealed today that he received a data dump that contains 65,469,298 emails and hashed passwords, which the anonymous donor said belonged to Tumblr users. The researcher tracked the data dump to The Real Deal Dark Web marketplace, where a hacker by the name of Peace (also known as Peace_of_mind) is selling it for 0.4255 Bitcoin ($225)..."

That's 65.4 million passwords compromised. A massive breach affecting about one out of every eight Tumblr users. The good news: Tumblr had encrypted its users' passwords. The bad news: the hackers have broken the encryption. That means Tumblr users probably should, a) change their passwords again, and b) inquire what Tumblr is doing to better protect sensitive information so this doesn't happen again.

It seems that Tumblr's breach detection and security processes are both lacking. Softpedia also reported:

"Peace, the hacker that's selling the data, is the same person that put up for sale the MySpace and LinkedIn data dumps, but also other online services such as Fling.com and the Linux Mint forum."

Hmmm. It seems that several social networking sites need to improve their defenses.


LinkedIn Data Breach Was Larger And Worse Than Consumers First Told. 117 Million Persons Affected

The 2012 data breach at LinkedIn.com was far larger and worse than originally thought. Motherboard reported:

"A hacker is trying to sell the account information, including emails and passwords, of 117 million LinkedIn users. The hacker, who goes by the name “Peace,” told Motherboard that the data was stolen during the LinkedIn breach of 2012. At the time, only around 6.5 million encrypted passwords were posted online, and LinkedIn never clarified how many users were affected by that breach... The paid hacked data search engine LeakedSource also claims to have obtained the data. Both Peace and the one of the people behind LeakedSource said that there are 167 million accounts in the hacked database. Of those, around 117 million have both emails and encrypted passwords."

So, the breach included 167 million records affecting as many persons, not 6.5 million. And, 117 million people are at risk now. To make matters worse, hackers have already cracked the encryption method LinkedIn.com used to protect users' passwords:

"The passwords were originally encrypted or hashed with the SHA1 algorithm, with no “salt,” which is a series of random digits attached to the end of hashes to make them harder to be cracked. One of the operators of LeakedSource told Motherboard in an online chat that so far they have cracked “90% of the passwords in 72 hours..."

And, the incident cast doubt on both LinkedIn.com's breach detection methods and the response by the company's executives:

"... LinkedIn spokesperson Hani Durzy told Motherboard that the company’s security team was looking into the incident, but that at the time they couldn’t confirm whether the data was legitimate. Durzy, however, also admitted that the 6.5 million hashes that were posted online in 2012 were not necessarily all of the passwords stolen. “We don’t know how much was taken,” Durzy told me in a phone call. The lesson: For LinkedIn, the lesson is the same as four years ago: don’t store password in an insecure way..."

LinkedIn released a statement yesterday. Relevant portions:

"Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach... For several years, we have hashed and salted every password in our database, and we have offered protection tools such as email challenges and dual factor authentication. We encourage our members to visit our safety center to learn about enabling two-step verification, and to use strong passwords... We're moving swiftly to address the release of additional data from a 2012 breach, specifically: We have begun to invalidate passwords for all accounts created prior to the 2012 breach that haven’t updated their password since that breach. We will let individual members know if they need to reset their password. However, regularly changing your password is always a good idea..."

Many people use the LinkedIn.com social site to network with professionals in their field, and find jobs. If you use the site, experts advise changing your password immediately and not reusing the same password at multiple websites.
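The difference between the unsalted SHA-1 storage described in the Motherboard quote and the "hashed and salted" storage named in the LinkedIn and Tumblr statements can be shown in a few lines. This is an added example, not code from LinkedIn, Tumblr, or this blog; the account data is constructed, and the function names, the choice of PBKDF2, and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not real data); two users picked the same password.
ACCOUNTS = [
    ("alice@example.com", "linkedin2012"),
    ("bob@example.com", "correct horse battery"),
    ("carol@example.com", "linkedin2012"),
]
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your own hardware


def sha1_unsalted(password):
    """Legacy scheme: one fast SHA-1 pass, no salt. Returns a 40-char hex string."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_salted(password, salt=None):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()}


def verify(password, record):
    """Check a password against either record type using a constant-time compare."""
    if isinstance(record, str):  # legacy unsalted SHA-1 hex digest
        return hmac.compare_digest(sha1_unsalted(password), record)
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def shared_password_groups(db):
    """Group accounts by stored hash. Any group larger than one means the
    stored values alone reveal that those users chose the same password."""
    groups = defaultdict(list)
    for email, record in db.items():
        key = record if isinstance(record, str) else record["hash"]
        groups[key].append(email)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def legacy_accounts(db):
    """Accounts still on unsalted SHA-1: candidates for a forced password reset."""
    return sorted(email for email, record in db.items() if isinstance(record, str))


def login_and_upgrade(db, email, password):
    """Verify a login; on success, replace a legacy record with a salted one."""
    record = db.get(email)
    if record is None or not verify(password, record):
        return False
    if isinstance(record, str):
        db[email] = pbkdf2_salted(password)
    return True


if __name__ == "__main__":
    db = {email: sha1_unsalted(pw) for email, pw in ACCOUNTS}
    print("unsalted, same hash:", shared_password_groups(db))

    salted = {email: pbkdf2_salted(pw) for email, pw in ACCOUNTS}
    print("salted, same hash:  ", shared_password_groups(salted))

    login_and_upgrade(db, "alice@example.com", "linkedin2012")
    print("still legacy after alice logs in:", legacy_accounts(db))
```

Accounts that never log in again stay on the legacy format, which is why invalidating old passwords, as the LinkedIn statement describes, is the remaining step.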


Study: Many Sharing Economy Companies Not There Yet On Privacy And Transparency

You've probably heard of the term, "sharing economy" (a/k/a digital economy). It refers to a variety of companies that link buyers and sellers online. These companies include taxi-like ride-sharing services (e.g., Uber, Lyft), home sharing services (e.g., Home Away, Airbnb, VRBO), delivery services (e.g., Postmates), and on-demand labor services (e.g., TaskRabbit).

The 2016 "Who Has Your Back?" report by the Electronic Frontier Foundation (EFF) focused upon companies in the sharing economy, and their policies and practices for inquiries by law enforcement. Prior annual reports included social networking websites, email providers, Internet service providers (ISPs), cloud storage providers, and other companies. The EFF observed that companies in the sharing economy:

"... also collect sensitive information about the habits of millions of people across the United States. Details about what consumers buy, where they sleep, and where they travel are really just scratching the surface of this data trove. These apps may also obtain detailed records of where your cell phone is at a given time, when you are logged on or active in an app, and with whom you communicate.

It’s not just the purchasers in the gig economy who have to trust their data to the startups developing these apps. Individuals offering services are users just like the buyers, and also leave behind a digital trail as (or more) detailed than that of the purchasers. From Lyft drivers to Airbnb hosts to Instacart shoppers, people providing services are entrusting enormous amounts of data to these apps... As with any rich trove of data, law enforcement is increasingly turning to the distributed workforce as part of their investigations. That’s not necessarily a bad thing, but we need to know how and when these companies actually stand up for user privacy..."

So, it is sensible and appropriate to evaluate how well (or poorly) these companies protect consumers' privacy and communicate their activities. The EFF found overall:

"Many sharing economy companies have not yet stepped up to meet accepted tech industry best practices related to privacy and transparency, according to our analysis of their published policies. This analysis is specific to government access requests for user data, and within that context we see ample room for improvement by this budding industry... however, some gig economy companies leading the field on this issue..."

Regarding ride-sharing companies, the EFF found:

"We analyzed 10 companies as part of this report. Of them, both Uber and Lyft earned credit in all of the categories we examined. We commend these two companies for their transparency around government access requests, commitments to protecting Fourth Amendment rights in relation to user communications and location data, advocacy on the federal level for user privacy, and commitment to providing users with notice about law enforcement requests. These two companies are setting a strong example for other distributed workforce companies... In contrast, another ride-sharing company, Getaround, received no stars in this year’s report."

The EFF also found improvements by home-sharing companies (links added):

"... FlipKey (owned by TripAdvisor) has adopted several policies related to government access of user data. FlipKey requires a warrant for user content or location data and promises to inform users of law enforcement access requests. It is also a member of the Digital Due Process Coalition, fighting for reform to outdated communications privacy law. Of the home sharing companies we reviewed, FlipKey does the most to stand up for user privacy against government demands.

Only two other companies from our research set earned credit in any categories: Airbnb and Instacart, each earning credit in three categories. Both of these companies require a warrant for content, publish law enforcement guidelines, and are members of the Digital Due Process Coalition..."

The Digital Due Process Coalition (DDPC) seeks reforms to the Electronic Communications Privacy Act (ECPA) because:

"Technology has advanced dramatically since 1986, and ECPA has been outpaced. The statute has not undergone a significant revision since it was enacted in 1986... As a result, ECPA is a patchwork of confusing standards that have been interpreted inconsistently by the courts, creating uncertainty for both service providers and law enforcement agencies. ECPA can no longer be applied in a clear and consistent way, and, consequently, the vast amount of personal information generated by today’s digital communication services may no longer be adequately protected. At the same time, ECPA must be flexible enough to allow law enforcement agencies and services providers to work effectively together..."

DDPC members include Adobe, Airbnb, Amazon.com, Apple, AT&T, Dell, Dropbox, eBay, Facebook, IBM, Intel, Lyft, Reddit, Snapchat, and many more well-known brands.

The EFF report also found (links added):

"... half of the companies we reviewed—Getaround, Postmates, TaskRabbit, Turo, and VRBO—received no credit in any of our categories. This finding is disappointing... most of the companies we analyzed were not yet publishing transparency reports. Only two companies in the field—Lyft and Uber—have published reports outlining how many law enforcement access requests they’ve received. As a result, the general public has little insight into how often the government is pressuring gig economy companies for access to user data. This concerns us, as one way to make surveillance without due process worse is to allow it to happen entirely in secret. Publicizing reports of law enforcement access requests can help illuminate patterns of overzealous policing, shine a light on efforts by companies to resist overly broad requests, and perhaps give pause to law enforcement officials who might otherwise seek to grab more user data than they need..."

Read the 2016 EFF "Who Has Your Back?" executive summary, or the full report (Adobe PDF). Kudos to the EFF for providing a very timely and valuable report. What are your opinions?


Facebook Tweaks Its Display Algorithm For Members' News Feeds

If you use Facebook, then you probably know that the social networking site uses a formula, or algorithm to display status messages in users' News Feeds. The site doesn't display all content in your News Feed by your "friends" nor by companies, brands, or groups you follow.

Facebook explained the recent tweak to its display algorithm for users' News Feeds:

"... we ask thousands of people to rate their experience every day and tell us how we can improve what they see when they check Facebook — we call this our Feed Quality Program... we’ve found that there are stories people don’t like or comment on that they still want to see, such as articles about a serious current event, or sad news from a friend. Based on this finding, we previously updated News Feed’s ranking to factor in how much time you spend reading a post within News Feed, regardless of whether you opened the article... we’re learning that the time people choose to spend reading or watching content they clicked on from News Feed is an important signal that the story was interesting to them. We are adding another factor to News Feed ranking so that we will now predict how long you spend looking at an article in the Facebook mobile browser or an Instant Article after you have clicked through from News Feed. This update to ranking will take into account how likely you are to click on an article and then spend time reading it..."

So, the algorithm now uses time spent reading a post to decide what it thinks will be relevant to you -- and then displays that. If you don't spend time reading content from a particular source, then Facebook probably won't display it in your News Feed.

Want to see in your News Feed everything your "friends" posted? You can't. Do your "friends" see everything you posted? Nope. To see everything, you'll have to visit the Timeline for each "friend," business, group, or brand you're connected with. To get around this, some users "tag" their friends in the Comments section of status messages so they don't miss something important.

What are your opinions of Facebook's algorithm?


Voter Tracking, Data Collection, Analysis, And Privacy

While the New Hampshire primary and Iowa caucuses have passed, there are many more upcoming primaries this year before the general election in November. These primaries represent data collection opportunities for companies to learn more about voters. Marketplace reported:

"One company is tracking voter characteristics through some likely sources — their phones. Dstillery is a big data intelligence company that sells targeted advertising information about consumers to big companies like Microsoft and Comcast. But in the Iowa primary, the company tried its hand at compiling voter traits... people who loved to grill or work on their lawns overwhelmingly voted for Trump in Iowa... people who watched and supported NASCAR also happened to support Donald Trump and Hillary Clinton..."

Dstillery has an impressive list of clients: AT&T, Cablevision, Comcast, DirecTV, Hulu, Sprint, T-Mobile, Verizon, Vonage, and many more. If you remember your college statistics classes, then you know that a correlation does not mean causation. Things may happen together but it doesn't mean one causes the other. Being a NASCAR fan doesn't mean a voter will vote for certain candidates. Voting for certain candidates does not mean you will be a NASCAR fan.

This "big data" collection is also a reminder of how much we consumers share on social networking sites. All a consumer has to do is "Like" a brand (e.g., NASCAR, one of these top-10 barbeque grills, a particular politician, etc.) on Facebook.com, or "Follow" that brand (or politician) on Twitter and it is pretty easy for a big data intelligence company to collect, analyze, and compare voters' preferences. (Facebook knows far more about you than you realize.) Even if you didn't "Like" or "Follow" a brand, the data collection is still pretty easy. All a big data intelligence firm has to do is troll through the metadata attached to photos you took with your phone and posted online: racetracks on Instagram, NASCAR cakes on Pinterest, or whatever else. You get the idea. The metadata attached to your photos recorded where and when you were (e.g., geo-location of the racetrack), the background scene (e.g., stands, pits, etc.), and the people (e.g., emblems on their clothes). This blog post explains what happens when you stop "Liking" posts and comments on Facebook.

The data analysis is also pretty easy because many, if not most, of you gave your mobile phone numbers to social networking sites so you could use their mobile apps. Both social networking sites and data brokers have two crucial data elements (e.g., your birth date, your phone number) to match, merge, and purge data about you. So, political campaigns (via data brokers and big data intelligence firms they hire) can understand pretty easily who actually voted, and for whom, at a particular voting location.

Is this a good thing? I guess your answer to that depends upon how much privacy you want associated with your voting activity. What you do within the voting booth may be private, but there are many players performing surveillance outside the booth to reveal what you did in the booth. And, if you aren't careful what you say in front of Internet-of-Things devices installed in your home (e.g., toys, smart televisions, smart speakers or search robots, etc.), then the data collection is probably even more extensive.

Is this a good thing?


Safer Internet Day: Do Your Part

Today is Safer Internet Day (SID) #SID2016. This event occurs every year in February to promote safer and more responsible use of online technology and mobile phones, especially among children. This year's theme is:

"Play your part for a better Internet"

There are events in 100 countries worldwide. The European Commission’s Safer Internet Programme started the event, which has continued under the Connecting Europe Facility (CEF). This is the 13th annual event. According to its press release:

"Last year’s celebrations saw more than 19,000 schools and 28 million people involved in SID actions across Europe, while over 60 million people were reached worldwide..."

Hans Martens, Digital Citizenship Programme Manager at European Schoolnet and Coordinator of the Insafe Network said:

“The theme of ‘Play your part for a better internet’ truly reflects how stakeholders from across the world can and should work together to build a trusted digital environment for all. This approach is at the core of the Better Internet for Kids agenda, and we look forward to seeing many exciting initiatives and collaborations, both on the day of SID itself and beyond."

Sophos, a security firm, described six safety tips for families. That includes learning to spot phishing scams to avoid password-stealing computer viruses and ransomware. Children need to learn how to create strong passwords, and never use these weak passwords. Read about several SID events in California, including teens brainstorming ways to fight online bullying and teens helping adults.

To learn more, watch the video below and then visit SaferInternetDay.org for events in your country.

Or, watch the video on Youtube.


Membership On Social Networking Sites Requires Diligence

Recently, a friend posted this message on Facebook:

"I need advice. I looked in my Facebook notifications and received a notification that someone I don't even know shared my post. I looked at the post on this person's timeline and it has a picture of my female cousin and it has me tagged with her and a caption that she is my wifey with a little wedding ring icon. What??!! What's going on?"

My response with advice:

  1. Review your list of friends and delete people you don't know,
  2. Review the privacy settings on your account. You can set them to provide notice when anyone tags you in a photo. Along with that notice you can approve or decline each photo-tag request,
  3. Go to the existing, offending photos and remove that tag with your name,
  4. Contact offline the person that tagged you in the photo to verify that it was indeed that person. Sometimes, spammers or criminals create bogus accounts pretending to be a friend so they can access your account and steal personal information.
  5. When you contact that person offline, you can ask them not to tag you in any future photos. You have that right. It's your image. If he/she complies, fine. If not, delete them from your friends list,
  6. Make sure all of your posts have the "Friends Only" setting. Facebook will often inherit the "Public" setting on re-posts, which opens you to spammers, criminals, and trolls,
  7. Understand the issues associated with facial-recognition software on Facebook. Zuckerberg and the executives at Facebook have implemented a strategy of "friction-less sharing." That's great for Facebook and not necessarily good for you,
  8. Don't accept new Friend Requests from people you don't know. Finally,
  9. Realize that your information on Facebook is only as secure as your friend with the weakest security settings in his/her profile, or none. Those persons probably violate #6.

So, maintaining a presence with privacy on social networking sites requires diligence. If you're not up to the task or don't want to do it, then don't join that social networking site (or delete your account on an existing site). What would you recommend?


Hello Barbie Doll Cited As A Threat At Security Conference

At a recent cyber-security conference at New York University, a MasterCard executive raised concerns about the WiFi-enabled Barbie doll. The New York Post newspaper reported:

"The chief executive of MasterCard on Friday singled out the $75 Mattel doll as a security threat — the second time the tech-smart Barbie has run into trouble. Ajay Banga said hackers can gain control of Barbie’s voice and then “talk” to a child. The hackers can then win the confidence of the kid and, under certain circumstance, attempt to gain access to your home..."

Regular readers of this blog are familiar with the security issues from Internet-connected toys, such as this doll, which also contain voice-recognition interfaces. As Banga accurately emphasized, a criminal can hack the toy and ask the child what valuables the family owns, plus when the home will be vacant. Adolescents and toddlers are too young to understand security concepts, what not to disclose to strangers, and when a toy asks inappropriate questions.

Think of it this way: criminals regularly use phone spam to trick adults into revealing sensitive personal and financial information. It would probably be easier to trick young children. With Internet-connected devices in homes, criminals can easily bypass do-not-call registries.

Banga also mentioned that MasterCard is a favorite target of hackers, with 15,000 attempted hacks daily. That reinforces the observation that criminals go where the money is. The newspaper also reported:

"Several of the most prominent names in cybersecurity said during the conference that most people aren’t aware of the growing number of cybersecurity threats that they’re exposed to as manufacturers keep making products that hook up to the Internet. One of the biggest vulnerabilities is the so-called “Internet of things” — everything from TVs to refrigerators to vending machines that automatically connect to the Internet, and then transmit data to another source."


The Most Discussed Topics On Facebook During 2015

What did Facebook members discuss the most during 2015? It wasn't all lolcats, music, selfies, and humor. The social networking giant published its list of most discussed global topics:

  1. U.S. Presidential Election
  2. November 13 Attacks in Paris
  3. Syrian Civil War & Refugee Crisis
  4. Nepal Earthquakes
  5. Greek Debt Crisis
  6. Marriage Equality
  7. Fight Against ISIS
  8. Charlie Hebdo Attack
  9. Baltimore Protests
  10. Charleston Shooting & Flag Debate

Are You A Lab Rat, Social Addict, And Crash Test Dummy? Facebook Acted Like You Are

After unannounced tests in 2014, when Facebook manipulated its customers' news feeds without notice or consent, users complained bitterly. Well, Facebook has done it again. Either executives at the social networking giant haven't learned from their 2014 experience, or they don't care.

This time, the unannounced test included Android app users where Facebook intentionally crashed their apps. Forbes magazine reported:

"Facebook conducted secret tests to determine the magnitude of its Android users’ Facebook addiction, according to a new report published yesterday. Like a bunch of crash test dummies, users of the Facebook app for Android were (several years ago) subject to intentional Facebook for Android app crashes without being informed of the tests. These tests were reportedly conducted so Facebook could determine user resilience to app deprivation–that is, whether users would find ways to use Facebook on their Android devices without the Google Play store app..."

Similarly, the dating service OKCupid irritated its users in 2014 after secret tests. People don't like being treated like lab rats. Ethically-challenged executives don't seem to understand this.

Supposedly, Facebook wanted to know if those Android app users would get replacement apps from other sources, or use the browser interface. Reportedly, Facebook has one billion Android app users. The news article didn't say whether Facebook performed similar tests on Apple iPhone app users. It seems wise to assume so.

The news report didn't mention whether Facebook slowed or manipulated the browser interface to see if users would switch to one of its mobile apps. It seems wise to assume so.

What are your opinions of the secret tests? Is this an acceptable "cost" for a service that promises to remain free?


Those Quizzes On Facebook. How Accurate Are They?

If you use Facebook, then you've probably seen the quizzes. There are dozens of them, and they are popular. You can easily spot them because they have similar titles: "What [blank] are you?" or "Analyze Your [blank]." Invariably, the quizzes collect your personal information, and often that of people you are connected with.

How accurate are these quizzes? Below is a clue, including the results after a user submitted their (unique) profile photo for analysis:



Data Breach: Unprotected Online Database Exposed The Sensitive Information Of About 3.3 Million Hello Kitty Users

A security researcher found online a database containing the sensitive information of customers of the Hello Kitty gaming site. Just before the Christmas holiday, C|Net reported:

"Personal information for fans who connect through SanrioTown.com has been sitting openly viewable on the Internet and easily accessible with the click of a mouse, no hack required... SanrioTown.com, designed for fans of Sanrio characters like Hello Kitty, hosts all the accounts for players of a popular game called Hello Kitty Online."

C|Net also reported that the security researcher:

"... showed CNET a sample of the records he saw, which includes a list of usernames, scrambled up passwords, first and last names, genders, birth dates and answers to security questions like "What is your favorite food." In the random sample of 15 records, two appeared to be of minors. Sanrio declined to verify whether the data listed in the sample was from its database. Vickery found the database, he said, while looking for unprotected information on the Internet by searching a website that can find data stored in the cloud."

Reportedly, the database sat open and exposed for about a month. This breach was found by the same security researcher that found earlier in December a flaw in the Mackeeper security software, which exposed the sensitive information of 13 million Apple users. SanrioTown is still investigating its breach, and its users must change both their passwords and security questions.

The Washington Times reported:

"Sanrio Digital, a subsidiary of the Japanese owner of “Hello Kitty,” a popular children’s brand, told Reuters on Tuesday that it patched a security glitch that had affected one of its databases being tipped off by Chris Vickery, a U.S.-based researcher who helps identify and fix vulnerable computer systems... Sanrio has insisted that evidence has so far failed to suggest that anyone other than Mr. Vickery had accessed the database with authorization..."

Reportedly, the breach exposed the following data elements: full names, birthdays, genders, email addresses and related information about 3.3 million account holders. That included information about 186,261 persons under the age of 18. Payment information (e.g., credit cards) was not exposed, according to the SanrioTown security statement.

Two items about this breach need to be highlighted:

  1. The operative phrase in the company's statement is, "that evidence so far..." More evidence may surface later; and
  2. The company did not discover its own database sitting open, unprotected in the wild. An external security researcher found it. That fact does not bode well for the company's security team and data security processes.

What are your opinions of this data breach?


Update: FTC Complaint Against Weight-Loss Marketer For Allegedly Using "Gag Clauses"

After the U.S. Federal Trade Commission (FTC) filed a complaint against it for allegedly using gag clauses to silence negative online reviews by customers, Roca Labs, the weight-loss marketer, has responded. MediaPost's Daily Online Examiner reported:

"The company, which sells weight-loss products, argues in court papers filed earlier this month that the FTC lacks the power "to dictate the terms of private contracts between private parties." The company adds: "The FTC’s intention to ban all manner of anti disparagement clauses is overkill and appears to be a knee-jerk reaction to a particular practice of Roca Labs. ...The regulation of public comment through on-line reviews is a complicated and multi-faceted problem that must balance the rights of consumers and businesses in the ever-changing landscape of internet commerce." Roca filed its papers in response to the FTC's request for an injunction..."

Last Thursday, U.S. District Court Judge Mary Scriven in Florida issued an order granting the FTC's preliminary injunction to stop Roca Labs from silencing customers' online reviews. Yelp and other review sites sided with the FTC in a friend-of-court brief. Some reviewers posted information about the FTC complaint on the Roca Labs page within the Yelp site.

For review sites to be trustworthy, they must include positive, negative, and neutral reviews of products and services. What are your opinions of gag clauses?


Recording Ourselves To Death

Deaths from sharks versus selfies

This is not a joke. Related reading:


FTC Sues Weight-Loss Marketer For Alleged Use Of "Gag Clauses," Threats, And Lawsuits To Prevent Negative Reviews By Customers

The U.S. Federal Trade Commission (FTC) filed a complaint in Federal court against a weight-loss marketer alleging:

"...  that Roca Labs, Inc.; Roca Labs Nutraceutical USA, Inc.; and their principals have sued and threatened to sue consumers who shared their negative experiences online or complained to the Better Business Bureau, stating that the consumers violated the non-disparagement provisions of the “Terms and Conditions” they supposedly agreed to when they bought the products. The FTC alleges that these gag clause provisions, and the defendants’ related warnings, threats, and lawsuits, harm consumers by unfairly barring purchasers from sharing truthful, negative comments about the defendants and their products."

Roca Labs Inc. is based in Sarasota, Florida. The complaint named both Don Juravin, President of Roca Labs Nutraceutical USA (RLNU) and owner of Roca Labs Inc. (RLI), and George C. Whiting, President, Secretary, Treasurer, and Director at RLI, as co-defendants. The websites operated by the defendants include RocaLabs.com, Mini-Gastric-Bypass.me, and GastricBypassNoSurgery.com.

I was curious what an alleged "gag clause" contains. The complaint listed one:

"You agree that regardless of your personal experience with RL, you will not disparage RL and/or any of its employees, products or services. This means that you will not speak, publish, cause to be published, print, review, blog, or otherwise write negatively about RL, or its products or employees in any way. This encompasses all forms of media, including and especially the internet. This paragraph is to protect RL and its current and future customers from the harm of libelous or slanderous content in any form, and thus, your acceptance of the [Terms] prohibits you from taking any action that negatively impacts RL, its reputation, products, services, management, or employees. We make it clear that RL and its Regimen may not be for everyone, and in that regard, the foregoing clause is meant to prevent “one person from ruining it for everyone.” Should any customer violate this provision, as determined by RL in its sole discretion, you will be provided with seventy-two (72) hours to retract the content in question. If the content remains, RL would be obliged to seek all legal remedies to protect its name, products, current customers, and future customers.

If you breach this Agreement, as determined by RL in its sole discretion, all discounts will be waived and you agree to pay the full price for your product. In addition, we retain all legal rights and remedies against the breaching customer for breach of contract and any other appropriate causes of action."

Wow! This is a stark reminder for consumers to read the terms and conditions policy at websites before purchasing online. And, it's always good to be aware of companies that allegedly use monetary threats, lawsuits, and "gag clauses" to squash consumers from using their First Amendment rights. Some physicians have tried to squash patients' rights with a "mutual agreement to maintain privacy" document.

Download the complaint (Adobe PDF): FTC v. Roca Labs Inc. et. al.


Leaked Documents From The Ashley Madison Data Breach Highlight The Company's Technology Vendors

The fallout continues from the data breach at infidelity website Ashley Madison. Besides several class-action lawsuits filed against Ashley Madison, Forbes magazine reported that stolen documents highlight the company's information technology (I.T.) vendor relationships:

"In response to challenges of the data’s authenticity, Impact Team began a second series of dumps, including what appears to be essentially all corporate records, including source code, internal business documents and corporate emails of Avid Life Media/Ashley Madison... Within those hundreds of thousands of documents is one entitled Areas of Concern – Customer Data (abbreviated in this article, AoC)... The needle in the treasure trove haystack of corporate data... In the AoC, the IT business practices of Avid/Ashley Madison began to emerge, including its relationships with third party vendors. New Relic is mentioned as one of three third party IT vendors to Avid. Also mentioned in that document as vendors are OnX (publicly reported as being an Ashley Madison vendor) and Redis/Memcached (alternative open source caching tools)... The AoC identifies New Relic as being a customer data “concern” (worry), by mentioning that it could employ “a hacker/bad actor” who could gain access to customer data. There was nothing in the AoC to indicate any reason to call out New Relic as a third party vendor presenting particular customer data security risks."

Assuming the leaked documents are accurate, one reason why this is important:

"The existence of third party IT vendors may be of interest to the increasing numbers of plaintiffs suing Avid and Ashley Madison. These plaintiffs have, to date, apparently not named these vendors as defendants."

Noel Biderman, the chief executive at Avid Life Media, Ashley Madison's parent company, resigned last week. The Wired article highlighted another reason:

"... the Missouri suit states that its anonymous plaintiff paid a $19 fee to have Ashley Madison delete her personal information from its servers but failed to deliver on that service."


Payment Scam Dupes Airbnb Customer. Was There A Data Breach?

Readers of this blog are aware of the various versions of check scams criminals use to trick consumers. A new scam has emerged with social travel sites.

After paying for a valid stay, an Airbnb customer was tricked by criminals using a wire transfer scam. The Telegraph UK described how an Airbnb customer was tricked. After paying for their valid rental with a valid credit card, the guest:

"... received an email from Airbnb saying that the card payment had been declined and I needed to arrange an international bank transfer within the next 24 hours to secure the apartment. Stupidly, I did as asked. I transferred the money straight away to someone I assumed was the host as they had all the details of my reservation."

Formed in 2008, Airbnb now operates in 34,000 cities in 190 countries.

After checking with their bank, the guest determined that the credit card payment had been processed correctly. So, the guest paid twice, with the second payment to the criminal. The guest believes that Airbnb experienced a data breach. According to one security expert:

"The fraud works by sending an email to a host that appears to come from Airbnb asking them to verify their account details. The host foolishly responds thus giving the fraudster access to their account and all the bookings correspondence. Even though the addresses are anonymised the fraudster can still send emails to the customers via Airbnb to try to extract a second payment by bank transfer."

What can consumers make of this? First, hosts should learn to recognize phishing e-mails. Don't respond to them. Second, guests need to remember that inattentive hosts can compromise their identity information. Third, guests should never make payments outside of Airbnb's system.

Criminals are creative, persistent, and knowledgeable. Consumers need to be, too. Read the Scams/Threats section of this blog.