88 posts categorized "Travel" Feed

The United States Has A Problem: Declining Foreign Visitors

Visit-usa-coalition-figure1
The United States has a problem: the number of international visitors is declining. What are companies doing to counter this, lost revenues, and other negative impacts? Bloomberg reported (bold emphasis added):

"... 10 business associations, including the U.S. Chamber of Commerce and the National Restaurant Association, have created a travel industry group aimed at reversing the growing unpopularity of the U.S. as a vacation destination. So [last week], some of its biggest players unveiled the "Visit U.S. Coalition" to spur the Trump administration into enacting friendlier visa and border-security policies at a time when federal agencies are doing the opposite... Since 2015, the U.S. and Turkey have been the only places among the top dozen global travel destinations to experience a decline in inbound visitors, a time when other nations such as Australia, Canada, China and the United Kingdom have marked sizable gains..."

Visit-usa-coaltion-figure3Foreign visitors spend their travel money here, which helps businesses in the USA. The amount of the travel decline is measurable:

"... the Commerce Department reported a 3.3 percent drop in traveler spending for last year, through November, the equivalent of $4.6 billion in losses and 40,000 jobs. The U.S. share of international long-haul travel fell to 11.9 percent last year, from 13.6 percent in 2015, according to the U.S. Travel Association, a slippage the group said equates to 7.4 million visitors and $32.2 billion in spending."

According to its website, the Visit U.S. Coalition includes the following founding members: American Gaming Association, American Hotel & Lodging Association, American Society of Association Executives, Asian American Hotel Owners Association, International Association of Exhibitions and Events, National Restaurant Association, National Retail Federation, Society of Independent Show Organizers, the U.S. Chamber of Commerce, and the U.S. Travel Association.

What does this mean? What might the consequences be?

First, if the foreign tourism decline continues, experience tells us that after prolonged revenue losses, affected industries (e.g., hotels, transportation, restaurants, retail shopping, etc.) and companies will layoff or terminate workers. Not good for workers. Not good for the United States economy.

Second, it's great that several companies have organized together into groups... trade associations for several industries; and then several trade associations organized into a coalition... what you might call an uber-trade association... to highlight their concerns, remain competitive, and advocate for their interests. You'd expect any administration which promised to be pro-business would listen these concerns.

Third, the freedom to organize is an important part of a democracy, and a competitive marketplace. Workers want this freedom, too. Sadly, too many corporate executives and politicians deny workers the same freedoms they want their businesses to enjoy. You've probably heard the claim: "corporations are people, my friend." I guess they are a special class of people with more freedom than flesh-and-blood persons.

What do you think of the foreign visitor travel decline?


Royal Caribbean Cruise Line And CPP-The Myers-Briggs Offer Travel Personality Quiz

Inc. Magazine warned in 2016, "ready or not, companies will soon be tracking your emotions." Most Facebook users already knows this. Also in 2016, the social networking site expanded several reaction buttons beyond its (in)famous "Like" button to cover several emotions (e.g., "Love," "Haha," "Wow," "Sad," "Angry"):

Facebook-emotions-buttons

Maybe you have used these reaction buttons. Companies do this because effective marketing appeals to emotions instead of reason.

Now, a popular cruise line has taken things a step further. Cruise Critic, a popular travel site, announced:

"... Royal Caribbean has teamed up with CPP-The Myers-Briggs Company to launch a quiz that offers cruise recommendations based on your personality type. The assessment tool, found on MyAdventurePersonality.com, asks users 13 questions as they pertain to personal behavior and preferences... Once the results are calculated, users will be designated a travel personality type, such as Expert Adventure Planner, Laidback Wanderer and Spontaneous Sightseer. They also will receive an itinerary recommendation best suited for their type, with planning tips."

What is the Myers'Briggs assessment tool? The Myers-Briggs Foundation site explains:

"The purpose of the Myers-Briggs Type Indicator® (MBTI®) personality inventory is to make the theory of psychological types described by C. G. Jung understandable and useful in people's lives. The essence of the theory is that much seemingly random variation in the behavior is actually quite orderly and consistent, being due to basic differences in the ways individuals prefer to use their perception and judgment... In developing the Myers-Briggs Type Indicator [instrument], the aim of Isabel Briggs Myers, and her mother, Katharine Briggs, was to make the insights of type theory accessible to individuals and groups... The identification of basic preferences of each of the four dichotomies specified or implicit in Jung's theory. The identification and description of the 16 distinctive personality types that result from the interactions among the preferences."

Indeed, this assessment tool became very accessible. The Seattle Times reported in 2013:

"Chances are you’ve taken the Myers-Briggs Type Indicator (MBTI), or will. Roughly 2 million people a year do. It has become the gold standard of psychological assessments, used in businesses, government agencies and educational institutions... More than 10,000 companies, 2,500 colleges and universities and 200 government agencies in the United States use the test... It’s estimated that 50 million people have taken the Myers-Briggs personality test since the Educational Testing Service first added the research to its portfolio in 1962... Organizations administer the MBTI assessment to employees in one of two ways. They either pay for someone in their human-resources department to become certified, then pay the materials costs each time employees take the test. Or, they contract with certified, independent training consultants or leadership coaches."

Selected questions from the MyAdventurePersonality site. Click to view larger version The travel quiz uses different and fewer (13 versus ~ 88) forced-choice questions than the MBTI. Plus, the travel quiz categorizes consumers into four travel personality types (versus 16 types by the MBTI). And, the MBTI tool is administered by certified professionals in an ethical manner. So, consumers shouldn't assume that the travel quiz is as rigorous as the MBTI. Admittedly, MyAdventurePersonality may add more questions and/or types in the future.

If you are considering the travel quiz, wise consumers always read the fine print, first. The MyAdventurePersonality site uses the same legal and privacy policies as the core Royal Caribbean cruise line site. So, consumers should know that whatever they submit to the travel quiz will probably be freely shared with other entities, since the Royal Caribbean Privacy Policy does not state any limitations.

The MyAdventurePersonality site may be a marketing gimmick to attract new customers and/or better target e-mail marketing campaigns to current and prospective cruise travelers.

Me? After 28 cruise ship vacations (with many on Royal Caribbean ships) to many areas of the planet, I know my travel needs and preferences very well. So, I doubt the quiz will tell me something I don't already know.

What do you think? Should companies uses these types of quizzes?


Uber's Ripley Program To Thwart Law Enforcement

Uber logo Uber is in the news again, and not in a good way. TechCrunch reported:

"Between spring 2015 until late 2016 the ride-hailing giant routinely used a system designed to thwart police raids in foreign countries, according to Bloomberg, citing three people with knowledge of the system. It reports that Uber’s San Francisco office used the protocol — which apparently came to be referred to internally as ‘Ripley’ — at least two dozen times. The system enabled staff to remotely change passwords and “otherwise lock up data on company-owned smartphones, laptops, and desktops as well as shut down the devices”, it reports. We’ve also been told — via our own sources — about multiple programs at Uber intended to prevent company data from being accessed by oversight authorities... according to Bloomberg Uber created the system in response to raids on its offices in Europe: Specifically following a March 2015 raid on its Brussel’s office in which police gained access to its payments system and financial documents as well as driver and employee information; and after a raid on its Paris office in the same week."

In November of last year, reports emerged that the popular ride-sharing service experienced a data breach affecting 57 million users. Regulators said then that Uber tried to cover it up.

In March of last year, reports surfaced about Greyball, a worldwide program within Uber to thwart code enforcement inspections by governments. TechCrunch also described uLocker:

"We’ve also heard of the existence of a program at Uber called uLocker, although one source with knowledge of the program told us that the intention was to utilize a ransomware cryptolocker exploit and randomize the tokens — with the idea being that if Uber got raided it would cryptolocker its own devices in order to render data inaccessible to oversight authorities. The source said uLocker was being written in-house by Uber’s eng-sec and Marketplace Analytics divisions..."

Geez. First Greyball. Then Reipley and uLocker. And these are the known programs. This raises the question: how many programs are there?

Earlier today, Wired reported:

"The engineer at the heart of the upcoming Waymo vs Uber trial is facing dramatic new allegations of commercial wrongdoing, this time from a former nanny. Erika Wong, who says she cared for Anthony Levandowski’s two children from December 2016 to June 2017, filed a lawsuit in California this month accusing him of breaking a long list of employment laws. The complaint alleges the failure to pay wages, labor and health code violations... In her complaint, Wong alleges that Levandowski was paying a Tesla engineer for updates on its electric truck program, selling microchips abroad, and creating new startups using stolen trade secrets. Her complaint also describes Levandowski reacting to the arrival of the Waymo lawsuit against Uber, strategizing with then-Uber CEO Travis Kalanick, and discussing fleeing to Canada to escape prosecution... Levandowski’s outside dealings while employed at Google and Uber have been central themes in Waymo’s trade secrets case. Waymo says that Levandowski took 14,000 technical files related to laser-ranging lidar and other self-driving technologies with him when he left Google to work at Uber..."

Is this a corporation or organized crime? It seems difficult to tell the difference. What do you think?


Report: Air Travel Globally During 2017 Was The Safest Year On Record

The Independent UK newspaper reported:

"The Dutch-based aviation consultancy, To70, has released its Civil Aviation Safety Review for 2017. It reports only two fatal accidents, both involving small turbo-prop aircraft, with a total of 13 lives lost. No jets crashed in passenger service anywhere in the world... The chances of a plane being involved in a fatal accident is now one in 16 million, according to the lead researcher, Adrian Young... The report warns that electronic devices in checked-in bags pose a growing potential danger: “The increasing use of lithium-ion batteries in electronics creates a fire risk on board aeroplanes as such batteries are difficult to extinguish if they catch fire... The UK has the best air-safety record of any major country. No fatal accidents involving a British airline have happened since the 1980s. The last was on 10 January 1989... In contrast, sub-Saharan Africa has an accident rate 44 per cent worse than the global average, according to the International Air Transport Association (IATA)..."

Read the full 2017 aviation safety report by To70. Below is a chart from the report.

Accident Data Chart from To70 Air Safety Review for 2017. Click to view larger version


Uber: Data Breach Affected 57 Million Users. Some Say A Post Breach Coverup, Too

Uber logo Uber is in the news again. And not in a good way. The popular ride-sharing service experienced a data breach affecting 57 million users. While many companies experience data breaches, regulators say Uber went further and tried to cover it up.

First, details about the data breach. Bloomberg reported:

"Hackers stole the personal data of 57 million customers and drivers... Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers..."

Second, details about the coverup:

"... the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers... At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers to delete the data and keep the breach quiet."

Geez. Not tell regulators about a breach? Not tell affected users? 48 states have data breach notification laws requiring various levels of notifications. Consumers need notice in order to take action to protect themselves and their sensitive personal and payment information.

Third, Uber executives learned about the breach soon thereafter:

"Kalanick, Uber’s co-founder and former CEO, learned of the hack in November 2016, a month after it took place, the company said. Uber had just settled a lawsuit with the New York attorney general over data security disclosures and was in the process of negotiating with the Federal Trade Commission over the handling of consumer data. Kalanick declined to comment on the hack."

Reportedly, breach victims with stolen drivers license information will be offered free credit monitoring and identity theft services. Uber said that no Social Security numbers and credit card information was stolen during the breach, but one wonders if Uber and its executives can be trusted.

The company has a long history of sketchy behavior including the 'Greyball' worldwide program by executives to thwart code enforcement inspections by governments, dozens of employees fired or investigated for sexual harassment, a lawsuit descrbing how the company's mobile app allegedly scammed both riders and drivers, and privacy abuses with the 'God View' tool. TechCrunch reported that Uber:

"... reached a settlement with [New York State Attorney General] Schneiderman’s office in January 2016 over its abuse of private data in a rider-tracking system known as “God View” and its failure to disclose a previous data breach that took place in September 2014 in a timely manner."

Several regulators are investigating Uber's latest breach and alleged coverup. CNet reported:

"The New York State Attorney General has opened an investigation into the incident, which Uber made public Tuesday. Officials for Connecticut, Illinois and Massachusetts also confirmed they're investigating the hack. The New Mexico Attorney General sent Uber a letter asking for details of the hack and how the company responded. What's more, Uber appears to have broken a promise made in a Federal Trade Commission settlement not to mislead users about data privacy and security, a legal expert says... In addition to its agreement with the FTC, Uber is required to follow laws in New York and 47 other states that mandate companies to tell people when their drivers' license numbers are breached. Uber acknowledged Tuesday it had a legal requirement to disclose the breach."

The Financial Times reported that the U.K. Information Commissioner's Office is investigating the incident, along with the National Crime Agency and the National Cyber Security Centre. New data protection rules will go into effect in May, 2018 which will require companies to notify regulators within 72 hours of a cyber attack, or incur fines of up to 20 million Euro-dollars or 4 percent of annual global revenues.

Let's summarize the incident. It seems that a few months after settling a lawsuit about a data breach and its data security practices, the company had another data breach, paid the hackers to keep quiet about the breach and what they stole, and then allegedly chose not to tell affected users nor regulators about it, as required by prior settlement agreements, breach laws in most states, and breach laws in some international areas. Geez. What chutzpah!

What are your opinions of the incident? Can Uber and its executives be trusted?


Russian Malware Targets Hotels In Europe And Middle East

FireEye, a security firm, has issued a warning about malware targeting the hotel industry within both Europe and the Middle East. The warning:

"... a campaign targeting the hospitality sector is attributed to Russian actor APT28. We believe this activity, which dates back to at least July 2017, was intended to target travelers to hotels throughout Europe and the Middle East. The actor has used several notable techniques in these incidents such as sniffing passwords from Wi-Fi traffic... Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks... in a separate incident that occurred in Fall 2016, APT28 gained initial access to a victim’s network via credentials likely stolen from a hotel Wi-Fi network..."

The key takeaway: criminals use malware to infiltrate the WiFi networks at hotels in order to steal the login credentials (IDs, passwords) of traveling business and government executives. The criminals know that executives conduct business while traveling -- log into their employers' computer networks. Stealing those login credentials provides criminals with access to the computer networks operated by corporations and governments. Once inside those networks, the criminals can steal whatever of value they can access: proprietary information, trade secrets, customer lists, executives' and organization payment information, money, or more.

A variety of organizations in both the public and private sectors use software by FireEye to detect intrusions into their computer networks by unauthorized persons. FireEye software detected the breach at Target (which Target employees later ignored). Security researchers at FireEye discovered vulnerabilities in HTC smartphones which failed to adequately protect users' fingerprint data for unlocking phones.

Security warnings earlier this year mentioned malware by the APT28 group targeting Apple Mac users. The latest warning by FireEye also described the 2016 hack in more detail:

"... the victim was compromised after connecting to a hotel Wi-Fi network. Twelve hours after the victim initially connected to the publicly available Wi-Fi network, APT28 logged into the machine with stolen credentials. These 12 hours could have been used to crack a hashed password offline. After successfully accessing the machine, the attacker deployed tools on the machine, spread laterally through the victim's network, and accessed the victim's OWA account. The login originated from a computer on the same subnet, indicating that the attacker machine was physically close to the victim and on the same Wi-Fi network..."

So, travelers aren't safe even when they use strong passwords. How should travelers protect themselves and their sensitive information? FireEye warned:

"Travelers must be aware of the threats posed when traveling – especially to foreign countries – and take extra precautions to secure their systems and data. Publicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible."


Bungled Software Update Renders Customers' Smart Door Locks Inoperable

Image of Lockstate RemoteLock 6i device. Click to view larger version A bungled software update by Lockstate, maker of WiFi-enabled door locks, rendered many customers' locks inoperable -- or "bricked." Lockstate notified affected customers in this letter:

"Dear Lockstate Customer,
We notified you earlier today of a potential issue with your LS6i lock. We are sorry to inform you about some unfortunate news. Your lock is among a small subset of locks that had a fatal error rendering it inoperable. After a software update was sent to your lock, it failed to reconnect to our web service making a remote fix impossible...

Many AirBnb operators use smart locks by Lockstate to secure their properties. In its website, Lockstate promotes the LS6i lock as:

"... perfect for your rental property, home or office use. This robust WiFi enabled door lock allows users to lock or unlock doors remotely, know when people unlock your door, and even receive text alerts when codes are used. Issue new codes or delete codes from your computer or phone. Even give temporary codes to guests or office personnel."

Reportedly, about 200 Airbnb customers were affected. The company said 500 locks were affected. ArsTechnica explained how the bungled software update happened:

"The failure occurred last Monday when LockState mistakenly sent some 6i lock models a firmware update developed for 7i locks. The update left earlier 6i models unable to be locked and no longer able to receive over-the-air updates."

Some affected customers shared their frustrations on the company's Twitter page. Lockstate said the affected locks can still be operated with physical keys. While that is helpful, it isn't a solution since customers rely upon the remote features. Affected customers have two repair options: 1) return the back portion of the lock (repair time about 5 to 7 days), or 2) request a replace (response time about 14 to 18 days).

The whole situation seems to be another reminder of the limitations when companies design smart devices with security updates delivered via firmware. And, a better disclosure letter by Lockstate would have explained corrections to internal systems and managerial processes, so this doesn't happen again during another software update.

What are your opinions?


Google And Massachusetts Transportation Department Provide GPS Signals In Tunnels

Smartphone users love their phones. That includes Global Positioning System (GPS) navigation services for driving directions. However, those driving directions don't work in tunnels where phones can't get GPS signals. That is changing.

Google and the Massachusetts Department of Transportation (MassDOT) have entered a partnership to provide GPS navigation services for drivers inside tunnels. If you've familiar with Boston, then you know that portions of both Interstate 93 and the Massachusetts Turnpike include tunnels. The ABC affiliate in Boston, WCVB reported last month that the partnership, part of the Connected Citizens Program, will:

"... install beacons inside Boston's tunnels to help GPS connection stay strong underground. Around 850 beacons are being installed, free of charge, as a part of an ongoing partnership between the state and the traffic app... Installation is scheduled to be complete by the end of July... The beacons are not limited to improving their own app's signal. As long as you are using Bluetooth, they are able to help improve any traffic app's connection."

For those unfamiliar with the technology, beacons are low-powered transmitters which, in this particular application, are installed in the tunnels' walls and provide geographic location information usable by drivers' (or passengers') smartphones passing by (assuming the phones' Bluetooth features are enabled).

Bluetooth beacons are used in a variety of applications and locations. The Privacy SOS blog explained:

"... They’re useful in places where precise location information is necessary but difficult to acquire via satellite. For that reason, they’ve been field tested in museums such as New York’s Metropolitan Museum of Art and airports like London Gatwick. At Gatwick, beacons deliver turn-by-turn directions to users’ phones to help them navigate the airport terminals..."

Within large airports such as Gatwick, the technology can present more precise geolocation data of nearby dining and shopping venues to travelers. According to Bluetooth SIG, Inc., the community of 30,000 companies that use the technology:

"The proliferation and near universal availability of Bluetooth® technology is opening up new markets at all ends of the spectrum. Beacons or iBeacons—small objects transmitting location information to smartphones and powered by Bluetooth with low energy—make the promise of a mobile wallet, mobile couponing, and location-based services possible... The retail space is the first to envision a future for beacons using for everything from in-store analytics to proximity marketing, indoor navigation and contactless payments. Think about a customer who is looking at a new TV and he/she gets a text with a 25 percent off coupon for that same TV and then pays automatically using an online account..."

iBeacons are the version for Apple branded mobile devices. All 12 major automobile makers offer hands-free phone calling systems using the technology. And, social network giant Facebook has developed its own proprietary Bluetooth module for an undisclosed upcoming consumer electronics device.

So, the technology provides new marketing and revenue opportunities to advertisers. TechCrunch explained:

"The Beacons program isn’t looking to get help from individual-driver Wazers in this case, but is looking for cities and tunnel owners who might be fans of the service to step up and apply to its program. The program is powered by Eddystone, a Bluetooth Low Energy beacon profile created by Google that works with cheap, battery-powered BLE Waze Beacon hardware to be installed in participating tunnels. These beacons would be configured to transmit signals to Bluetooth-enabled smartphones... There is a cost to participate — each beacon is $28.50, Waze notes, and a typical installation requires around 42 beacons per mile of tunnel. But for municipalities and tunnel operators, this would actually be a service they can provide drivers, which might actually eliminate frustration and traffic..."

There are several key takeaways here:

  1. GPS navigation services can perform better in previously unavailable areas,
  2. Companies can collect (and share) more precise geolocation data about consumers and our movements,
  3. Consumers' GPS data can now be collected in previously unattainable locations,
  4. What matters aren't the transmissions by beacons, but rather the GPS and related data collected by your phone and the apps you use, which are transmitted back to the apps' developers, and then shared by developers with their business partners (e.g., mobile service providers, smartphone operating system developers, advertisers, and affiliates
  5. You don't have to be a Google user for Google to collect GPS data about you, and
  6. Consumers can expect a coming proliferation of Bluetooth modules in a variety of locations, retail stores, and devices.

So, now you know more about how Google and other companies collect GPS data about you. After analyzing the geolocation data collected, they know not only when and where you go, but also your patterns in the physical world: where you go on certain days and times, how long you stay, where and what you've done before (and after), who you associate with, and more.

Don't like the more precise tracking? Then, don't use the Waze app or Google Maps, delete the blabbermouth apps, or turn off the Bluetooth feature on your phone.

A noted economist once said, "There is no free lunch." And that applies to GPS navigation in tunnels. The price for "free," convenient navigation services means mobile users allow companies to collect and analyze mountains of data about their movements in the physical world.

What are your opinions of GPS navigation services in tunnels? If the city or town where you live has tunnels, have beacons been installed?


CBP Responds To Senator's Query About Border Searches Of Returning Travelers' Devices

This has implications for all U.S. citizens returning to the country from international travel; business or vacation. An important exchange occurred recently between government officials about Fourth Amendment rights and protections, or the lack thereof, for citizens.

Earlier this year, U.S. Senator Ron Wyden (D-Oregon) sent a letter (Adobe PDF) asking the Department of Homeland Security (DHS), the parent agency of U.S. Customs & Border Protection (CBP), about CBP's detaining of citizens returning from international travel, and warrantless demands to access citizens' locked mobile devices. The Senator's letter read in part:

U.S. Department of Homeland Security logo "Dear Secretary Kelly,
I am alarmed by recent media reports of Americans being detained by CBP and pressured to give CBP agents access to their smartphone PIN numbers or otherwise provide access to locked devices. These reports are particularly troubling, particularly in light of your recent comments suggesting that CBP might begin demanding social media passwords from visitors to the United States. With those passwords, CBP may then be able to log into accounts and access data that they would only be able to get from Internet companies with a warrant. Circumventing the normal protections for such private information is simply unacceptable.

There are well-established rules governing how law enforcement agencies may obtain data from social media companies and email providers... In addition to violating the privacy and civil liberties of travelers, these digital dragnet border search practices weaken our national and economic security. Indiscriminate digital searches distract CBP from its core mission and needlessly divert agency resources away from those who truly threaten our nation. Likewise, if businesses fear their data can be seized when employees cross the border, they may reduce non-essential employee international travel, or deploy technical countermeasures..."

Senator Wyden's concerns focus upon the rights of companies and individuals to protect intellectual property, without which many businesses -- large, small, startups, and journalists -- cannot operate. Senator Wyden asked for a response from DHS by March 20, 2017 with answers to five questions (links added):

"1. What legal authority permits CBP to ask for, or demand, as a condition of entry, that a U.S. person disclose their social media or email password?
2. How is CBP use of a traveler's password to gain access to data stored in the cloud consistent with the Computer Fraud And Abuse Act?
3. What legal authority permits CBP to ask for, or demand, as a condition of entry, that a U.S. person turn over their device PIN or password to gain access to encrypted data? How are such demands consistent with the Fifth Amendment?
4. How many times in each calendar year 2012 - 2016 did CBP ask for, or demand, as a condition of entry, that a U.S. person disclose a smartphone or computer password, or otherwise provide access to a locked smartphone or computer? How many times has this occurred since January 20, 2017?
5. How many times in each calendar year 2012, 2013, 2014, 2015,and 2016 did CBP ask for, or demand, as a condition of entry, that a U.S. person disclose a social media or email account password, or otherwise provide CBP personnel access to data stored in an online account? How many times has this occurred since January 20, 2017?"

In April, Senator Wyden, with Senator Rand Paul (R-Kentucky), Representative Jared Polis (D-Colorado), and Representative Blake Farenthold (R-Texas) introduced the Protecting Data at the Border Act (PDBA) to ensure that U.S. citizens are not forced to endure indiscriminate and suspicion-less searches of their phones, laptops and other digital devices when crossing the United State's borders.

U.S. Customs and Border Protection logo On June 20, Kevin McAleenan, the Nominee for CBP Commissioner, responded to Senator's Wyden's letter. NBC News reported:

"U.S. border officers aren't allowed to look at any data stored only in the "cloud" — including social media data — when they search U.S. travelers' phones, Customs and Border Protection acknowledged in a letter obtained Wednesday by NBC News. The letter (PDF), sent in response to inquiries by Sen. Ron Wyden, D-Ore., and verified by Wyden's office, not only states that CBP doesn't search data stored only with remote cloud services, but also — apparently for the first time — declares that it doesn't have that authority in the first place... McAleenan's letter says officers can search a phone without consent and, except in very limited cases, without a warrant or even suspicion — but only for content that is saved directly to the device, like call histories, text messages, contacts, photos and videos... Travelers don't even have to unlock their devices or hand over their passwords when asked — but if they refuse, officers can "detain" the phone, McAleenan wrote."

When your phone or mobile device is detained, that means CBP agents keep it for a time before returning it to you. So, while you may enter the country fairly quickly, your seized device(s) may not. There are notable horror stories about travelers returning to the United States. It doesn't matter if the device is yours or your employer's.

McAleenan's letter did not answer questions #4 and #5 about search activity. Not good. In fact, the letter stated:

"DHS's May 9, 2017 letter stated that CBP did not have data responsive to this request."

Huh? This seems incredulous. Consider this scenario: a CBP agent detains a citizen's device(s) and inspects those devices (with or without the assistance of another federal agency). McAleenan's response would have us believe that the CBP doesn't have data documenting this event. This implies that the CBP either doesn't collect or doesn't maintain records of how its agents account for their time: when, where, why, the duration, which agents inspected, and types of devices inspected; nor when the detained device was ultimately returned to its owner. It also implies that the CBP doesn't have any records (e.g., doesn't know) about when, where, or the amount of data uploaded from detained devices and stored in CBP databases. This seems unbelievable and a huge managerial failure.

During my business career I had to submit and complete data into several online time-tracking systems; which tracked workers' time down to 15 minute intervals. Perhaps, it is appropriate to query the CBP about its time-tracking systems. Some ad hoc queries may yield responsive data.

Moreover, the CBP site contains and displays plenty of statistics about the agency's operations (e.g., staffing, sector performance, etc.) and enforcement (e.g., "inadmissibles," illegal aliens apprehended, arrests of wanted criminals, drug seizures, gang affiliated enforcement, etc.), but nothing about citizens detained for device searches nor the volume of passwords collected.

More about that in a few minutes. So, keep reading.

What to make of this? U.S. citizens have no Fourth Amendment rights when traveling across our borders. Not good. It doesn't matter whether you are law-abiding or not. Not good. Why? How? McAleenan's letter confirmed it:

"While 8 U.S.C. 1357 is an example of CBP's authority to conduct a search in the immigration context, CBP currently operates under a host of additional statutory authorities that more broadly provide that all persons, baggage, and merchandise arriving, or departing from, the United States are subject to search, inspection, and detention. See, e.g., 19 U.S.C. 1461; 1496; 1499. Those statutory Customs authorities are applicable to all travelers entering the United States, regardless of their citizenship.

"On this point, because CBP must determine the admissibility of both the traveler and his or her goods and baggage, even after a returning U.S. citizen has established their identity and U.S. citizenship, CBP may conduct a border search of the goods he or she is seeking to bring into the country to ensure that those goods are permitted to enter. In other words, because any traveler may be carrying an electronic device that contains evidence relating to offenses such as terrorism, illegal smuggling, child pornography, CBP's authority to search such a device at the border does not depend upon the citizenship of the traveler.

In the exceedingly rare instances when CBP seeks to conduct a border search of information in an electronic device -- which affects less than one-hundredth of one percent of travelers arriving to the United States because of a need to inspect that traveler's device. Therefore, although CBP may detain an arriving traveler's electronic device for further examination, in the limited circumstances when that is appropriate, CBP will not prevent a traveler who is confirmed to be a U.S. citizen from entering the country because of a need to conduct that additional examination..."

U.S. international travel statistics for Fiscal year 2016. The U.S. Customs and Border Protection. Click to view larger version Exceedingly rare? Perhaps on a percentage basis. We know from the CBP statistics page:

"CBP officers processed more than 390 million travelers at air, land, and sea ports of entry in FY2016, including more than 119 million travelers at air ports of entry..."

Some simple math using data supplied by the CBP: 0.01 percent X 390 million = 39,000 passengers during 2016 who have had their electronic devices detained and searched for information. Next, multiple that annual total by 10 or more years. The true total fast approaches half a million incidents.

Plus, the detainment and search rate may not be rare at all for frequent travelers. Some jobs require employees to travel frequently to international destinations.

Also, the above statement highlights the CBP approach: all travelers entering the country are presumed to be threats without any supporting data or evidence. No Fourth Amendment protections for U.S. citizens at our borders. Do you find this troubling? I hope that you do. Contact your elected representatives and demand that they support the Protecting Data at the Border Act.

A wise friend once said, "You just can't run away from the Fourth Amendment." I agree. What do you think?


Dozens Of Uber Employees Fired Or Investigated For Harassment. Uber And Lyft Drivers Unaware of Safety Recalls

Uber logo Ride-sharing companies are in the news again and probably not for the reasons their management executives would prefer. First, TechCrunch reported on Thursday:

"... at a staff meeting in San Francisco, Uber executives revealed to the company’s 12,000 employees that 20 of their colleagues had been fired and that 57 are still being probed over harassment, discrimination and inappropriate behavior, following a string of accusations that Uber had created a toxic workplace and allowed complaints to go unaddressed for years. Those complaints had pushed Uber into crisis mode earlier this year. But the calamity may be just beginning... Uber fired senior executive Eric Alexander after it was leaked to Recode that Alexander had obtained the medical records of an Uber passenger in India who was raped in 2014 by her driver."

"Recode also reported that Alexander had shared the woman’s file with Kalanick and his senior vice president, Emil Michael, and that the three men suspected the woman of working with Uber’s regional competitor in India, Ola, to hamper its chances of success there. Uber eventually settled a lawsuit brought by the woman against the company..."

News broke in March, 2017 about both the Recode article and the Grayball activity at Uber to thwart local government code inspections. In February, a former Uber employee shared a disturbing story with allegations of sexual harassment.

Lyft logo Second, the investigative team at WBZ-TV, the local CBS afiliate in Boston, reported that many Uber and Lyft drivers are unaware of safety recalls affecting their vehicles. This could make rides in these cars unsafe for passengers:

"Using an app from Carfax, we quickly checked the license plates of 167 Uber and Lyft cars picking up passengers at Logan Airport over a two day period. Twenty-seven of those had open safety recalls or about 16%. Recalls are issued when a manufacturer identifies a mechanical problem that needs to be fixed for safety reasons. A recent example is the millions of cars that were recalled when it was determined the airbags made by Takata could release shrapnel when deployed in a crash."

Both ride-sharing companies treat drivers as independent contractors. WBZ-TV reported:

"Uber told the [WBZ-TV investigative] Team that drivers are contractors and not employees of the company. A spokesperson said they provide resources to drivers and encourage them to check for recalls and to perform routine maintenance. Drivers are also reminded quarterly to check with NHTSA for recall information."

According to the president of the Massachusetts Bar Association Jeffrey Catalano, the responsibility to make sure the car is safe for passengers lies mainly with the driver. But because Uber and Lyft both advertise their commitment to safety on their websites, they too could be held responsible."


Any Half-Decent Hacker Could Break Into Mar-a-Lago

[Editor's Note: Today's guest blog post is by the reporters at ProPublica. The article explores the security issues about key locations the President visits repeatedly and does business at. It was originally published yesterday, and is reprinted with permission.]

by Jeff Larson and Julia Angwin, ProPublica; and by Surya Mattu, Gizmodo

Two weeks ago, on a sparkling spring morning, we went trawling along Florida's coastal waterway. But not for fish.

We parked a 17-foot motor boat in a lagoon about 800 feet from the back lawn of The Mar-a-Lago Club in Palm Beach and pointed a 2-foot wireless antenna that resembled a potato gun toward the club. Within a minute, we spotted three weakly encrypted Wi-Fi networks. We could have hacked them in less than five minutes, but we refrained.

A few days later, we drove through the grounds of the Trump National Golf Club in Bedminster, New Jersey, with the same antenna and aimed it at the clubhouse. We identified two open Wi-Fi networks that anyone could join without a password. We resisted the temptation.

We have also visited two of President Donald Trump's other family-run retreats, the Trump International Hotel in Washington, D.C., and a golf club in Sterling, Virginia. Our inspections found weak and open Wi-Fi networks, wireless printers without passwords, servers with outdated and vulnerable software, and unencrypted login pages to back-end databases containing sensitive information.

The risks posed by the lax security, experts say, go well beyond simple digital snooping. Sophisticated attackers could take advantage of vulnerabilities in the Wi-Fi networks to take over devices like computers or smart phones and use them to record conversations involving anyone on the premises.

"Those networks all have to be crawling with foreign intruders, not just ProPublica," said Dave Aitel, chief executive officer of Immunity, Inc., a digital security company, when we told him what we found.

Security lapses are not uncommon in the hospitality industry, which -- like most industries and government agencies -- is under increasing attack from hackers. But they are more worrisome in places where the president of the United States, heads of state and public officials regularly visit.

U.S. leaders can ill afford such vulnerabilities. As both the U.S. and French presidential campaigns showed, hackers increasingly exploit weaknesses in internet security systems in an effort to influence elections and policy. Last week, cyberattacks using software stolen from the National Security Agency paralyzed operations in at least a dozen countries, from Britain's National Health Service to Russia's Interior Ministry.

Since the election, Trump has hosted Chinese President Xi Jinping, Japanese Prime Minister Shinzo Abe and British politician Nigel Farage at his properties. The cybersecurity issues we discovered could have allowed those diplomatic discussions -- and other sensitive conversations at the properties -- to be monitored by hackers.

The Trump Organization follows "cybersecurity best practices," said spokeswoman Amanda Miller. "Like virtually every other company these days, we are routinely targeted by cyberterrorists whose only focus is to inflict harm on great American businesses. While we will not comment on specific security measures, we are confident in the steps we have taken to protect our business and safeguard our information. Our teams work diligently to deploy best-in-class firewall and anti-vulnerability platforms with constant 24/7 monitoring."

The White House did not respond to repeated requests for comment.

Trump properties have been hacked before. Last year, the Trump hotel chain paid $50,000 to settle charges brought by the New York attorney general that it had not properly disclosed the loss of more than 70,000 credit card numbers and 302 Social Security numbers. Prosecutors alleged that hotel credit card systems were "the target of a cyber-attack" due to poor security. The company agreed to beef up its security; it's not clear if the vulnerabilities we found violate that agreement. A spokesman for the New York attorney general declined comment.

Our experience also indicates that it's easy to gain physical access to Trump properties, at least when the president is not there. As Politico has previously reported, Trump hotels and clubs are poorly guarded. We drove a car past the front of Mar-a-Lago and parked a boat near its lawn. We drove through the grounds of the Bedminster golf course and into the parking lot of the golf course in Sterling, Virginia. No one questioned us.

Both President Obama and President Bush often vacationed at the more traditional presidential retreat, the military-run Camp David. The computers and networks there and at the White House are run by the Defense Information Systems Agency.

In 2016, the military spent $64 million on maintaining the networks at the White House and Camp David, and more than $2 million on "defense solutions, personnel, techniques, and best practices to defend, detect, and mitigate cyber-based threats" from hacking those networks.

Even after spending millions of dollars on security, the White House admitted in 2015 that it was hacked by Russians. After the hack, the White House replaced all its computer systems, according to a person familiar with the matter. All staffers who work at the White House are told that "there are people who are actively watching what you are doing," said Mikey Dickerson, who ran the U.S. Digital Service in the Obama administration.

By comparison, Mar-a-Lago budgeted $442,931 for security in 2016 -- slightly more than double the $200,000 initiation fee for one new member. The Trump Organization declined to say how much Mar-a-Lago spends specifically on digital security. The club, last reported to have almost 500 members paying annual dues of $14,000 apiece, allotted $1,703,163 for all administration last year, according to documents filed in a lawsuit Trump brought against Palm Beach County in an effort to halt commercial flights from flying over Mar-a-Lago. The lawsuit was dropped, but the FAA now restricts flights over the club when the president is there.

It is not clear whether Trump connects to the insecure networks while at his family's properties. When he travels, the president is provided with portable secure communications equipment. Trump tracked the military strike on a Syrian air base last month from a closed-door situation room at Mar-a-Lago with secure video equipment.

However, Trump has held sensitive meetings in public spaces at his properties. Most famously, in February, he and the Japanese prime minister discussed a North Korean missile test on the Mar-a-Lago patio. Over the course of that weekend in February, the president's Twitter account posted 21 tweets from an Android phone. An analysis by an Android-focused website showed that Trump had used the same make of phone since 2015. That phone is an older model that isn't approved by the NSA for classified use.

Photos of Trump and Abe taken by diners on that occasion prompted four Democratic senators to ask the Government Accountability Office to investigate whether electronic communications were secure at Mar-a-Lago.

In March, the GAO agreed to open an investigation. Chuck Young, a spokesman for the office, said in an interview that the work was in "the early stages," and did not offer an estimate for when the report would be completed.

So, we decided to test the cybersecurity of Trump's favorite hangouts ourselves.

Our first stop was Mar-a-Lago, a Trump country club in Palm Beach, Florida, where the president has spent most weekends since taking office. Driving past the club, we picked up the signal for a Wi-Fi-enabled combination printer and scanner that has been accessible since at least February 2016, according to a public Wi-Fi database.

An open printer may sound innocuous, but it can be used by hackers for everything from capturing all the documents sent to the device to trying to infiltrate the entire network.

To prevent such attacks, the Defense Information Systems Agency, which secures the White House and other military networks, forbids installing printers that anyone can connect to from outside networks. It also warns against using printers that do more than printing, such as faxing. "If an attacker gains network access to one of these devices, a wide range of exploits may be possible," the agency warns in its security guide.

We also were able to detect a misconfigured and unencrypted router, which could potentially provide a gateway for hackers.

To get a better line of sight, we rented a boat and piloted it to within sight of the club. There, we picked up signals from the club's wireless networks, three of which were protected with a weak and outmoded form of encryption known as WEP. In 2005, an FBI agent publicly broke this type of encryption in minutes.

By comparison, the military limits the signal strength of networks at places such as Camp David and the White House so that they are not reachable from a car driving by. It also requires wireless networks to use the strongest available form of encryption.

From our desks in New York, we were also able to determine that the club's website hosts a database with an insecure login page that is not protected by standard internet encryption. Login forms like this are considered a severe security risk, according to the Defense Information Systems Agency.

Without encryption, spies could eavesdrop on the network until a club employee logs in, and then steal his or her username and password. They then could download a database that appears to include sensitive information on the club's members and their families, according to videos posted by the club's software provider.

This is "bad, very bad," said Jeremiah Grossman, chief of Security Strategy for cybersecurity firm SentinelOne, when we described Mar-a-Lago's systems. "I'd assume the data is already stolen and systems compromised."

A few days later, we took our equipment to another Trump club in Bedminster, New Jersey. During the transition, Trump had interviewed candidates for top administration positions there, including James Mattis, now secretary of defense.

We drove on a dirt access road through the middle of the golf course and spotted two open Wi-Fi networks, TrumpMembers and WelcomeToTrumpNationalGolfClub, that did not require a password to join.

Such open networks allow anyone within range to scoop up all unencrypted internet activity taking place there, which could, on insecure sites, include usernames, passwords and emails.

Robert Graham, an Atlanta, Georgia, cybersecurity expert, said that hackers could use the open Wi-Fi to remotely turn on the microphones and cameras of devices connected to the network. "What you're describing is typical hotel security," he said, but "it's pretty concerning" that an attacker could listen to sensitive national security conversations.

Two days after we visited the Bedminster club, Trump arrived for a weekend stay.

Then we visited the Trump International Hotel in Washington, D.C., where Trump often dines with his son-in-law and senior adviser Jared Kushner, whose responsibilities range from Middle East diplomacy to revamping the federal bureaucracy. We surveyed the networks from a Starbucks in the hotel basement.

From there, we could tell there were two Wi-Fi networks at the hotel protected with what's known as a captive portal. These login screens are often used at airports and hotels to ensure that only paying customers can access the network.

However, we gained access to both networks just by typing "457" into the room number field. Because we provided a room number, the system assumed we were guests. We looked up the hotel's public IP address before logging off.

From our desks in New York, we could also tell that the hotel is using a server that is accessible from the public internet. This server is running software that was released almost 13 years ago.

Finally, we visited the Trump National Golf Club in Sterling, Virginia, where the president sometimes plays golf. From the parking lot, we recognized three encrypted wireless networks, an encrypted wireless phone and two printers with open Wi-Fi access.

The Trump club websites are hosted by an Ohio-based company called Clubessential. It offers everything from back-office management and member communications to tee time and room reservations.

In a 2014 presentation, a company sales director warned that the club industry as a whole is "too lax" in managing and protecting passwords. There has been a "rising number of attacks on club websites over the last two years," according to the presentation. Clubessential "performed [an] audit of security in the club industry" and "found thousands of sensitive documents from clubs exposed on [the] Internet," such as "lists of members and staff, and their contact info; board minutes, financial statements, etc."

Still, the club software company has set up a backend server accessible on the internet, and configured its encryption incorrectly. Anyone who reaches the login page is greeted with a warning that the encryption is broken. In its documentation, the company advises club administrators to ignore these warnings and log in regardless. That means that anybody snooping on the unprotected connection could intercept the administrators' passwords and gain access to the entire system.

The company also publishes online, without a password, many of the default settings and usernames for its software 2014 essentially providing a roadmap for intruders.

Clubessential declined comment.

Aitel, the CEO of Immunity, said the problems at Trump properties would be difficult to fix: "Once you are at a low level of security it is hard to develop a secure network system. You basically have to start over."

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


The Need For A Code Of Ethics With The Internet Of Things

Earlier this week, The Atlantic website published and interview with Francine Berman, a computer-science professor at Rensselaer Polytechnic Institute, about the need for a code of ethics for connected, autonomous devices, commonly referred to as the internet-of-things (IoT). The IoT is exploding.

Experts forecast 8.4 billion connected devices in use worldwide in 2017, up 31 percent from 2016. Total spending for those devices will reach almost $2 trillion in 2017, and $20.4 billion by 2020. North America, Western Europe, and China, which already comprise 67 percent of the installed base, will drive much of this growth.

In a February, 2017 article (Adobe PDF) in the journal Communications of the Association for Computing Machinery, Berman and Vint Cerf, an engineer, discussed the need for a code of ethics:

"Last October, millions of interconnected devices infected with malware mounted a "denial-of-service" cyberattack on Dyn, a company that operates part of the Internet’s directory service. Such attacks require us to up our technical game in Internet security and safety. They also expose the need to frame and enforce social and ethical behavior, privacy, and appropriate use in Internet environments... At present, policy and laws about online privacy and rights to information are challenging to interpret and difficult to enforce. As IoT technologies become more pervasive, personal information will become more valuable to a diverse set of actors that include organizations, individuals, and autonomous systems with the capacity to make decisions about you."

Given this, it seems wise for voters to consider whether or not elected officials in state, local, and federal government understand the issues. Do they understand the issues? If they understand the issues, are they taking appropriate action? If they aren't taking appropriate action, is due to other priorities? Or are different elected officials needed? At the federal level, recent events with broadband privacy indicate a conscious decision to ignore consumers' needs in favor of business.

In their ACM article, Bermand and Cerf posed three relevant questions:

  1. "What are your rights to privacy in the internet-of-things?
  2. Who is accountable for decisions made by autonomous systems?
  3. How do we promote the ethical use of IoT technologies?"

Researchers and technologists have already raised concerns about the ethical dilemmas of self-driving cars. Recent events have also highlighted the issues.

Some background. Last October, a denial-of-service attack against a hosting service based in France utilized a network of more than 152,000 IoT devices, including closed-circuit-television (CCTV) cameras and DVRs. The fatal crash in May of a Tesla Model S car operating in auto-pilot mode and the crash in February of a Google self-driving car raised concerns. According to researchers, 75 percent of all cars shipped globally will have internet connectivity by 2020. Last month, a security expert explained the difficulty with protecting connected cars from hackers.

And after a customer posted a negative review online, a developer of connected garage-door openers disabled both the customer's device and online account. (Service was later restored.) Earlier this year, a smart TV maker paid $2.2 million to settle privacy abuse charges by the U.S. Federal Trade Commission (FTC). Consumers buy and use a wide variety of connected devices: laptops, tablets, smartphones, personal assistants, printers, lighting and temperature controls, televisions, home security systems, fitness bands, smart watches, toys, smart wine bottles, and home appliances (e.g., refrigerators, hot water heaters, coffee makers, crock pots, etc.). Devices with poor security features don't allow operating system and security software updates, don't encrypt key information such as PIN numbers and passwords, and build the software into the firmware where it cannot be upgraded. In January, the FTC filed a lawsuit against a modem/router maker alleging poor security in its products.

Consumers have less control over many IoT devices, such as smart utility meters, which collect information about consumers. Typically, the devices are owned and maintained by utility companies while installed in or on consumers' premises.

Now, back to the interview in The Atlantic. Professor Berman reminded us that society has met the ethical challenge before:

"Think about the Industrial Revolution: The technologies were very compelling—but perhaps the most compelling part were the social differences it created. During the Industrial Revolution, you saw a move to the cities, you saw the first child-labor laws, you saw manufacturing really come to the fore. Things were available that had not been very available before..."

Well, another revolution is upon us. This time, it includes changes brought about by the internet and the IoT. Berman explained today's challenges include considerations:

"... we never even imagined we’d have to think about. A great example: What if self-driving cars have to make bad choices? How do they do that? Where are the ethics? And then who is accountable for the choices that are made by autonomous systems? This needs to be more of a priority, and we need to be thinking about it more broadly. We need to start designing the systems that are going to be able to support social regulation, social policy, and social practice, to bring out the best of the Internet of Things... Think about designing a car. I want to design it so it’s safe, and so that the opportunity to hack my car is minimized. If I design Internet of Things systems that are effective, provide me a lot of opportunities, and are adaptive, but I only worry about really important things like security and privacy and safety afterwards, it’s much less effective than designing them with those things in mind. We can lessen the number of unintended consequences if we start thinking from the design stage and the innovation stage how we’re going to use these technologies. Then, we put into place the corresponding social framework."

Perhaps, most importantly:

"There’s a shared responsibility between innovators, companies, the government, and the individual, to try and create and utilize a framework that assigns responsibility and accountability based on what promotes the public good."

Will we meet the challenge of this revolution? Will innovators, companies, government, and individuals share responsibility? Will we work for the public good or solely for business growth and profitability?

What do you think?


Security Expert Says Protecting Driverless Cars From Hackers Is Hard

Wired Magazine recently interviewed Charlie Miller, an automobile security expert, about the security of driverless cars. You may remember Miller. He and an associated remotely hacked a moving Jeep vehicle in 2015 to demonstrate security vulnerabilities in autos. Miller later worked for Uber, and recently joined Didi.

Wired Magazine reported:

"Autonomous vehicles are at the apex of all the terrible things that can go wrong,” says Miller, who spent years on the NSA’s Tailored Access Operations team of elite hackers before stints at Twitter and Uber. “Cars are already insecure, and you’re adding a bunch of sensors and computers that are controlling them…If a bad guy gets control of that, it’s going to be even worse."

The article highlights the security issues with driverless used by ride-sharing companies. Simply, the driverless taxi or ride-share car is unattended for long periods of time.. That is a huge opportunity for hackers posing as riders to directly access and hack driverless cars:

"There’s going to be someone you don’t necessarily trust sitting in your car for an extended period of time,” says Miller. “The OBD2 port is something that’s pretty easy for a passenger to plug something into and then hop out, and then they have access to your vehicle’s sensitive network."

The article also highlights some of the differences between driverless cars used as personal vehicles versus as ride-sharing (or taxi) cars. In a driverless personal vehicle, the owner -- who is also the inattentive driver -- can regain control after a remote hack and steer/brake to safety. Not so in a driverless ride-sharing car or taxi.

Do you believe that criminals won't try to hack driverless (ride-sharing and taxi) cars? History strongly suggests otherwise. Since consumers love the convenience of pay-at-the-pump in gas stations, criminals have repeatedly installed skimming devices in unattended gas station pumps to steal drivers' debit/credit payment information. No doubt, criminals will want to hack driverless cars to steal riders' payment information.

What are your opinions of the security of driverless cars?


Lawsuit Claims The Uber Mobile App Scams Both Riders And Drivers

Uber logo A class-action lawsuit against Uber claims that the ride-sharing company manipulated its mobile app to simultaneously short-change drivers and over-charge riders. Ars Technica reported:

"When a rider uses Uber's app to hail a ride, the fare the app immediately shows to the passenger is based on a slower and longer route compared to the one displayed to the driver. The software displays a quicker, shorter route for the driver. But the rider pays the higher fee, and the driver's commission is paid from the cheaper, faster route, according to the lawsuit.

"Specifically, the Uber Defendants deliberately manipulated the navigation data used in determining the fare amount paid by its users and the amount reported and paid to its drivers," according to the suit filed in federal court in Los Angeles."

Controversy surrounds Uber after several high-level executive changes, an investigative news report alleging a worldwide program to thwart oversight by local governments, and a key lawsuit challenging the company's technology.


Uber: President Resigns, Greyball, A Major Lawsuit, Corporate Culture, And Lingering Questions

Uber logo Several executive changes are underway at Uber. The President of Uber's Ridesharing unit, Jeff Jones, resigned after only six months at the company. The Recode site posted a statement by Jones:

"Jones also confirmed the departure with a blistering assessment of the company. "It is now clear, however, that the beliefs and approach to leadership that have guided my career are inconsistent with what I saw and experienced at Uber, and I can no longer continue as president of the ride-sharing business," he said in a statement to Recode."

Prior to joining Uber, Jones had been the Chief Marketing Officer (CMO) at Target stores. Travis Kalanick, the Chief Executive Officer at Uber, disclosed that he met Jones at a Ted conference in Vancouver, British Columbia, Canada.

There have been more executive changes at Uber. The company announced on March 7 its search for a Chief Operating Officer (COO). It announced on March 14 the appointment of Zoubin Ghahramani as its new Chief Scientist based San Francisco. Ghahramani will lead Uber’s AI Labs, our recently created machine learning and artificial intelligence research unit and associated business strategy. Zoubin, a Professor of Information Engineering at the University of Cambridge, joined Uber when it acquired Geometric Intelligence.

In February 2017, CEO Travis Kalanick asked Amit Singhal to resign. Singhal, the company's senior vice president of engineering, had joined Uber a month after 15 years at Google. Reportedly, Singhal was let go for failing to disclose reasons for his departure from Google, including sexual harassment allegations.

Given these movements by executives, one might wonder what is happening at Uber. A brief review of the company's history found controversy accompanying its business practices. Earlier this month, an investigative report by The New York Times described a worldwide program by Uber executives to thwart code enforcement inspections by governments:

"The program, involving a tool called Greyball, uses data collected from the Uber app and other techniques to identify and circumvent officials who were trying to clamp down on the ride-hailing service. Uber used these methods to evade the authorities in cities like Boston, Paris and Las Vegas, and in countries like Australia, China and South Korea.

Greyball was part of a program called VTOS, short for “violation of terms of service,” which Uber created to root out people it thought were using or targeting its service improperly. The program, including Greyball, began as early as 2014 and remains in use, predominantly outside the United States. Greyball was approved by Uber’s legal team."

An example of how the program and Greyball work:

"Uber’s use of Greyball was recorded on video in late 2014, when Erich England, a code enforcement inspector in Portland, Ore., tried to hail an Uber car downtown in a sting operation against the company... officers like Mr. England posed as riders, opening the Uber app to hail a car and watching as miniature vehicles on the screen made their way toward the potential fares. But unknown to Mr. England and other authorities, some of the digital cars they saw in the app did not represent actual vehicles. And the Uber drivers they were able to hail also quickly canceled."

The City of Portland sued Uber in December 2014 and issued a Cease And Desist Order. Uber continued operations in the city, and a pilot program in Portland began in April, 2015. Later in 2015, the City of Portland authorized Uber''s operations. In March 2017, Oregon Live reported a pending investigation:

"An Uber spokesman said Friday that the company has not used the Greyball program in Portland since then. Portland Commissioner Dan Saltzman said Monday that the investigation will focus on whether Uber has used Greyball, or any form of it, to obstruct the city's enforcement of its regulations. The review would examine information the companies have already provided the city, and potentially seeking additional data from them... The investigation also will affect Uber's biggest competitor, Lyft, Saltzman said, though Lyft did not operate in Portland until after its business model was legalized, and there's no indication that it similarly screened regulators... Commissioner Nick Fish earlier called for a broader investigation and said the City Council should seek subpoena powers to determine the extent of Uber's "Greyball" usage..."

This raises questions about other locations Uber may have used its Greyball program. The San Francisco District Attorney's office is investigating, as are government officials in Sydney, Australia. Also this month, the Upstate Transportation Association (UTA), a trade group of taxi companies in New York State, asked government officials to investigate. The Albany Times Union reported:

"In a Tuesday letter to Governor Andrew Cuomo, Assembly Speaker Carl Heastie and Senate Majority Leader John Flanagan, UTA President John Tomassi wrote accused the company of possibly having used the Greyball technology in New York to evade authorities in areas where ride-hailing is not allowed. Uber and companies like it are authorized to operate only in New York City, where they are considered black cars. But UTA’s concerns about Greyball are spurred in part by reported pick-ups in some suburban areas."

A look at Uber's operations in Chicago sheds some light on how the company operates. NBC Channel 5 reported in 2014:

"... news that President Barack Obama's former adviser and campaign strategist David Plouffe has joined the company as senior VP of policy and strategy delivers a strong message to its enemies: Uber means business. How dare you disrupt our disruption? You're going down.

Here in the Land of Lincoln, Plouffe's hiring adds another layer of awkward personal politics to the Great Uber Debate. It's an increasingly tangled web: Plouffe worked in the White House alongside Rahm Emanuel when the Chicago mayor was Chief of Staff. Emanuel, trying to strike a balance between Uber-friendly and cabbie-considerate, recently passed a bill that restricts Uber drivers from picking up passengers at O'Hare, Midway and McCormick Place... Further complicating matters, Emanuel's brother, Hollywood super-agent Ari Emanuel, has invested in Uber..."

That debate also included the Illinois Governor, as politicians try to balance the competing needs of traditional taxi companies, ride-sharing companies, and consumers. The entire situation raises questions about why there aren't Greyball investigations by more cities. Is it due to local political interference?

That isn't all. In 2014, Uber's "God View" tool raised concerns about privacy, the company's tracking of its customers, and a questionable corporate culture. At that time, an Uber executive reportedly suggested that the company hire opposition researchers to dig up dirt about its critics in the news media.

Uber's claims in January 2015 of reduced drunk-driving accidents due to its service seemed dubious after scrutiny. ProPublica explained:

"Uber reported that cities using its ridesharing service have seen a reduction in drunk driving accidents, particularly among young people. But when ProPublica data reporter Ryann Grochowski Jones took a hard look at the numbers, she found the company's claim that it had "likely prevented" 1,800 crashes over the past 2.5 years to be lacking... the first red flag was that Uber didn't include a methodology with its report. A methodology is crucial to show how the statistician did the analysis... Uber eventually sent her a copy of the methodology separately, which showed that drunk-driving accidents involving drivers under 30 dropped in California after Uber's launch. The math itself is fine, Grochowski Jones says, but Uber offers no proof that those under 30 and Uber users are actually the same population.

This seems like one of those famous moments in intro statistics courses where we talk about correlation and causality, ProPublica Editor-in-Chief Steve Engelberg says. Grochowski Jones agrees, showcasing how drowning rates are higher in the summer as are ice cream sales but clearly one doesn't cause the other."

Similar claims by Uber about the benefits of "surge pricing" seemed to wilter under scrutiny. ProPublica reported in October, 2015:

"The company has always said the higher prices actually help passengers by encouraging more drivers to get on the road. But computer scientists from Northeastern University have found that higher prices don’t necessarily result in more drivers. Researchers Le Chen, Alan Mislove and Christo Wilson created 43 new Uber accounts and virtually hailed cars over four weeks from fixed points throughout San Francisco and Manhattan. They found that many drivers actually leave surge areas in anticipation of fewer people ordering rides. "What happens during a surge is, it just kills demand," Wilson told ProPublica."

Another surge-pricing study in 2016 concluded with a positive spin:

"... that consumers can benefit from surge pricing. They find this is the case when a market isn’t fully served by traditional taxis when demand is high. In short, if you can’t find a cab on New Year’s Eve, Daniels’ research says you’re better off with surge pricing... surge pricing allows service to expand during peak demand without creating idleness for drivers during normal demand. This means that more peak demand customers get rides, albeit at a higher price. This also means that the price during normal demand settings drops, allowing more customers service at these normal demand times."

In other words, "can benefit" doesn't ensure that riders will benefit. And "allows service to expand" doesn't ensure that service will expand during peak demand periods. "Surge pricing" does ensure higher prices. A better solution might be surge payments to drivers during peak hours to expand services. Uber will still make more money with more rides during peak periods.

The surge-pricing concept is a reminder of basic economics when prices are raised by suppliers. Demand decreases. A lower price should follow, but the surge-price prevents that. As the prior study highlighted, drivers have learned from this: additional drivers don't enter the market to force down the higher surge-price.

And, there is more. In 2015, the State of California Labor Commission ruled that Uber drivers are employees and not independent contractors, as the company claimed. Concerns about safety and criminal background checks have been raised. Last year, BuzzFeed News analyzed ride data from Uber:

"... the company received five claims of rape and “fewer than” 170 claims of sexual assault directly related to an Uber ride as inbound tickets to its customer service database between December 2012 and August 2015. Uber provided these numbers as a rebuttal to screenshots obtained by BuzzFeed News. The images that were provided by a former Uber customer service representative (CSR) to BuzzFeed News, and subsequently confirmed by multiple other parties, show search queries conducted on Uber’s Zendesk customer support platform from December 2012 through August 2015... In one screenshot, a search query for “sexual assault” returns 6,160 Uber customer support tickets. A search for “rape” returns 5,827 individual tickets."

That news item is interesting since it includes several images of video screens from the company's customer support tool. Uber's response:

"The ride-hail giant repeatedly asserted that the high number of queries from the screenshots is overstated, however Uber declined BuzzFeed News’ request to grant direct access to the data, or view its data analysis procedures. When asked for any additional anonymous data on the five rape complaint tickets it claims to have received between December 2012 and August 2015, Uber declined to provide any information."

Context matters about ride safety and corporate culture. A former Uber employee shared a disturbing story with allegations of sexual harassment:

"I joined Uber as a site reliability engineer (SRE) back in November 2015, and it was a great time to join as an engineer... After the first couple of weeks of training, I chose to join the team that worked on my area of expertise, and this is where things started getting weird. On my first official day rotating on the team, my new manager sent me a string of messages over company chat. He was in an open relationship, he said, and his girlfriend was having an easy time finding new partners but he wasn't. He was trying to stay out of trouble at work, he said, but he couldn't help getting in trouble, because he was looking for women to have sex with... Uber was a pretty good-sized company at that time, and I had pretty standard expectations of how they would handle situations like this. I expected that I would report him to HR, they would handle the situation appropriately, and then life would go on - unfortunately, things played out quite a bit differently. When I reported the situation, I was told by both HR and upper management that even though this was clearly sexual harassment and he was propositioning me, it was this man's first offense, and that they wouldn't feel comfortable giving him anything other than a warning and a stern talking-to... I was then told that I had to make a choice: (i) I could either go and find another team and then never have to interact with this man again, or (ii) I could stay on the team, but I would have to understand that he would most likely give me a poor performance review when review time came around, and there was nothing they could do about that. I remarked that this didn't seem like much of a choice..."

Her story seems very credible. Based upon this and other events, some industry watchers question Uber's value should it seek more investors via an initial public offering (IPO):

"Uber has hired two outside law firms to conduct investigations related to the former employee's claims. One will investigate her claims specifically, the other is conducting a broader investigation into Uber's workplace practices...Taken together, the recent reports paint a picture of a company where sexual harassment is tolerated, laws are seen as inconveniences to be circumvented, and a showcase technology effort might be based on stolen secrets. That's all bad for obvious reasons... What will Uber's valuation look like the next time it has to raise money -- or when it attempts to go public?"

To understand the "might be based on stolen secrets" reference, the San Francisco Examiner newspaper explained on March 20:

"In the past few weeks, Uber’s touted self-driving technology has come under both legal and public scrutiny after Alphabet — Google’s parent company — sued Uber over how it obtained its technology. Alphabet alleges that the technology for Otto, a self-driving truck company acquired by Uber last year, was stolen from Alphabet’s own Waymo self-driving technology... Alphabet alleges Otto founder Anthony Levandowski downloaded proprietary data from Alphabet’s self-driving files. In December 2015, Levandowski download 14,000 design files onto a memory card reader and then wiped all the data from the laptop, according to the lawsuit.

The lawsuit also lays out a timeline where Levandowski and Uber were in cahoots with one another before the download operation. Alphabet alleges the two parties were in communications with each other since the summer of 2015, when Levandowski still worked for Waymo. Levandowski left Waymo in January 2016, started Otto the next month and joined Uber in August as vice president of Uber’s self-driving technology after Otto was purchased by Uber for $700 million... This may become the biggest copyright infringement case brought forth in Silicon Valley since Apple v. Microsoft in 1994, when Apple sued Microsoft over the alleged likeness in the latter’s graphic user interface."

And, just this past Saturday Uber suspended its driverless car program in Arizona after a crash. Reportedly, Uber's driverless car programs in Arizona, Pittsburgh and San Francisco are suspended pending the results of the crash investigation.

No doubt, there will be more news about the lawsuit, safety issues, sexual harassment, Greyball, and investigations by local cities. What are your opinions?


Can Customs and Border Officials Search Your Phone? These Are Your Rights

[Editor's note: today's guest post is by the reporters at ProPublica. Past actions by CBP, including the search of a domestic flight, have raised privacy concerns among many citizens. Informed consumers know their privacy rights before traveling. This news article first appeared on March 13 and is reprinted with permission.]

by Patrick G. Lee, ProPublica

A NASA scientist heading home to the U.S. said he was detained in January at a Houston airport, where Customs and Border Protection officers pressured him for access to his work phone and its potentially sensitive contents.

Last month, CBP agents checked the identification of passengers leaving a domestic flight at New York's John F. Kennedy Airport during a search for an immigrant with a deportation order.

And in October, border agents seized phones and other work-related material from a Canadian photojournalist. They blocked him from entering the U.S. after he refused to unlock the phones, citing his obligation to protect his sources.

These and other recent incidents have revived confusion and alarm over what powers border officials actually have and, perhaps more importantly, how to know when they are overstepping their authority.

The unsettling fact is that border officials have long had broad powers -- many people just don't know about them. Border officials, for instance, have search powers that extend 100 air miles inland from any external boundary of the U.S. That means border agents can stop and question people at fixed checkpoints dozens of miles from U.S. borders. They can also pull over motorists whom they suspect of a crime as part of "roving" border patrol operations.

Sowing even more uneasiness, ambiguity around the agency's search powers -- especially over electronic devices -- has persisted for years as courts nationwide address legal challenges raised by travelers, privacy advocates and civil-rights groups.

We've dug out answers about the current state-of-play when it comes to border searches, along with links to more detailed resources.

Doesn't the Fourth Amendment protect us from "unreasonable searches and seizures"?

Yes. The Fourth Amendment to the Constitution articulates the "right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures." However, those protections are lessened when entering the country at international terminals at airports, other ports of entry and subsequently any location that falls within 100 air miles of an external U.S. boundary.

How broad is Customs and Border Protection's search authority?

According to federal statutes, regulations and court decisions, CBP officers have the authority to inspect, without a warrant, any person trying to gain entry into the country and their belongings. CBP can also question individuals about their citizenship or immigration status and ask for documents that prove admissibility into the country.

This blanket authority for warrantless, routine searches at a port of entry ends when CBP decides to undertake a more invasive procedure, such as a body cavity search. For these kinds of actions, the CBP official needs to have some level of suspicion that a particular person is engaged in illicit activity, not simply that the individual is trying to enter the U.S.

Does CBP's search authority cover electronic devices like smartphones and laptops?

Yes. CBP refers to several statutes and regulations in justifying its authority to examine "computers, disks, drives, tapes, mobile phones and other communication devices, cameras, music and other media players, and any other electronic or digital devices."

According to current CBP policy, officials should search electronic devices with a supervisor in the room, when feasible, and also in front of the person being questioned "unless there are national security, law enforcement, or other operational considerations" that take priority. For instance, if allowing a traveler to witness the search would reveal sensitive law enforcement techniques or compromise an investigation, "it may not be appropriate to allow the individual to be aware of or participate in a border search," according to a 2009 privacy impact assessment by the Department of Homeland Security.

CBP says it can conduct these searches "with or without" specific suspicion that the person who possesses the items is involved in a crime.

With a supervisor's sign-off, CBP officers can also seize an electronic device -- or a copy of the information on the device -- "for a brief, reasonable period of time to perform a thorough border search." Such seizures typically shouldn't exceed five days, although officers can apply for extensions in up to one-week increments, according to CBP policy. If a review of the device and its contents does not turn up probable cause for seizing it, CBP says it will destroy the copied information and return the device to its owner.

Can CBP really search my electronic devices without any specific suspicion that I might have committed a crime?

The Supreme Court has not directly ruled on this issue. However, a 2013 decision from the U.S. Court of Appeals for the Ninth Circuit -- one level below the Supreme Court -- provides some guidance on potential limits to CBP's search authority.

In a majority decision, the court affirmed that cursory searches of laptops -- such as having travelers turn their devices on and then examining their contents -- does not require any specific suspicions about the travelers to justify them.

The court, however, raised the bar for a "forensic examination" of the devices, such as using "computer software to analyze a hard drive." For these more powerful, intrusive and comprehensive searches, which could provide access to deleted files and search histories, password-protected information and other private details, border officials must have a "reasonable suspicion" of criminal activity -- not just a hunch.

As it stands, the 2013 appeals court decision legally applies only to the nine Western states in the Ninth Circuit, including California, Arizona, Nevada, Oregon and Washington. It's not clear whether CBP has taken the 2013 decision into account more broadly: The last time the agency publicly updated its policy for searching electronic devices was in 2009. CBP is currently reviewing that policy and there is "no specific timeline" for when an updated version might be announced, according to the agency.

"Laptop computers, iPads and the like are simultaneously offices and personal diaries. They contain the most intimate details of our lives," the court's decision said. "It is little comfort to assume that the government -- for now -- does not have the time or resources to seize and search the millions of devices that accompany the millions of travelers who cross our borders. It is the potential unfettered dragnet effect that is troublesome."

During the 2016 fiscal year, CBP officials conducted 23,877 electronic media searches, a five-fold increase from the previous year. In both the 2015 and 2016 fiscal years, the agency processed more than 380 million arriving travelers.

Am I legally required to disclose the password for my electronic device or social media, if CBP asks for it?

That's still an unsettled question, according to Liza Goitein, co-director of the Liberty and National Security Program at the Brennan Center for Justice. "Until it becomes clear that it's illegal to do that, they're going to continue to ask," she said.

The Fifth Amendment says that no one shall be made to serve as "a witness against himself" in a criminal case. Lower courts, however, have produced differing decisions on how exactly the Fifth Amendment applies to the disclosure of passwords to electronic devices.

Customs officers have the statutory authority "to demand the assistance of any person in making any arrest, search, or seizure authorized by any law enforced or administered by customs officers, if such assistance may be necessary." That statute has traditionally been invoked by immigration agents to enlist the help of local, state and other federal law enforcement agencies, according to Nathan Wessler, a staff attorney with the ACLU's Speech, Privacy and Technology Project. Whether the statute also compels individuals being interrogated by border officials to divulge their passwords has not been directly addressed by a court, Wessler said.

Even with this legal uncertainty, CBP officials have broad leverage to induce travelers to share password information, especially when someone just wants to catch their flight, get home to family or be allowed to enter the country. "Failure to provide information to assist CBP may result in the detention and/or seizure of the electronic device," according to a statement provided by CBP.

Travelers who refuse to give up passwords could also be detained for longer periods and have their bags searched more intrusively. Foreign visitors could be turned away at the border, and green card holders could be questioned and challenged about their continued legal status.

"People need to think about their own risks when they are deciding what to do. US citizens may be comfortable doing things that non-citizens aren't, because of how CBP may react," Wessler said.

What is some practical advice for protecting my digital information?

Consider which devices you absolutely need to travel with, and which ones you can leave at home. Setting a strong password and encrypting your devices are helpful in protecting your data, but you may still lose access to your devices for undefined periods should border officials decide to seize and examine their contents.

Another option is to leave all of your devices behind and carry a travel-only phone free of most personal information. However, even this approach carries risks. "We also flag the reality that if you go to extreme measures to protect your data at the border, that itself may raise suspicion with border agents," according to Sophia Cope, a staff attorney at the Electronic Frontier Foundation. "It's so hard to tell what a single border agent is going to do."

The EFF has released an updated guide to data protection options here.

Does CBP recognize any exceptions to what it can examine on electronic devices?

If CBP officials want to search legal documents, attorney work product or information protected by attorney-client privilege, they may have to follow "special handling procedures," according to agency policy. If there's suspicion that the information includes evidence of a crime or otherwise relates to "the jurisdiction of CBP," the border official must consult the CBP associate/assistant chief counsel before undertaking the search.

As for medical records and journalists' notes, CBP says its officers will follow relevant federal laws and agency policies in handling them. When asked for more information on these procedures, an agency spokesperson said that CBP has "specific provisions" for dealing with this kind of information, but did not elaborate further. Questions that arise regarding these potentially sensitive materials can be handled by the CBP associate/assistant chief counsel, according to CBP policy. The agency also says that it will protect business or commercial information from "unauthorized disclosure."

Am I entitled to a lawyer if I'm detained for further questioning by CBP?

No. According to a statement provided by CBP, "All international travelers arriving to the U.S. are subject to CBP processing, and travelers bear the burden of proof to establish that they are clearly eligible to enter the United States. Travelers are not entitled to representation during CBP administrative processing, such as primary and secondary inspection."

Even so, some immigration lawyers recommend that travelers carry with them the number for a legal aid hotline or a specific lawyer who will be able to help them, should they get detained for further questioning at a port of entry.

"It is good practice to ask to speak to a lawyer," said Paromita Shah, associate director at the National Immigration Project of the National Lawyers Guild. "We always encourage people to have a number where their attorney can be reached, so they can explain what is happening and their attorney can try to intervene. It's definitely true that they may not be able to get into the actual space, but they can certainly intervene."

Lawyers who fill out this form on behalf of a traveler headed into the United States might be allowed to advocate for that individual, although local practices can vary, according to Shah.

Can I record my interaction with CBP officials?

Individuals on public land are allowed to record and photograph CBP operations so long as their actions do not hinder traffic, according to CBP. However, the agency prohibits recording and photography in locations with special security and privacy concerns, including some parts of international airports and other secure port areas.

Does CBP's power to stop and question people extend beyond the border and ports of entry?

Yes. Federal statutes and regulations empower CBP to conduct warrantless searches for people travelling illegally from another country in any "railway car, aircraft, conveyance, or vehicle" within 100 air miles from "any external boundary" of the country. About two-thirds of the U.S. population live in this zone, including the residents of New York City, Los Angeles, Chicago, Philadelphia and Houston, according to the ACLU.

As a result, CBP currently operates 35 checkpoints, where they can stop and question motorists traveling in the U.S. about their immigration status and make "quick observations of what is in plain view" in the vehicle without a warrant, according to the agency. Even at a checkpoint, however, border officials cannot search a vehicle's contents or its occupants unless they have probable cause of wrongdoing, the agency says. Failing that, CBP officials can ask motorists to allow them to conduct a search, but travelers are not obligated to give consent.

When asked how many people were stopped at CBP checkpoints in recent years, as well as the proportion of those individuals detained for further scrutiny, CBP said they didn't have the data "on hand" but that the number of people referred for secondary questioning was "minimum." At the same time, the agency says that checkpoints "have proven to be highly effective tools in halting the flow of illegal traffic into the United States."

Within 25 miles of any external boundary, CBP has the additional patrol power to enter onto private land, not including dwellings, without a warrant.

Where can CBP set up checkpoints?

CBP chooses checkpoint locations within the 100-mile zone that help "maximize border enforcement while minimizing effects on legitimate traffic," the agency says.

At airports that fall within the 100-mile zone, CBP can also set up checkpoints next to airport security to screen domestic passengers who are trying to board their flights, according to Chris Rickerd, a policy counsel at the ACLU's National Political Advocacy Department.

"When you fly out of an airport in the southwestern border, say McAllen, Brownsville or El Paso, you have Border Patrol standing beside TSA when they're doing the checks for security. They ask you the same questions as when you're at a checkpoint. 'Are you a US citizen?' They're essentially doing a brief immigration inquiry in the airport because it's part of the 100-mile zone," Rickerd said. "I haven't seen this at the northern border."

Can CBP do anything outside of the 100-mile zone?

Yes. Many of CBP's law enforcement and patrol activities, such as questioning individuals, collecting evidence and making arrests, are not subject to the 100-mile rule, the agency says. For instance, the geographical limit does not apply to stops in which border agents pull a vehicle over as part of a "roving patrol" and not a fixed checkpoint, according to Rickerd of the ACLU. In these scenarios, border agents need reasonable suspicion that an immigration violation or crime has occurred to justify the stop, Rickerd said. For stops outside the 100-mile zone, CBP agents must have probable cause of wrongdoing, the agency said.

The ACLU has sued the government multiple times for data on roving patrol and checkpoint stops. Based on an analysis of records released in response to one of those lawsuits, the ACLU found that CBP officials in Arizona failed "to record any stops that do not lead to an arrest, even when the stop results in a lengthy detention, search, and/or property damage."

The lack of detailed and easily accessible data poses a challenge to those seeking to hold CBP accountable to its duties.

"On the one hand, we fight so hard for reasonable suspicion to actually exist rather than just the whim of an officer to stop someone, but on the other hand, it's not a standard with a lot of teeth," Rickerd said. "The courts would scrutinize it to see if there's anything impermissible about what's going on. But if we don't have data, how do you figure that out?"

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.

 


Advocacy Groups And Legal Experts Denounce DHS Proposal Requiring Travelers To Disclose Social Media Credentials

U.S. Department of Homeland Security logo Several dozen human rights organizations, civil liberties advocates, and legal experts published an open letter on February 21,2017 condemning a proposal by the U.S. Department of Homeland Security to require the social media credentials (e.g., usernames and passwords) of all travelers from majority-Muslim countries. This letter was sent after testimony before Congress by Homeland Security Secretary John Kelly. NBC News reported on February 8:

"Homeland Security Secretary John Kelly told Congress on Tuesday the measure was one of several being considered to vet refugees and visa applicants from seven Muslim-majority countries. "We want to get on their social media, with passwords: What do you do, what do you say?" he told the House Homeland Security Committee. "If they don't want to cooperate then you don't come in."

His comments came the same day judges heard arguments over President Donald Trump's executive order temporarily barring entry to most refugees and travelers from Syria, Iraq, Iran, Somalia, Sudan, Libya and Yemen. Kelly, a Trump appointee, stressed that asking for people's passwords was just one of "the things that we're thinking about" and that none of the suggestions were concrete."

The letter, available at the Center For Democracy & Technology (CDT) website, stated in part (bold emphasis added):

"The undersigned coalition of human rights and civil liberties organizations, trade associations, and experts in security, technology, and the law expresses deep concern about the comments made by Secretary John Kelly at the House Homeland Security Committee hearing on February 7th, 2017, suggesting the Department of Homeland Security could require non-citizens to provide the passwords to their social media accounts as a condition of entering the country.

We recognize the important role that DHS plays in protecting the United States’ borders and the challenges it faces in keeping the U.S. safe, but demanding passwords or other account credentials without cause will fail to increase the security of U.S. citizens and is a direct assault on fundamental rights.

This proposal would enable border officials to invade people’s privacy by examining years of private emails, texts, and messages. It would expose travelers and everyone in their social networks, including potentially millions of U.S. citizens, to excessive, unjustified scrutiny. And it would discourage people from using online services or taking their devices with them while traveling, and would discourage travel for business, tourism, and journalism."

The letter was signed by about 75 organizations and individuals, including the American Civil Liberties Union, the American Library Association, the American Society of Journalists & Authors, the American Society of News Editors, Americans for Immigrant Justice, the Brennan Center for Justice at NYU School of Law, Electronic Frontier Foundation, Human Rights Watch, Immigrant Legal Resource Center, National Hispanic Media Coalition, Public Citizen, Reporters Without Borders, the World Privacy Forum, and many more.

The letter is also available here (Adobe PDF).


Travelers Face Privacy Issues When Crossing Borders

If you travel for business, pleasure, or both then today's blog post will probably interest you. Wired Magazine reported:

"In the weeks since President Trump’s executive order ratcheted up the vetting of travelers from majority Muslim countries, or even people with Muslim-sounding names, passengers have experienced what appears from limited data to be a “spike” in cases of their devices being seized by customs officials. American Civil Liberties Union attorney Nathan Wessler says the group has heard scattered reports of customs agents demanding passwords to those devices, and even social media accounts."

Devices include smartphones, laptops, and tablets. Many consumers realize that relinquishing passwords to social networking sites (e.g., Facebook, Instagram, etc.) discloses sensitive information not just about themselves, but also all of their friends, family, classmates, neighbors, and coworkers -- anyone they are connected with online. The "Bring Your Own Device" policies by many companies and employers means that employees (and contractors) can use their personal devices in the workplace and/or connected remotely to company networks. Those connected devices can easily divulge company trade secrets and other sensitive information when seized by Customs and Border Patrol (CBP) agents for analysis and data collection.

Plus, professionals such as attorneys and consultants are required to protect their clients' sensitive information. These professionals, who also must travel, require data security and privacy for business.

Wired also reported:

"In fact, US Customs and Border Protection has long considered US borders and airports a kind of loophole in the Constitution’s Fourth Amendment protections, one that allows them wide latitude to detain travelers and search their devices. For years, they’ve used that opportunity to hold border-crossers on the slightest suspicion, and demand access to their computers and phones with little formal cause or oversight.

Even citizens are far from immune. CBP detainees from journalists to filmmakers to security researchers have all had their devices taken out of their hands by agents."

For travelers wanting privacy, what are the options? Remain at home? This may not be an option for workers who must travel for business. Leave your devices at home? Again, impractical for many. The Wired article provided several suggestions, including:

"If customs officials do take your devices, don’t make their intrusion easy. Encrypt your hard drive with tools like BitLocker, TrueCrypt, or Apple’s Filevault, and choose a strong passphrase. On your phone—preferably an iPhone, given Apple’s track record of foiling federal cracking—set a strong PIN and disable Siri from the lockscreen by switching off “Access When Locked” under the Siri menu in Settings.

Remember also to turn your devices off before entering customs: Hard drive encryption tools only offer full protection when a computer is fully powered down. If you use TouchID, your iPhone is safest when it’s turned off, too..."

What are the consequences when travelers refuse to disclose passwords and encrpt devices? Ars Technica also explored the issues:

"... Ars spoke with several legal experts, and contacted CBP itself (which did not provide anything beyond previously-published policies). The short answer is: your device probably will be seized (or "detained" in CBP parlance), and you might be kept in physical detention—although no one seems to be sure exactly for how long.

An unnamed CBP spokesman told The New York Times on Tuesday that such electronic searches are extremely rare: he said that 4,444 cellphones and 320 other electronic devices were inspected in 2015, or 0.0012 percent of the 383 million arrivals (presuming that all those people had one device)... The most recent public document to date on this topic appears to be an August 2009 Department of Homeland Security paper entitled "Privacy Impact Assessment for the Border Searches of Electronic Devices." That document states that "For CBP, the detention of devices ordinarily should not exceed five (5) days, unless extenuating circumstances exist." The policy also states that CBP or Immigration and Customs Enforcement "may demand technical assistance, including translation or decryption," citing a federal law, 19 US Code Section 507."

The Electronic Frontier Foundation (EFF) collects stories from travelers who've been detained and had their devices seized. Clearly, we will hear a lot more in the future about these privacy issues. What are your opinions of this?


Driver's Licenses For 9 States Won't Be Valid ID For Domestic Flights In 2018

Residents in nine states wanting to travel domestically via commercial airlines may need to obtain alternative identification documents. Why? While new identification requirements will become effective in 2018, starting in 2017 federal agencies may no longer accept driver's licenses from these nine states.

On December 12, the Department of Homeland Security (DHS) announcement explained:

"The Transportation Security Administration (TSA) will begin posting signs at airports this week notifying travelers that beginning January 2018 it will start enforcing REAL ID requirements at airport security checkpoints, meaning that travelers seeking to use their state-issued driver’s license or identification card for boarding commercial aircraft may only use such documents if they are issued by a REAL ID compliant state or a non-compliant state with an extension."

The U.S. Congress passed the REAL ID Act in 2005 to establish minimum security standards for state-issued driver’s licenses and identification cards. The Act prohibits federal agencies, including the TSA, from accepting licenses and identification cards for certain official purposes (e.g., boarding federally regulated commercial aircraft) from states that do not meet these minimum standards and have not received an extension for compliance from DHS.

If the nine states change their procedures, then the government may grant each state an extension or approval, as warranted. The nine states which did not receive extensions for 2016 or 2017 are Kentucky, Maine, Minnesota, Missouri, Montana, Oklahoma, Pennsylvania, South Carolina, and Washington. So, starting January 30, 2017 federal agencies and nuclear power plants may not accept driver's licenses and state IDs from these nine states for identification. Federal officials may continue to accept Enhanced Driver’s Licenses from Minnesota and Washington.

See the DHS site for the compliance status for all states and territories. See the TSAa.gov site for a complete list of identification documents accepted at TSA checkpoints. Below are the notices you may see while traveling through airports.

Generic TSA notice about changing ID requirements

TSA notice for noncompliant states about changing ID requirements


Some Android Phones Infected With Surveillance Malware Installed In Firmware

Security analysts recently discovered surveillance malware in some inexpensive smartphones that run the Android operating system (OS) software. The malware secretly transmits information about the device owner and usage to servers in China. The surveillance malware was installed in the phones' firmware. The New York Times reported:

"... you can get a smartphone with a high-definition display, fast data service and, according to security contractors, a secret feature: a backdoor that sends all your text messages to China every 72 hours. Security contractors recently discovered pre-installed software in some Android phones... International customers and users of disposable or prepaid phones are the people most affected by the software... The Chinese company that wrote the software, Shanghai Adups Technology Company, says its code runs on more than 700 million phones, cars and other smart devices. One American phone manufacturer, BLU Products, said that 120,000 of its phones had been affected and that it had updated the software to eliminate the feature."

Shanghai ADUPS Technology Company (ADUPS) is privately owned and based in Shanghai, China. According to Bloomberg, ADUPS:

"... provides professional Firmware Over-The-Air (FOTA) update services. The company offers a cloud-based service, which includes cloud hosts and CDN service, as well as allows manufacturers to update all their device models. It serves smart device manufacturers, mobile operators, and semiconductor vendors worldwide."

Firmware is a special type of software store in read-only memory (ROM) chips that operates a device, including how it controls, monitors, and manipulates data within a device. Kryptowire, a security firm, discovered the malware. The Kryptowire report identified:

"... several models of Android mobile devices that contained firmware that collected sensitive personal data about their users and transmitted this sensitive data to third-party servers without disclosure or the users' consent. These devices were available through major US-based online retailers (Amazon, BestBuy, for example)... These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI). The firmware could target specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices.

The firmware that shipped with the mobile devices and subsequent updates allowed for the remote installation of applications without the users' consent and, in some versions of the software, the transmission of fine-grained device location information... Our findings are based on both code and network analysis of the firmware. The user and device information was collected automatically and transmitted periodically without the users' consent or knowledge. The collected information was encrypted with multiple layers of encryption and then transmitted over secure web protocols to a server located in Shanghai. This software and behavior bypasses the detection of mobile anti-virus tools because they assume that software that ships with the device is not malware and thus, it is white-listed."

So, the malware was powerful, sophisticated, and impossible for consumers to detect.

This incident provides several reminders. First, there were efforts earlier this year by the U.S. Federal Bureau of Investigation (FBI) to force Apple to build "back doors" into its phones for law enforcement. Reportedly, it is unclear what specific law enforcement or intelligence services utilized the data streams produced by the surveillance malware. It is probably wise to assume that the Ministry of State Security, China's intelligence agency, had or has access to data streams.

Second, the incident highlights supply chain concerns raised in 2015 about computer products manufactured in China. Third, the incident indicates how easily consumers' privacy can be compromised by data breaches during a product's supply chain: manufacturing, assembly, transport, and retail sale.

Fourth, the incident highlights Android phone security issues raised earlier this year. We know from prior reports that manufacturers and wireless carriers don't provide OS updates for all Android phones. Fifth, the incident highlights the need for automakers and software developers to ensure the security of both connected cars and driverless cars.

Sixth, the incident raises questions about how and what, if anything, President Elect Donald J. Trump and his incoming administration will do about this trade issue with China. The Trump-Pence campaign site stated about trade with China:

"5. Instruct the Treasury Secretary to label China a currency manipulator.

6. Instruct the U.S. Trade Representative to bring trade cases against China, both in this country and at the WTO. China's unfair subsidy behavior is prohibited by the terms of its entrance to the WTO.

7. Use every lawful presidential power to remedy trade disputes if China does not stop its illegal activities, including its theft of American trade secrets - including the application of tariffs consistent with Section 201 and 301 of the Trade Act of 1974 and Section 232 of the Trade Expansion Act of 1962..."

This incident places consumers in a difficult spot. According to the New York Times:

"Because Adups has not published a list of affected phones, it is not clear how users can determine whether their phones are vulnerable. “People who have some technical skills could,” Mr. Karygiannis, the Kryptowire vice president, said. “But the average consumer? No.” Ms. Lim [an attorney that represents Adups] said she did not know how customers could determine whether they were affected."

Until these supply-chain security issues get resolved it is probably wise for consumers to inquire before purchase where their Android phone was made. There are plenty of customer service sites for existing Android phone owners to determine the country their device was made in. Example: Samsung phone info.

Should consumers avoid buying Android phones made in China or Android phones with firmware made in China? That's a decision only you can make for yourself. Me? When I changed wireless carriers in July, I switched an inexpensive Android phone I'd bought several years ago to an Apple iPhone.

What are your thoughts about the surveillance malware? Would you buy an Android phone?