ExpressVPN Survey Indicates Americans Care About Privacy. Some Have Already Taken Action

ExpressVPN published the results of its privacy survey. The survey, commissioned by ExpressVPN and conducted by Propeller Insights, included a representative sample of about 1,000 adults in the United States.

Overall, 29.3% of survey respondents said they already use had used a virtual private network (VPN) or a proxy network. Survey respondents cited three broad reasons for using a VPN service: 1) to avoid surveillance, 2) to access content, and 3) to stay safe online. Detailed survey results about surveillance concerns:

"The most popular reasons to use a VPN are related to surveillance, with 41.7% of respondents aiming to protect against sites seeing their IP, 26.4% to prevent their internet service provider (ISP) from gathering information, and 16.6% to shield against their local government."

Who performs the surveillance matters to consumers. People are more concerned with surveillance by companies than by law enforcement agencies within the U.S. government:

"Among the respondents, 15.9% say they fear the FBI surveillance, and only 6.4% fear the NSA spying on them. People are by far most worried about information gathering by ISPs (23.2%) and Facebook (20.5%). Google spying is more of a worry for people (5.9%) than snooping by employers (2.6%) or family members (5.1%).

Concerns with internet service providers (ISPs) are not surprising since these telecommunications company enjoy a unique position enabling them to track all online activities by consumers. Concerns about Facebook are not surprising since it tracks both users and non-users, similar to advertising networks. The "protect against sites seeing their IP" suggests that consumers, or at least VPN users, want to protect themselves and their devices against advertisers, advertising networks, and privacy-busting mobile apps which track their geo-location.

Detailed survey results about content access concerns:

"... 26.7% use [a VPN service] to access their corporate or academic network, 19.9% to access content otherwise not available in their region, and 16.9% to circumvent censorship."

The survey also found that consumers generally trust their mobile devices:

" Only 30.5% of Android users are “not at all” or “not very” confident in their devices. iOS fares slightly better, with 27.4% of users expressing a lack of confidence."

The survey uncovered views about government intervention and policies:

"Net neutrality continues to be popular (70% more respondents support it rather then don’t), but 51.4% say they don’t know enough about it to form an opinion... 82.9% also believe Congress should enact laws to require tech companies to get permission before collecting personal data. Even more, 85.2% believe there should be fines for companies that lose users’ data, and 90.2% believe there should be further fines if the data is misused. Of the respondents, 47.4% believe Congress should go as far as breaking up Facebook and Google."

The survey found views about smart devices (e.g., door bells, voice assistants, smart speakers) installed in many consumers' homes, since these devices are equipped with always-on cameras and/or microphones:

"... 85% of survey respondents say they are extremely (24.7%), very (23.4%), or somewhat (28.0%) concerned about smart devices monitoring their personal habits... Almost a quarter (24.8%) of survey respondents do not own any smart devices at all, while almost as many (24.4%) always turn off their devices’ microphones if they are not using them. However, one-fifth (21.2%) say they always leave the microphone on. The numbers are similar for camera use..."

There are more statistics and findings in the entire survey report by ExpressVPN. I encourage everyone to read it.


New York State Strengthens Its Data Breach Laws

To help its residents, the State of New York has improved its existing data breach law. Governor Andrew Cuomo signed two bills on July 25th:

"The Governor signed the Stop Hacks and Improve Electronic Data Security - or SHIELD - Act (S.5575B/A.5635), which imposes stronger obligations on businesses handling private data to provide proper notification to affected consumers when there is a security breach. The Governor also signed legislation (A.2374/S.3582) requiring consumer credit reporting agencies to offer identity theft prevention and mitigation services to consumers who have been affected by a security breach of the agency's system."

The Governor's announcement emphasized the importance of the state's laws keeping pace with rapid advances in technology. To address new technologies, the SHIELD Act will provide stronger protections by:

"1) Broadening the scope of information covered under the notification law to include biometric information and email addresses with their corresponding passwords or security questions and answers; 2) Updating the notification requirements and procedures that companies and state entities must follow when there has been a breach of private information; 3) Extending the notification requirement to any person or entity with private information of a New York resident, not just those who conduct business in New York State; 4) Expanding the definition of a data breach to include unauthorized access to private information; and 5) Creating reasonable data security requirements tailored to the size of a business."

The full text of the SHIELD Act legislation is available here. The SHIELD Act will go into effect on March 21, 2020. The announcement also mentioned Equifax:

"In late July 2017, one of the three main credit reporting agencies, Equifax Inc., experienced a major data breach involving personal information, including social security numbers... the company's response was insufficient and it is unacceptable that consumers were left to bear the burden to protect their own identities even though their information was stolen at no fault of their own. On July 22, 2019, Governor Cuomo, the State Department of Financial Services and State Attorney General James announced a $19.2 million settlement with Equifax over the data breach. As part of that settlement, Equifax agreed to provide New York consumers with credit monitoring services and free annual credit reports, and the company will pay restitution to consumers affected by the breach..."

So, it seems that Equifax's breach and data security failures factored into the new legislation. The announcement also explained the new Identity Theft Prevention and Mitigation Services (A.2374/S.3582) legislation:

This legislation establishes the minimal amount of long-term protections to consumers who are affected by a data breach from a credit reporting agency. It requires credit reporting agency that suffers a breach of information containing consumer social security numbers to provide five-year identity theft prevention services, and if applicable, identity theft mitigation services to affected customers. Additionally, the legislation requires credit reporting agencies to inform consumers on credit freezes of a breach of data involving a social security number, and provides consumers with the right to freeze their credit at no cost. The bill... applies to any breach of the security of a consumer credit reporting agency that occurred no more than three years prior to the effective date of this act."

The A.2374/S.3582 bill will go into effect on September 23, 2019. The retroactive coverage of three years is good as it ensures credit reporting agencies with recent data breaches cannot escape responsibility.

Consumer reporting agencies enjoy a unique position as consumers cannot opt out of having their credit reports covered by Experian, Equifax, and TransUnion. Some people would call that corporate welfare. It would be great if consumers had the right to remove their credit reports from credit reporting agencies that practice poor data security with repeated data breaches. Consumers have that right with retail stores -- you can stop shopping at stores with poor data security and multiple data breaches.

In related news, JD Supra reported about proposed legislation:

"... New York City lawmakers have proposed a bill that would make it unlawful for a mobile app developer or telecommunications carrier to share a customer’s location data without an authorized purpose if the data was collected from the customer’s device within the city. The bill broadly defines the term “share” as making “location data available to another person, whether for a fee or otherwise,” suggesting that selling information is unlawful without an authorized purpose such as customer consent. The bill allows for a private right of action, including penalties for violations of $1,000 per violation, with a maximum penalty of $10,000 per day per person whose location data was unlawfully shared, as well as attorney’s fees."

To learn more, read about new data breach legislation in other states this year.


How a Top Chicken Company Cut Off Black Farmers, One by One

[Editor's note: today's guest post, by reporters at ProPublica, discusses business practices with the poultry-processing industry, allegations of price fixing, decreased regulations and oversight, and the impacts upon small businesses. It is reprinted with permission.]

By Isaac Arnsdorf, ProPublica

After years of working as a sheriff’s deputy and a car dealership manager, John Ingrum used his savings to buy a farm some 50 miles east of Jackson, Mississippi. He planned to raise horses on the land and leave the property to his son.

The farm, named Lovin’ Acres, came with a few chicken houses, which didn’t really interest Ingrum. But then a man showed up from Koch Foods, the country’s fifth-largest poultry processor and one of the main chicken companies in Mississippi. Koch Foods would deliver flocks and feed — all Ingrum would have to do is house the chicks for a few weeks while they grew big enough to slaughter. The company representative wowed Ingrum with projections for the stream of income he could earn, Ingrum recalled in an interview.

What Ingrum didn’t know was that those financial projections overlooked many realities of modern farming in the U.S., where much of the country’s agricultural output is controlled by a handful of giant companies. The numbers didn’t reflect the debt he might have to incur to configure his chicken houses to the company’s specifications. Nor did they reflect the risk that the chicks could show up sick or dead, or that the company could simply stop delivering flocks.

And that growing concentration of corporate power in agriculture would only add to the long odds Ingrum, as a black farmer, faced in the United States, where just 1.3% of the country’s farmers are black.

The shadow of slavery, sharecropping and Jim Crow has left black farmers in an especially precarious position. Their farms tend to be smaller and their sales lower than the national average, according to data from the U.S. Department of Agriculture. While white farmers benefited from government assistance such as the Homestead Act and land-grant universities, black farmers were largely excluded from owning land and accumulating wealth. In recent decades, black farmers accused the USDA of discriminating against them by denying them loans or forcing them to wait longer, resulting in a class-action lawsuit that settled for more than $1 billion.

Along with these historical disadvantages, black farmers say they have also encountered bias in dealing with some of the corporate giants that control their livelihood. In complaints filed with the USDA between 2010 and 2015, Ingrum and another black farmer in Mississippi said Koch Foods discriminated against them and used its market control to drive them out of business.

After the complaints by the farmers, an investigator for the USDA, which is responsible for regulating the industry, looked into Koch Foods’ dealings with those farmers and found “evidence of unjust discrimination,” according to a 700-page case file obtained by ProPublica. The investigator concluded that Koch Foods violated a law governing meat companies’ business practices.

The Trump administration has cut back on enforcing this law, with the USDA now conducting fewer investigations and imposing fewer fines, as ProPublica has reported. Koch Foods hasn’t faced any penalty.

Koch Foods declined to provide an interview with any of its executives or to answer detailed questions about its dealings with black farmers in Mississippi. A lawyer for the company said it denies wrongdoing.

The five largest chicken companies now make up 61% of the market, compared with 34% in the hands of the top four firms in 1986. As the biggest companies expanded their control, they raised farmers’ average pay by a mere 2.5 cents a pound from 1988 to 2016, while the wholesale price of chicken rose by 17.4 cents a pound, according to data from the USDA and the National Chicken Council.

Mississippi is the fifth-largest poultry-producing state, with more than 1,300 chicken farms. In a state where the population is 38% black, only 96 of those farms were operated by African Americans in 2012, the most recent USDA data available. From 2009 to 2017, Koch Foods went from having contracts with four black farmers in Mississippi to zero.

Koch (pronounced “cook”) Foods is based outside Chicago and supplies chicken, often sold under other brands, to major restaurants and retailers such as Burger King, Kroger and Walmart. The company, which is privately held, is not part of the business empire of the conservative billionaires Charles Koch and David Koch. The owner of Koch Foods, Joseph Grendys, has a fortune that Forbes estimates at $3.1 billion.

After Ingrum signed his contract to grow chickens for Koch Foods, in 2002, different company representatives kept coming with lists of expensive modifications they wanted Ingrum to make, according to an affidavit he provided to the USDA investigator. After Ingrum met all the specifications, the next representative went back on what the previous one said and wanted things done a different way, Ingrum said in the affidavit.

Chicken companies usually say they update their specifications to improve animal welfare or respond to consumer preferences like avoiding antibiotics. But Ingrum couldn’t find much logic in the changes Koch Foods wanted him to make. One service technician directed Ingrum to install lights in one place, the next one someplace else. Another time, the company wanted Ingrum to move a power line, even though it was out of the way of the feed trucks and bins. That cost him $6,000.

According to Ingrum’s affidavit, when he met with a manager about the shifting demands, the manager said, derisively, “I had a couple of y’all when I was at Sanderson,” another big chicken company. Ingrum asked the manager, who was white, what he meant by that. The manager didn’t answer Ingrum. Reached by ProPublica on his cellphone, the manager hung up.

Ingrum suspected that the truck drivers who delivered feed were shortchanging him, so he installed sensors to alert him when the drivers arrived. In 2007, according to his affidavit, Ingrum caught a driver failing to fill a whole feed bin. The company brushed it off as an honest mistake. But Ingrum had heard of drivers asking farmers for payoffs to get more feed, according to the affidavit.

In 2009, Ingrum spent $50,000 on renovations that Koch wanted. Then the company wanted Ingrum to rebuild his compost shed. That was another $5,000. Then Koch Foods said the shed had to be certified by a government inspector. Ingrum called the agency, which said the shed didn’t require approval and they only sent an inspector out once a year.

With Koch Foods delivering flocks to Ingrum’s farm less frequently than expected, he was making less money and falling behind on his loan payments. He looked into selling his farm. When a prospective buyer from Florida called Koch to inquire about a contract with them, a Koch employee scared him off by saying Ingrum’s farm needed $100,000 in repairs, according to Ingrum’s affidavit. The employee also swore at Ingrum’s real estate agent and spread a rumor that the bank had foreclosed, according to the affidavit. That wasn’t true, but it was becoming increasingly hard to avoid.

In 2010, Ingrum heard that the Obama administration was making a push to help farmers who were getting squeezed by consolidation in agriculture. Attorney General Eric Holder and Agriculture Secretary Tom Vilsack were going around the country to hear from farmers about the problems in their markets. When they came to neighboring Alabama to meet with chicken farmers, Ingrum went and spoke on a panel.

At the hearing, Ingrum recounted how the company would pay him less if the birds were sick or underfed, even though the company supplied the chicks and the feed. Ingrum said he’d received a tray of 100 chicks with 35 to 40 already dead. Another time, he ran out of feed for three days and the chickens started eating one another.

“There’s no way it could be fair,” he said at the hearing, according to the transcript. “I had no control over the feed that they brought me.”

That night, when Ingrum returned home to Lovin’ Acres Farm, he found a note from Koch Foods saying his contract had expired.

The USDA investigator later inquired whether it was “solely a coincidence” that Koch Foods left the note at Ingrum’s farm on the same day he attended the hearing 300 miles away. A company supervisor said he “could not say.”

“I never got another chicken after going to that meeting over there in Alabama,” Ingrum, 55, said in an interview. “They put me slap out of business.”

As Ingrum ran out of money, the power company cut his electricity, but he refused to leave for three months. His former colleagues at the sheriff’s office had to come remove him. For the next five years, he stayed with relatives until he scraped together enough money from working at a car dealership to get back on his feet.

“Twenty years, everything I worked for, I lost it in one summer,” Ingrum said. “It just ruined me.”

Around the same time, two other black farmers in the area also stopped growing chickens for Koch Foods. Out of 173 chicken farmers under contract with Koch Foods in Mississippi, there was only one African American left. His name was Carlton Sanders.

Ingrum said he warned Sanders: “They’re coming after you, Carlton. You next.”

Sanders’ farm was in a nearby town called Lena. He had been in the business since 1992. Back then, he worked with a local family business called BC Rogers, which he said always treated him professionally. He used the chicken manure to fertilize his vegetable garden, and he took pride in his trees growing figs, pears and apricots. “I just had everything set,” Sanders said.

When Koch Foods bought BC Rogers in 2001, everything changed, Sanders said. Sanders’ performance was above average, according to the ranking system that the company used to pay farmers. But he felt singled out for disadvantages.

“I’ve never been treated like that by anybody,” Sanders, 63, said. “It was just like I was in hell with them.”

In 2014, Koch Foods wanted Sanders to make $105,000 worth of improvements, according to the USDA case file. Then Sanders borrowed an additional $93,000 to buy new curtains, insulation, cables and heaters. Suddenly, he owed a total of $295,000, but he made his payments on time, according to financial records reviewed by ProPublica.

The next year, Koch Foods informed its farmers of a new requirement for the ventilation in their chicken houses. Sanders went to his bank to see about another loan. The loan officer called the manager at Koch Foods and sent a follow-up email asking for “a listing of needed improvements that Koch Foods is requiring.”

The manager never responded directly to the banker. Instead, the company gave Sanders an “update list” with 23 items. Sanders gave the list to his banker, who understood it to be the company’s response to his inquiry. Sanders obtained work estimates for the 23 updates, amounting to $318,000, according to the case file.

The banker advised Sanders not to apply for another loan and to consider selling his farm instead. Meanwhile, Koch Foods stopped giving Sanders chickens to raise.

Sanders asked around and realized other farmers hadn’t gotten the same 23-item “update list.” So in December 2015, he filed a complaint with the USDA.

The complaint was assigned to a government attorney in Atlanta named Wayne Basford. Basford had also looked into Ingrum’s case, stretching back to 2010. Over the years, Basford had collected affidavits attesting to Koch employees’ calling black farmers “niggers” (the employees denied it), and he observed that the office staff was all white. He also noted that the Equal Employment Opportunity Commission was suing Koch Foods, alleging sexual harassment, retaliation and discrimination against Hispanic employees in Mississippi. (The company later paid $3.75 million to settle the lawsuit, though it did not admit wrongdoing.)

In February 2016, Basford notified Koch Foods that he was investigating a new complaint he’d received, without mentioning Sanders. Koch Foods’ lawyer responded by criticizing the condition of Sanders’ farm and, at the same time, denying that the company asks farmers to make “upgrades.”

As Basford inquired about the 23-item “update list” that only Sanders received, Koch Foods said these were optional. The list used the word “must” six times and never said the updates were voluntary.

“I hate to say it, but they just don’t like black people,” Sanders said. “There are no black people in the office — they don’t even want black people cleaning up after them.”

Basford asked to schedule a meeting with Koch Foods’ executives to present his findings. The company’s lawyer, Scott Pedigo, of the firm Baker Donelson in Jackson, Mississippi, called Basford to suggest meeting with local managers instead, according to emails included in the case file. Basford insisted on speaking with the top executives “due to the potential gravity of the situation.”

In July 2017, Basford and two colleagues from the USDA met in Birmingham, Alabama, with Koch Foods’ chief operating officer, Mark Kaminsky, along with two other executives and Pedigo. Grendys, Koch Foods’ billionaire owner, did not attend, but Basford sent Grendys a copy of his slides.

In the presentation, Basford said Koch Foods’ actions toward Sanders, combined with its treatment of Ingrum and the other black farmers, was “evidence of unjust discrimination.” Chicken companies are prohibited from engaging in “unfair, unjustly discriminatory or deceptive” business practices under the Packers and Stockyards Act of 1921. The Obama administration tried to tighten enforcement of this law by proposing new regulations to spell out what those prohibited practices are. But the meat industry lobbied Congress to block the proposed rules by withholding funding from the USDA. When the Trump administration came in, it swiftly prevented the rules from taking effect.

So when Basford presented his findings to the Koch Foods executives in July 2017, he included all the evidence of discrimination, but he alleged a narrower violation: that Koch Foods failed to notify Sanders of why it stopped delivering chickens to his farm. In response, Pedigo argued that the notification nine months earlier about the new ventilation requirement was enough.

The notice requirement had been strengthened by the Obama administration, but Congress reversed the change in 2015. That made it harder for Basford’s case to stick.

Basford, who declined to comment for this article, submitted the case for the USDA’s lawyers to evaluate possible next steps, such as seeking a fine against Koch Foods. The agency hasn’t taken any action so far. A USDA spokesman said the investigation is “ongoing” and the agency is coordinating with the Department of Justice.

Meanwhile, Basford tried to mediate between Koch Foods and Sanders. In the months following Basford’s presentation in 2017, he pushed Koch Foods to resume delivering chickens to Sanders’ farm so that Sanders could save it from foreclosure.

Pedigo responded with a list of 10 repairs that Sanders would have to make first. Seven were among the 23 fixes that the company had previously insisted were optional.

Basford wanted Koch Foods to assure Sanders that if he spent the money to make the latest repairs, the company would start bringing him chickens again. The company wouldn’t agree.

In the end, all Koch Foods agreed to was “reviewing its policies and programs.” Pedigo told Basford the company has a “commitment to treating all of its independent contract growers equally and with dignity and respect.”

In response to questions from ProPublica about Ingrum and Sanders, Pedigo declined to comment on the specific allegations in Basford’s investigation. In a statement, he said, “Koch Foods applies its standards and expectations to all growers uniformly without regard to race or any other protected status and has never discriminated against any grower on such basis.”

Kaminsky, the Koch Foods COO who attended Basford’s presentation, last October became chairman of the National Chicken Council, the industry’s trade group.

Koch Foods and other top chicken companies — Tyson Foods, Pilgrim’s Pride, Sanderson Farms and Perdue Farms — are fighting multiple lawsuits from retailers, distributors and farmers accusing them of conspiring to fix prices. The companies have denied the allegations. In one of the cases, the Justice Department’s Antitrust Division asked the judge on June 21 to freeze discovery in order to protect an ongoing criminal investigation.

The USDA is now doing fewer investigations like Basford’s. His office finished 1,873 investigations in 2017, the most recent data available, down from 2,588 in 2012. Penalties for violating the Packers and Stockyards Act dropped from $3.2 million in 2013 to as little as $243,850 in 2018, according to preliminary case data on the USDA’s website.

The enforcement office, known as the Grain Inspection, Packers and Stockyards Administration, or GIPSA, was dissolved as part of a department-wide reorganization. The USDA shifted responsibility for enforcing the Packers and Stockyards Act into another division whose primary purpose is helping companies boost sales. The staff in the Packers and Stockyards Division has decreased to 137 from 166 in 2010.

Sanders found himself in a downward spiral after the dispute with Koch Foods. He had a stroke and a heart attack. The bank foreclosed on his farm and he filed for bankruptcy. His wife left him. These days, he’s living on food stamps plus whatever he gets from hunting and fishing.

“I’ve been about as dead as somebody can go without being dead,” he said. “I’m trying to hold my head up, that’s all I can do.”

On Sundays, Sanders passes by his old farm on his way to church. The farm is just sitting there, still up for sale, lying fallow. Sometimes, he takes a long way around to avoid seeing it.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.


Researcher Uncovers Several Browser Extensions That Track Users' Online Activity And Share Data

Many consumers use web browsers since websites contain full content and functionality, versus pieces of websites in mobile apps. A researcher has found that as many as four million consumers have been affected by browser extensions, the optional functionality for web browsers, which collected sensitive personal and financial information.

Ars Technica reported about DataSpii, the name of the online privacy issue:

"The term DataSpii was coined by Sam Jadali, the researcher who discovered—or more accurately re-discovered—the browser extension privacy issue. Jadali intended for the DataSpii name to capture the unseen collection of both internal corporate data and personally identifiable information (PII).... DataSpii begins with browser extensions—available mostly for Chrome but in more limited cases for Firefox as well—that, by Google's account, had as many as 4.1 million users. These extensions collected the URLs, webpage titles, and in some cases the embedded hyperlinks of every page that the browser user visited. Most of these collected Web histories were then published by a fee-based service called Nacho Analytics..."

At first glance, this may not sound important, but it is. Why? First, the data collected included the most sensitive and personal information:

"Home and business surveillance videos hosted on Nest and other security services; tax returns, billing invoices, business documents, and presentation slides posted to, or hosted on, Microsoft OneDrive, Intuit.com, and other online services; vehicle identification numbers of recently bought automobiles, along with the names and addresses of the buyers; patient names, the doctors they visited, and other details listed by DrChrono, a patient care cloud platform that contracts with medical services; travel itineraries hosted on Priceline, Booking.com, and airline websites; Facebook Messenger attachments..."

I'll bet you thought your Facebook Messenger stuff was truly private. Second, because:

"... the published URLs wouldn’t open a page unless the person following them supplied an account password or had access to the private network that hosted the content. But even in these cases, the combination of the full URL and the corresponding page name sometimes divulged sensitive internal information. DataSpii is known to have affected 50 companies..."

Ars Technica also reported:

"Principals with both Nacho Analytics and the browser extensions say that any data collection is strictly "opt in." They also insist that links are anonymized and scrubbed of sensitive data before being published. Ars, however, saw numerous cases where names, locations, and other sensitive data appeared directly in URLs, in page titles, or by clicking on the links. The privacy policies for the browser extensions do give fair warning that some sort of data collection will occur..."

So, the data collection may be legal, but is it ethical -- especially if the anonymization is partial? After the researcher's report went public, many of the suspect browser extensions were deleted from online stores. However, extensions already installed locally on users' browsers can still collect data:

"Beginning on July 3—about 24 hours after Jadali reported the data collection to Google—Fairshare Unlock, SpeakIt!, Hover Zoom, PanelMeasurement, Branded Surveys, and Panel Community Surveys were no longer available in the Chrome Web Store... While the notices say the extensions violate the Chrome Web Store policy, they make no mention of data collection nor of the publishing of data by Nacho Analytics. The toggle button in the bottom-right of the notice allows users to "force enable" the extension. Doing so causes browsing data to be collected just as it was before... In response to follow-up questions from Ars, a Google representative didn't explain why these technical changes failed to detect or prevent the data collection they were designed to stop... But removing an extension from an online marketplace doesn't necessarily stop the problems. Even after the removals of Super Zoom in February or March, Jadali said, code already installed by the Chrome and Firefox versions of the extension continued to collect visited URL information..."

Since browser developers haven't remotely disabled leaky browser extensions, the burden is on consumers. The Ars Technica report lists the leaky browser extensions by name. Since online stores can't seem to consistently police browser extensions for privacy compliance, again the burden falls upon consumers.

The bottom line: browser extensions can easily compromise your online privacy and security. That means like any other software, wise consumers: read independent online reviews first, read the developer's terms of use and privacy policy before installing the browser extension, and use a privacy-focused web browser.

Consumer Reports advises consumers to, a) install browser extensions only from companies you trust, and b) uninstall browser extensions you don't need nor use. For consumers that don't know how, the Consumer Reports article also lists step-by-step instructions to uninstall browser extensions in Google Chrome, Firefox, Safari, and Internet Explorer branded web browsers.


FBI Seeks To Monitor Twitter, Facebook, Instagram, And Other Social Media Accounts For Violent Threats

Federal Bureau of Investigation logo The U.S. Federal Bureau of Investigation (FBI) issued on July 8th a Request For Proposals (RFP) seeking quotes from technology companies to build a "Social Media Alerting" tool, which would enable the FBI to monitor in real-time accounts in several social media services for violence threats. The RFP, which was amended on August 7th, stated:

"The purpose of this procurement is to acquire the services of a company to proactively identify and reactively monitor threats to the United States and its interests through a means of online sources. A subscription to this service shall grant the Federal Bureau of Investigation (FBI) access to tools that will allow for the exploitation of lawfully collected/acquired data from social media platforms that will be stored, vetted and formatted by a vendor... This synopsis and solicitation is being issued as Request for Proposal (RFP) number DJF194750PR0000369 and... This announcement is supplemented by a detailed RFP Notice, an SF-33 document, an accompanying Statement of Objectives (SOO) and associated FBI documents..."

"Proactively identify" suggests the usage of software algorithms or artificial intelligence (AI). And, the vendor selected will archive the collected data for an undisclosed period of time. The RFP also stated:

"Background: The use of social media platforms, by terrorist groups, domestic threats, foreign intelligence services, and criminal organizations to further their illegal activity creates a demonstrated need for tools to properly identify the activity and react appropriately. With increased use of social media platforms by subjects of current FBI investigations and individuals that pose a threat to the United States, it is critical to obtain a service which will allow the FBI to identify relevant information from Twitter, Facebook, Instagram, and other Social media platforms in a timely fashion. Consequently, the FBI needs near real time access to a full range of social media exchanges..."

For context, in 2016 the FBI attempted to force Apple Computer to build "backdoor software" to unclock an alleged terrorist's iPhone in California. The FBI later found an offshore technology company to build its backdoor.

The documents indicate that the FBI wants its staff to use the tool at both headquarters and field-office locations globally, and with mobile devices. The SOO document stated:

"FBI personnel are deployed internationally and sometimes in areas of press censorship. A social media exploitation tool with international reach and paired with a strong language translation capability, can become crucial to their operations and more importantly their safety. The functions of most value to these individuals is early notification, broad international reach, instant translation, and the mobility of the needed capability."

The SOO also explained the data elements too be collected:

"3.3.2.2.1 Obtain the full social media profile of persons-of-interest and their affiliation to any organization or groups through the corroboration of multiple social media sources... Items of interest in this context are social networks, user IDs, emails, IP addresses and telephone numbers, along with likely additional account with similar IDs or aliases... Any connectivity between aliases and their relationship must be identifiable through active link analysis mapping..."
"3.3.3.2.1 Online media is monitored based on location, determined by the users’ delineation or the import of overlays from existing maps (neighborhood, city, county, state or country). These must allow for customization as AOR sometimes cross state or county lines..."

While the document mentioned "user IDs" and didn't mention passwords, the implication seems clear that the FBI wants both in order to access and monitor in real-time social media accounts. And, the "other Social Media platforms" statement raises questions. What is the full list of specific services that refers to? Why list only the three largest platforms by name?

As this FBI project proceeds, let's hope that the full list of social sites includes 8Chan, Reddit, Stormfront, and similar others. Why? In a study released in November of 2018, the Center for Strategic and International Studies (CSIS) found:

"Right-wing extremism in the United States appears to be growing. The number of terrorist attacks by far-right perpetrators rose over the past decade, more than quadrupling between 2016 and 2017. The recent pipe bombs and the October 27, 2018, synagogue attack in Pittsburgh are symptomatic of this trend. U.S. federal and local agencies need to quickly double down to counter this threat. There has also been a rise in far-right attacks in Europe, jumping 43 percent between 2016 and 2017... Of particular concern are white supremacists and anti-government extremists, such as militia groups and so-called sovereign citizens interested in plotting attacks against government, racial, religious, and political targets in the United States... There also is a continuing threat from extremists inspired by the Islamic State and al-Qaeda. But the number of attacks from right-wing extremists since 2014 has been greater than attacks from Islamic extremists. With the rising trend in right-wing extremism, U.S. federal and local agencies need to shift some of their focus and intelligence resources to penetrating far-right networks and preventing future attacks. To be clear, the terms “right-wing extremists” and “left-wing extremists” do not correspond to political parties in the United States..."

The CSIS study also noted:

"... right-wing terrorism commonly refers to the use or threat of violence by sub-national or non-state entities whose goals may include racial, ethnic, or religious supremacy; opposition to government authority; and the end of practices like abortion... Left-wing terrorism, on the other hand, refers to the use or threat of violence by sub-national or non-state entities that oppose capitalism, imperialism, and colonialism; focus on environmental or animal rights issues; espouse pro-communist or pro-socialist beliefs; or support a decentralized sociopolitical system like anarchism."

Terrorism is terrorism. All of it needs to be prosecuted including left-, right-, domestic, and foreign. (This prosecutor is doing the right thing.) It seems wise to monitor the platform where suspects congregate.

This project also raises questions about the effectiveness of monitoring social media? Will this really works. Digital Trends reported:

"Companies like Google, Facebook, Twitter, and Amazon already use algorithms to predict your interests, your behaviors, and crucially, what you like to buy. Sometimes, an algorithm can get your personality right – like when Spotify somehow manages to put together a playlist full of new music you love. In theory, companies could use the same technology to flag potential shooters... But preventing mass shootings before they happen raises thorny legal questions: how do you determine if someone is just angry online rather than someone who could actually carry out a shooting? Can you arrest someone if a computer thinks they’ll eventually become a shooter?"

Some social media users have already experienced inaccuracies (failures?) when sites present irrelevant advertisements and/or political party messaging based upon supposedly accurate software algorithms. The Digital Trends article also dug deeper:

"A Twitter spokesperson wouldn’t say much directly about Trump’s proposal, but did tell Digital Trends that the company suspended 166,513 accounts connected to the promotion of terrorism during the second half of 2018... Twitter also frequently works to help facilitate investigations when authorities request information – but the company largely avoids proactively flagging banned accounts (or the people behind them) to those same authorities. Even if they did, that would mean flagging 166,513 people to the FBI – far more people than the agency could ever investigate."

Then, there is the problem of the content by users in social media posts:

"Even if someone does post to social media immediately before they decide to unleash violence, it’s often not something that would trip up either Twitter or Facebook’s policies. The man who killed three people at the Gilroy Garlic Festival in Northern California posted to Instagram from the event itself – once calling the food served there “overprices” and a second that told people to read a 19th-century pro-fascist book that’s popular with white nationalists."

Also, Amazon got caught up in the hosting mess with 8Chan. So, there is more news to come.

Last, this blog post explored the problems with emotion recognition by facial-recognition software. Let's hope this FBI project is not a waste of taxpayer's hard-earned money.


At Least 3 Countries Warn Their Citizens About Travel To The USA

After several mass shooting incidents in the United States, several countries have issued travel warnings for their citizens visiting the United States. Fox 2 Now News in St. Louis reported:

"The Japanese Consul in Detroit on Sunday published an alert that said Japanese nationals "should be aware of the potential for gunfire incidents everywhere in the United States," which it described as "a gun society." Uruguay’s Office of Foreign Ministry issued an advisory Monday saying citizens should "take precaution amid the growing indiscriminatory violence, specifically hate crimes including racism and discrimination" when traveling to the United States. The alert noted that other factors, such as the "indiscriminate possession of firearms by the population" and the "impossibility of authorities to prevent these situations," were among some of the reasons... Uruguay’s warning also suggested avoiding the cities of Detroit, Baltimore and Albuquerque... Venezuela’s Foreign Ministry office also issued a warning to its residents Monday, saying Venezuelans should postpone their travels or exercise caution when traveling as a result of the events in El Paso, Texas, and Dayton, Ohio... The statement from Venezuela cites a Forbes article listing these US cities as places to avoid: "Given all of the above, it is suggested above all to avoid visiting some cities that are among the 20 most dangerous in the world, such as Cleveland, Ohio; Detroit, Michigan; Baltimore, Maryland; St. Louis, Missouri; Oakland, California; Memphis, Tennessee; Birmingham, Alabama; Atlanta Georgia; Stockton, and Buffalo." "

CNN reported:

"In April, the US State Department gave Venezuela its highest travel advisory, Level 4: Do Not Travel, citing crime, civil unrest and the arbitrary arrest and detention of US citizens. Venezuela was ranked as the most dangerous country in the world for the second straight year, according to a Gallup survey in 2018. It is one of 13 countries issued the highest advisory. Uruguay is listed as a Level 2: Exercise Increased Caution on the State Department's travel advisory."

These travel warnings by other countries cannot be good news for the tourism and travel industries in the USA. It makes one wonder how many jobs will be lost, or how many workers will be furloughed, as foreign travelers avoid visits to the USA.

And, this follows a January, 2018 report which found that, "since 2015, the U.S. and Turkey have been the only places among the top dozen global travel destinations to experience a decline in inbound visitors." So, the recent travel warnings are bad news on top of existing bad news.

What are your opinions? If you have heard of another country issuing warnings about travel to the USA, please share that below.


What Can Be Done Right Now to Stop a Basic Source of Health Care Fraud

[Editor's note: today's post, by reporters at ProPublica, discusses fixes for the security issues discussed in a prior post. It is reprinted with permission.]

By Marshall Allen, ProPublica

In our story about the convicted health care con man David Williams, we detailed how the Texas personal trainer made off with millions by billing some of the nation’s largest health insurers as if he were a doctor providing medical services.

Williams cannily exploited gaping loopholes in the health insurance system that allowed him almost unfettered entry. Taking commonsense steps to close those loopholes, experts say, could block other fraudsters from entry.

1. No one checks to see whether people getting federal ID numbers that allow them to bill insurers have valid licenses. They could.

Anyone billing an insurance company needs a National Provider Identifier, or NPI number. The number is obtained through Medicare, a federal agency that covers people over 65 as well as those with disabilities. But Medicare doesn’t verify that NPI applicants who claim to be licensed are, indeed, licensed by their state’s regulators. The agency could do a license check in less than a minute online or in milliseconds if the process is automated.

Medicare said federal regulations do not allow it to verify NPI applicants’ credentials, so the Department of Health and Human Services might need to revise the regulations. Congress could also order the reform.

2. Insurance companies don’t always verify that the people they are paying are licensed medical providers. They could.

Williams avoided scrutiny from insurers by billing as an out-of-network provider, so he didn’t have a contract with them and didn’t have his credentials verified before receiving payments. At Williams’ trial on federal fraud charges, representatives from the insurance companies testified that it’s not cost effective to review every claim. Almost all are automatically paid.

At a minimum, insurers could ensure that anyone billing them has the proper licensing before a payment is made. Again, this screening would take seconds or less.

Regulators could also require that insurers verify the licenses of those they pay. Some experts say it may take state and federal legislation to mandate it. Officials from America’s Health Insurance Plans, the trade group for the insurers, declined to comment on this suggestion.

3. Insurance companies aren’t reporting most cases of suspected fraud to state and federal regulators. They could.

Many states have a law in place that requires insurers to report suspected cases of fraud to state regulators. This allows regulators to spot serial fraudsters and trends, and it helps officials build criminal and civil cases. But the states have a mishmash of requirements, and many don’t do audits to make sure cases are being reported.

At least three insurance companies caught Williams committing fraud. But the Texas Department of Insurance only received one referral about the case, according to internal documents. If all three insurers that Williams defrauded had referred him, his case could have been prioritized and stopped sooner.

The existing state laws don’t apply to self-funded plans where employers pay for the health benefits. Those are overseen by the federal government. And no federal law requires insurers who administer self-funded plans to report suspected cases of fraud.

State and federal laws would need to be changed to require the consistent reporting of suspected fraud. Experts say audits, and the potential for fines, may also be needed to spur the insurers to file the reports.

Filed under:

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.


Emotion Recognition: Facial Recognition Software Based Upon Valid Science or Malarkey?

The American Civil Liberties Union (ACLU) reported:

"Emotion recognition is a hot new area, with numerous companies peddling products that claim to be able to read people’s internal emotional states, and artificial intelligence (A.I.) researchers looking to improve computers’ ability to do so. This is done through voice analysis, body language analysis, gait analysis, eye tracking, and remote measurement of physiological signs like pulse and breathing rates. Most of all, though, it’s done through analysis of facial expressions.

A new study, however, strongly suggests that these products are built on a bed of intellectual quicksand... after reviewing over 1,000 scientific papers in the psychological literature, these experts came to a unanimous conclusion: there is no scientific support for the common assumption “that a person’s emotional state can be readily inferred from his or her facial movements.” The scientists conclude that there are three specific misunderstandings “about how emotions are expressed and perceived in facial movements.” The link between facial expressions and emotions is not reliable (i.e., the same emotions are not always expressed in the same way), specific (the same facial expressions do not reliably indicate the same emotions), or generalizable (the effects of different cultures and contexts has not been sufficiently documented)."

Another reason why this is important:

"... an entire industry of automated purported emotion-reading technologies is quickly emerging. As we wrote in our recent paper on “Robot Surveillance,” the market for emotion recognition software is forecast to reach at least $3.8 billion by 2025. Emotion recognition (aka “affect recognition” or “affective computing”) is already being incorporated into products for purposes such as marketing, robotics, driver safety, and audio “aggression detectors.”

Regular readers of this blog are familiar with aggression detectors and the variety of industries where the technology is already deployed. And, one police body-cam maker says it won't deploy facial recognition in its products due to problems with the technology.

Yes, reliability matters -- especially when used for surveillance purposes. Nobody wants law enforcement making decisions about persons based upon software built using unreliable or fake science masquerading as reliable, valid science. Nobody wants education and school officials making decisions about students using unreliable software. Nobody wants hospital administrators and physicians making decisions about patients based upon unreliable software.

What are your opinions?


White Hat Hacker: Social Media Is a 'Goldmine For Details' For Cyberattacks Targeting Companies

Many employees are their own worst enemy when they start a new job. In this Fast Company article, a white hat hacker explains the security fails by employees which compromise their employer's data security.

Stephanie “Snow” Carruthers, the chief people hacker within a group at IBM Inc., explained that hackers troll:

"... social media for photos, videos, and other clues that can help them better target your company in an attack. I know this because I’m one of them... I’m part of an elite team of hackers within IBM known as X-Force Red. Companies hire us to find gaps in their security – before the real bad guys do... Social media posts are a goldmine for details that aid in our “attacks.” What you find in the background of photos is particularly revealing... The first thing you may be surprised to know is that 75% of the time, the information I’m finding is coming from interns or new hires. Younger generations entering the workforce today have grown up on social media, and internships or new jobs are exciting updates to share. Add in the fact that companies often delay security training for new hires until weeks or months after they’ve started, and you’ve got a recipe for disaster..."

The obvious security fails include selfie photos by interns or new hires wearing their security badges, selfies showing log-in credentials on computer screens, and selfies showing passwords written on post-it notes attached to computer monitors. Less obvious security fails include group photos by interns or new hires with their work team. Group photos can help hackers identify team members to craft personalized and more effective phishing e-mails and text messages using co-workers' names, to trick recipients into opening attachments containing malware.

This highlights one business practice interns and new hires should understand. Your immediate boss or supervisor won't scour your social media accounts looking for security fails. Your employer will outsource the job to another company, which will.

If you just started a new job, don't be that clueless employee posting security fails to your social media accounts. Read and understand your employer's social media policy. If you are a manager, schedule security training for your interns and new hires ASAP.


Automated Following: The Technology For Platoons Of Self-Driving Trucks

The MediaPost Connected Thinking blog reported:

"At the Automated Vehicle Symposium in Orlando [in July], one company involved in automated vehicle technology unveiled its vision for using a single driver to drive a pair of vehicles. The approach, named Automated Following, is an advanced platooning system created by Peloton Technology. It uses vehicle-to-vehicle (V2V) technology to let a lead driver control the vehicle and one that is following, in this case large trucks... Platooning works by utilizing V2V communications and radar-based active braking systems, combined with vehicle control algorithms, according to Peloton. The system connects a fully automated follow truck with a driver-controlled lead truck. The V2V link lets the human driven lead truck guide the steering, acceleration and braking of the follow truck..."

To learn more, I visited the Peloton Technology website. The Platoon-Pro section of the site lists the benefits below:

Platooning benefits. Peloton-Pro at Peloton Technology website. July 20, 2019. Click to view larger version

While it's good to read about specific estimates of fuel savings, I was hoping to also read similar estimates about decreased crashes and/or decreased severity of crashes. The page simply listed the safety features.

The site's home page features a "Safety & Platoon" video explaining how a 2-truck platoon might operate. On an interstate highway, both trucks are manned with human drivers. (What happened to the single driver benefit?) The video also shows what happens when a passenger vehicle briefly "cuts" in between a 2-truck platoon:

According to the video, the drivers can vary the distance between two trucks in a platoon. That seems to be a good feature.

The technology raises several questions. First, the video features a "cut in" with a small car. What happens when a larger vehicle, such as a bus, cuts in? What happens when several (large) vehicles cut in between? Second, just because we humans can do something doesn't mean we should do it. 2-truck platoons in the near future could expand to 4- or 5-truck platoons after that. One wonders about the wisdom. Are highways, country roads, and city streets designed to accommodate truck platoons this large?

Third, my impression: a 2-truck platoon sounds like a short train. In the near future, motorists will have to navigate in-between and around platoons of self-driving tractor-trailer trucks. Are motorists ready for this? Historically, auto drivers have had difficulty with traditional railroad crossings. The technology seems to be something which requires plenty of testing.

Another way of asking the question: is this what we want on our streets and highways given existing railroads already designed for trains = long platoons of trucks?

Fourth, security matters. What's being done to prevent the technology being abused? Automated following technology in the hands of bad guys could enable terrorists to deliver platoons of car bombs, or platoons of small boats armed with bombs. So, security (against hacking and against theft) is even more of an issue.

What are your opinions?


Health Insurers Make It Easy for Scammers to Steal Millions. Who Pays? You.

[Editor's note: today's guest post, by reporters at ProPublica, discusses security and fraud issues within the health insurance industry. It is reprinted with permission.]

By Marshall Allen, ProPublica

Ever since her 14-year marriage imploded in financial chaos and a protective order, Amy Lankford had kept a wary eye on her ex, David Williams. Williams, then 51, with the beefy body of a former wrestler gone slightly to seed, was always working the angles, looking for shortcuts to success and mostly stumbling. During their marriage, Lankford had been forced to work overtime as a physical therapist when his personal training business couldn’t pay his share of the bills.

So, when Williams gave their three kids iPad Minis for Christmas in 2013, she was immediately suspicious. Where did he get that kind of money? Then one day on her son’s iPad, she noticed numbers next to the green iMessage icon indicating that new text messages were waiting. She clicked.

What she saw next made her heart pound. Somehow the iPad had become linked to her ex-husband’s personal Apple device and the messages were for him.

Most of the texts were from people setting up workouts through his personal training business, Get Fit With Dave, which he ran out of his home in Mansfield, Texas, a suburb of Fort Worth. But, oddly, they were also providing their birth dates and the group number of their health insurance plans. The people had health benefits administered by industry giants, including Aetna, Cigna and UnitedHealthcare. They were pleased to hear their health plans would now pay for their fitness workouts.

Lankford’s mind raced as she scrolled through the messages. It appeared her ex-husband was getting insurance companies to pay for his personal training services. But how could that be possible? Insurance companies pay for care that’s medically necessary, not sessions of dumbbell curls and lunges.

Insurance companies also only pay for care provided by licensed medical providers, like doctors or nurses. Williams called himself “Dr. Dave” because he had a Ph.D. in kinesiology. But he didn’t have a medical license. He wasn’t qualified to bill insurance companies. But, Lankford could see, he was doing it anyway.

As Lankford would learn, “Dr. Dave” had wrongfully obtained, with breathtaking ease, federal identification numbers that allowed him to fraudulently bill insurers as a physician for services to about 1,000 people. Then he battered the system with the bluntest of ploys: submit a deluge of out-of-network claims, confident that insurers would blindly approve a healthy percentage of them. Then, if the insurers did object, he gambled that they had scant appetite for a fight.

By the time the authorities stopped Williams, three years had passed since Lankford had discovered the text messages. In total, records show, he ran the scheme for more than four years, fraudulently billing several of the nation’s top insurance companies — United, Aetna and Cigna — for $25 million and reaping about $4 million in cash.

In response to inquiries, Williams sent a brief handwritten letter. He didn’t deny billing the insurers and defended his work, calling it an “unprecedented and beneficial opportunity to help many people.”

“My objective was to create a system of preventative medicine,” he wrote. Because of his work, “hundreds of patients” got off their prescription medication and avoided surgery.

There are a host of reasons health care costs are out-of-control and routinely top American’s list of financial worries, from unnecessary treatment and high prices to waste and fraud. Most people assume their insurance companies are tightly controlling their health care dollars. Insurers themselves boast of this on their websites.

In 2017, private insurance spending hit $1.2 trillion, according to the federal government, yet no one tracks how much is lost to fraud. Some investigators and health care experts estimate that fraud eats up 10% of all health care spending, and they know schemes abound.

Williams’ case highlights an unsettling reality about the nation’s health insurance system: It is surprisingly easy for fraudsters to gain entry, and it is shockingly difficult to convince insurance companies to stop them.

Williams’ spree also lays bare the financial incentives that drive the system: Rising health care costs boost insurers’ profits. Policing criminals eats away at them. Ultimately, losses are passed on to their clients through higher premiums and out-of-pocket fees or reduced coverage.

Insurance companies “are more focused on their bottom line than ferreting out bad actors,” said Michael Elliott, former lead attorney for the Medicare Fraud Strike Force in North Texas.

As Lankford looked at the iPad that day, she knew something else that made Williams’ romp through the health care system all the more surprising. The personal trainer had already done jail time for a similar crime, and Lankford’s father had uncovered the scheme.

Scanning her ex-husband’s texts, Lankford, then 47, knew just who to call. During the rocky end of her marriage, her dad had become the family watchdog. Jim Pratte has an MBA in finance and retired after a career selling computer hardware, but even the mention of Williams flushed his face red and ratcheted up his Texas twang. His former-son-in law is the reason he underwent firearms training.

Lankford lived a few minutes away from her parents in Mansfield. She brought her dad the iPad and they pored over message after message in which Williams assured clients that their insurance would cover their workouts at no cost to them.

Lankford and Pratte, then 68, were stunned at Williams’ audacity. They were sure the companies would quickly crackdown on what appeared to be a fraudulent scheme.

Especially because Williams had a criminal record.

In early 2006, while Williams and Lankford were going through their divorce, the family computer started freezing up. Lankford asked her dad to help her recover a document. Scrolling through the hard drive, Pratte came upon a folder named “Invoices,” and he suspected it had something to do with Williams.

His soon to be ex-son-in-law had had a promising start. He’d wrestled and earned bachelor’s and master’s degrees at Boise State University, and a Ph.D. at Texas A&M University, before landing a well-paying job as a community college professor in Arlington. But the glow faded when the school suddenly fired him for reasons hidden by a confidential settlement and by Williams himself, who refused to reveal them even to his wife.

Out of a job, Williams had hustled investments from their friends to convert an old Winn-Dixie grocery store into a health club called “Doc’s Gym.” The deal fell apart and everyone lost their money. The failure was written up in the local newspaper under the headline: “What’s up with Doc’s?”

Inside the “Invoices” folder, Pratte found about a dozen bills that appeared to be from a Fort Worth nonprofit organization where his daughter and Williams took their son Jake for autism treatment. As Pratte suspected, the invoices turned out to be fake. Williams had pretended to take Jake for therapy, then created the false bills so he could pocket a cash “reimbursement” from a county agency.

In November 2008, Williams pleaded guilty in Tarrant County District Court to felony theft. He was sentenced to 18 months in jail and was released on bail while he appealed.

Things took an even darker turn about two years later when Williams and Lankford’s 11-year-old son showed up to school with bruising on his face. Investigators determined that Williams had hit the boy in the face about 20 times. Williams pleaded guilty to causing bodily injury to a child, a felony, which, coupled with the bail violation, landed him in jail for about two years.

The time behind bars didn’t go to waste. Williams revised the business plan for Get Fit With Dave, concluding he needed to get access to health insurance.

Williams detailed his plans in letters to Steve Cosio, a tech-savvy friend who ran the Get Fit With Dave website in exchange for personal training sessions. Cosio, whose name later popped up on Lankford’s son’s iPad, kept the letters in their original envelopes and shared them with ProPublica. He said he never suspected Williams was doing anything illegal.

In his letters, Williams said that when he got out, instead of training clients himself, he would recruit clients and other trainers to run the sessions. “It has the potential for increased revenue.”

He asked Cosio to remove the term “personal training” from his website in another letter, adding “95 percent of my clients are paid for by insurance, which does not cover ‘personal training,’ I have to bill it as ‘therapeutic exercise.’ It is the same thing, but I have to play the insurance game … Insurance pays twice as much as cash pay so I have to go after that market.”

Williams downplayed his child abuse conviction — “I can honestly say that I am the only one in here for spanking their child” — and included a dig at his ex-father-in-law, Pratte: “an evil, evil man. He is the reason for my new accommodations.”

Williams told Cosio he needed to raise a quick $30,000 to pay an attorney to get him access to his children. “I will need to get a bunch of clients in a hurry.”

To set his plan in motion, Williams needed what is essentially the key that unlocks access to health care dollars: a National Provider Identifier, or NPI number. The ID number is little known outside the medical community but getting one through the federal government’s Medicare program is a rite of passage for medical professionals and organizations. Without it, they can’t bill insurers for their services.

One would think obtaining an NPI, with its stamp of legitimacy, would entail at least some basic vetting. But Williams discovered and exploited an astonishing loophole: Medicare doesn’t check NPI applications for accuracy — a process that should take mere minutes or, if automated, a millisecond. Instead, as one federal prosecutor later noted in court, Medicare “relies on the honesty of applicants.”

Records show Williams first applied for an NPI under his own name as far back as 2008. But it wasn’t until 2014 that Williams began to ramp up his scheme, even though now he wasn’t just unlicensed, he was a two-time felon. He got a second NPI under the company name, Kinesiology Specialists. The following year, he picked up another under Mansfield Therapy Associates. In 2016, he obtained at least 11 more, often for entities he created in the areas where he found fitness clients: Dallas, Nevada, North Texas and more. By 2017, he had 20 NPIs, each allowing him a new stream of billings.

For every NPI application, Williams also obtained a new employer identification number, which is used for tax purposes. But he never hid who he was, using his real name, address, phone number and email address on the applications. He added the title “Dr.” and listed his credentials as “PhD.” Under medical specialty he often indicated he was a “sports medicine” doctor and provided a license number, even though he wasn’t a physician and didn’t have a medical license.

Medicare officials declined to be interviewed about Williams. But in a statement, they acknowledged that the agency doesn’t verify whether an NPI applicant is a medical provider or has a criminal history. The agency claims it would need “explicit authority” from the Department of Health and Human Services to do so — and currently doesn’t have it. Regulations, and potentially the law, would need to be revised to allow the agency to vet the applications, the statement said.

Medicare does verify the credentials of physicians and other medical providers who want to bill the agency for their Medicare patients.

To those charged with rooting out fraudsters, the current regulations seem like an invitation to plunder. “Medicare has to make sure that the individuals who apply for NPIs are licensed physicians — it’s that simple,” said Elliott, the former prosecutor who ran about 100 health care fraud investigations.

Elliott, who now does white-collar criminal defense, said he knows of two other cases currently under federal investigation in which non-licensed clinic administrators lied to obtain NPI numbers, then used patients’ information to file false claims worth millions.

Medicare warns NPI applicants that submitting false information could lead to a $250,000 fine and five years in prison. But since Medicare started issuing NPIs in 2006, officials said they could not identify anyone who had been sanctioned.

So, for those bent on fraud, the first step is easy; the online approval for an NPI takes just minutes.

Williams got out of jail in November 2012 and launched an aggressive expansion with an irresistible pitch: Time to get those private personal training sessions you thought you couldn’t afford!

“Now accepting most health insurance plans,” his Get Fit With Dave website announced. He added a drop-down menu to his site, allowing potential clients to select their health insurance provider: Aetna. Blue Cross Blue Shield. United.

He began building a team, soliciting trainers from the strength and conditioning department at Texas Christian University. He met with new recruits at local fast food joints or coffee shops to set them up. To the trainers, the business appeared legit: They even signed tax forms. Before long, Williams’ network stretched throughout Texas and into Colorado, Idaho and Nevada.

One Fort Worth trainer recalled meeting Williams through one of his clients, a Southwest Airlines flight attendant. Williams, he said, seemed like a real doctor, and it wasn’t hard to imagine an insurer’s wellness program covering fitness. Plus, it was good money — about $50 an hour and Williams paid him for multiple clients at once if he did boot camps, said the trainer, who asked that his name not be used so he wouldn’t be tarnished by his association with Williams. Williams, he said, even gave him an iPad, with “Kinesiology Specialists” etched on the back, to submit bills and paid him via direct deposit.

Clients came to Williams through his business cards, his website and word-of-mouth. Williams, records show, quickly verified if their insurance companies would cover his fees — although he didn’t tell clients that those fees would be billed as medical services, not personal training. To ensure the clients paid nothing, he waived their annual deductibles — the portion patients pay each year before insurance kicks in. Authorities said Williams banked on being able to file enough claims to quickly blow through their deductibles so he could get paid.

Meredith Glavin, a flight attendant with Southwest, told the authorities she got in touch with Williams after her co-workers said insurance was covering their workouts. After providing her name, address and insurance information on the Get Fit With Dave website, Williams emailed back with the good news: “Everything checks out with your insurance. My services will be covered at no cost to you.”

During a follow-up phone call, Glavin said, they discussed her fitness and weight loss goals and then Williams connected her with a trainer. The workouts were typical fitness exercises, she said, not treatment for a medical condition. But insurance claims show Williams billed the sessions as highly complex $300 examinations to treat “lumbago and sciatica,” a condition in which nerve pain radiates from the lower back into the legs.

He used his favorite billing code — 99215 — to bill Glavin’s insurer, United, the claims show. The code is supposed to be used less often because it requires a comprehensive examination and sophisticated medical decision-making, warranting higher reimbursement. In all, Williams used the code to bill United for more than $20.5 million — without apparently triggering any red flags at the insurer. For that code alone, the insurance giant rewarded him with $2.5 million in payments.

Eventually, Get Fit With Dave expanded to about a dozen trainers and around 1,000 patients, said a source familiar with the case. And, court records show, the checks from insurance companies, some over $100,000, kept rolling in.

Williams bought a couple of pick-up trucks, a new Harley Davidson motorcycle and a fancy house. But greed didn’t seem his only motivation. “I made $50K last week,” he wrote in a December 2014 text to a friend. “Seriously it means nothing. It is not about the money. I have had a lot taken away from me, and maybe I am trying to prove something ... Maybe it is my way of giving the finger to everyone???”

A few miles away, his former father-in-law watched Williams’ illegal business blossom with growing outrage. Pratte kept his grandson’s iPad on his desk, near his computer, and checked it every day. The texts appeared boring, even routine, but Pratte knew they were evidence of ongoing fraud.

“I have another flight attendant friend who is interested in signing up as well,” a new client texted to Williams.

“Tell him to show up with his insurance card,” Williams replied.

To Pratte, the text messages were a “gold mine.” This is the stuff that will really nail his rear end, he recalled thinking as he read the messages. He couldn’t wait to share his findings with the insurers. How often do they get cases wrapped up in a bow?

But when he and Lankford began contacting insurers, they were soon bewildered. When Pratte told Aetna that he wanted to report a case of fraud, he said the customer service representative asked for his member number, then told him non-members couldn’t report criminal activity. Lankford, who happened to be covered by Aetna, made the complaint, but they say they never heard back.

An Aetna spokesman told ProPublica that the insurer could find no record of Pratte’s call but said the company’s fraud hotline takes tips from anyone, even anonymous callers.

Lankford sent an email to Cigna’s special investigations unit in January 2015 “regarding one of your providers that concerns me.” She provided Williams’ company name, address, cellphone number, Social Security number and more, and she described his scheme. “He has no medical license or credentials,” she wrote. “He was in prison for felony theft.”

A supervisory investigator called to ask for the names of personal trainers, which Lankford provided. But, again, there was silence.

Pratte could see many of the clients worked for Southwest and had their benefits administered by United. He jotted down the name, address, phone number, birth date and member identification number of the potential clients on a yellow legal pad — all the information the insurer and Southwest would need to investigate the fraud. This is so easy, Pratte recalled thinking as he wrote down the details, all they have to do is cross-reference this.

Because Southwest self-funds its benefits, the company was on the hook for the bills, which would eventually total about $2.1 million according to a source familiar with the case. It paid United to administer the company’s plan and ensure the claims it covered were legitimate. Pratte said he called the airline in the fall of 2015 and spoke to someone in the human resources department who said they would pass the information to the right people. “That was the last I heard,” he said. Southwest declined to comment for this story. It still pays United to administer its benefits.

Pratte started calling United in the fall of 2014 and spoke to a fraud investigator who took the information with interest, he said. But within a couple of weeks he was told she moved to a different position. Pratte continued calling United over the following two years, making about a dozen calls in total, he said. “He is not a doctor,” Pratte told whoever picked up the phone. “So, I don’t see how he can be filing claims.”

In early 2015, Lankford emailed additional information to the investigator. The investigator wrote back, thanking Lankford and saying she forwarded the details to the people who research licenses. “They will investigate further,” she said in the email.

Meanwhile, the text messages showed Williams continuing to sign up — and bill for — United members.

Frustrated, Pratte made one final call to United in 2016, but he was told the case was closed. United said he’d have to call the Texas Department of Insurance for any additional details. Pratte had already filed a complaint with the regulator but reached out again. The department told him that because he hadn’t personally been defrauded, it would not be able to act on his complaint.

To Pratte, it appeared he had struck out with Aetna, United, Southwest and the Texas Department of Insurance. “I was trying to get as many people as possible to look into it as I could,” Pratte said recently. “I don’t know if that tells me they are incompetent. Or they don’t care. Or they’re too busy.”

A case summary, prepared by the Texas Department of Insurance, shows it first learned of the Williams case in January 2015 but lacked staff to investigate. A spokesman said the regulator later received Pratte’s complaint but didn’t pursue it after learning that United had already investigated and closed its case.

Meanwhile, some Get Fit With Dave clients had begun noticing odd claims on their insurance statements.

Nanette Bishop had heard about Williams when a fellow Southwest flight attendant handed her the trainer’s business card and said, “You’ve got to meet Dr. Dave.” (Bishop said the Southwest legal department advised her not to speak with ProPublica. Details about her interaction with Williams come from court records.)

Bishop said she started strong with the workouts but “fizzled” quickly. Her daughter, who was also on her plan and signed up for workouts, only did a couple sessions. Bishop said she had a hard time staying consistent because she was traveling a lot — for much of October 2014 she was in Germany. Later, she noticed in her insurance records that Williams had been paid for dozens of sessions over many months, even during the time she’d been abroad.

Bishop texted Williams in January 2015 to tell him he needed to refund all the money. “I never worked out four [times] a week and [my daughter] quit the first week of September,” she wrote. Bishop also called United and Southwest Airlines to report the overbilling.

About a month later, Williams received a letter from a subsidiary of United ordering a review Bishop’s medical records.

Another client texted Williams with concerns that her United insurance plan had been billed for 18 workouts in December 2015. That couldn’t be accurate, the woman wrote. “I had to take December off due to my work schedule and family in town,” she wrote. “I understand that people need to be paid but this seems excessive.”

While Pratte, Lankford and some of Williams’ clients repeatedly flagged bogus bills, the mammoth health insurers reacted with sloth-like urgency to the warnings. Their correspondence shows an almost palpable disinterest in taking decisive action — even while acknowledging Williams was fraudulently billing them.

Cigna appears to have been the quickest to intervene. In January 2015, Cigna sent Williams a letter, noting that he wasn’t a licensed medical provider and had misrepresented the services he provided. The insurer said he needed to pay back $175,528 and would not be allowed to continue billing.

“I just got a $175K bill in the mail,” Williams texted to a friend. “Cigna insurance has been overpaying me for the past 18 months and they want it back. I knew that they were reimbursing at too high of a rate so I can’t really complain.”

By then Williams had more than one National Provider Identifier, so he just switched numbers and kept billing Cigna. More than a year later, in May 2016, Cigna sent another letter, saying he now owed $310,309 for inappropriate payments. In total, the company paid him more than $323,000. Williams never gave any of it back. Cigna declined to comment about the Williams case.

Aetna wrote Williams in January 2015 to say it had reviewed his claims and found he wasn’t licensed, resulting in an overpayment of $337,933. The letter said there appeared to be “abusive billing” that gave “rise to a reasonable suspicion of fraud.” But the insurer also gave him a month to provide documentation to dispute the assessment. When Williams hadn’t responded in three months, an Aetna investigator wrote to Williams’ attorney, saying, “We are willing to discuss an amicable resolution of this matter,” and gave him two more weeks to respond.

That August, an Aetna attorney sent Williams’ attorney another letter, noting that Williams had submitted “fraudulent claims” and had continued to submit bills “even after his billing misconduct was identified.”

In January 2016 — a year after Aetna first contacted him — Williams agreed to a settlement that required him to refund the company $240,000 “without admission of fault or liability by either party.”

But that didn’t stop, or even appear to slow, Williams. Not only did he renege on that promise, he picked one of his other NPI numbers and continued to file claims resulting in another $300,000 in payments from Aetna. In total, Aetna paid Williams more than $608,000.

In emails, Ethan Slavin, a company spokesman, didn’t explain why Aetna settled with Williams instead of pursuing criminal prosecution. He blamed the insurer’s slow response on the lengthy settlement process and Williams’ tactic of billing under different organizations and tax identification numbers. Williams did repay some of the money before defaulting, Slavin said.

United, one of the largest companies in the country, paid out the most to Williams. The insurer brought in $226 billion last year and has a subsidiary, Optum, devoted to digging out fraud, even for other insurers. But that prowess is not reflected in its dealings with Williams.

In September 2015, United wrote to Williams, noting his lack of a license and the resulting wrongful payments, totaling $636,637. But then the insurer added a baffling condition: If Williams didn’t respond, United would pay itself back out of his “future payments.” So while demanding repayment because Williams was not a doctor, the company warned it would dock future claims he would be making as a doctor.

Williams responded a month later, noting that he had a Ph.D. in kinesiology and did rehab, so he met the qualifications of a sports medicine doctor.

United responded in November 2015 with the same argument: he wasn’t licensed and thus needed to repay the money, again warning that if he didn’t, United would “initiate repayment by offsetting future payments.”

Williams took United up on its offer. “Please offset future payments until the requested refund amount is met,” he responded.

Then Williams turned to another NPI number, records show, and continued submitting claims to United.

In January 2016, Williams agreed to settle with United and repay $630,000 in monthly installments of $10,000. Inexplicably, the agreement refers to Williams as “a provider of medical services or products licensed as appropriate under the laws of the state of TX” and notes that the settlement doesn’t terminate his continued participation in United’s programs.

In 2016, Williams obtained a new batch of NPI numbers from Medicare. As usual, he used his real name, address and credentials on the applications. The additional numbers allowed him to continue to make claims to United.

In November 2016, United investigators caught Williams again — twice. They sent two letters accusing him of filing 820 claims between May 2016 and August 2016 and demanded repayment. Again, almost inconceivably, the company threatened to cover his debt with “future payments.”

In December 2016, United notified Williams he had only repaid $90,000 of the initial $630,000 he owed and was in default. The following month, United told him he had to pay the remaining $540,000 within 20 days or he could face legal action. Williams replied, saying he wanted to renegotiate the settlement, but the insurer declined. Late that month, United said its inappropriate payments to Williams had ballooned to more than $2.3 million.

A United spokeswoman said it was difficult to stop Williams because he used variations on his name and different organizations to perpetrate the fraud. “He did everything he could not to get caught,” Maria Gordon-Shydlo said.

She acknowledged getting the complaints from Lankford and Pratte, as well as United members, but defended the response of the company, saying it had eventually referred Williams to law enforcement.

The insurer is continuing “to improve our processes and enhance our systems so we can catch these schemes on the front-end,” she said, “before a claim is paid and to recoup dollars that were paid as a result of provider misconduct.”

In all, United paid Williams more than $3.2 million — most of it after the insurer had caught him in the act.

But in reality, the losses weren’t all United’s. Most of the fraud was funded by its client, Southwest.

Many health care experts and fraud investigators said they weren’t surprised to hear that insurers were slow to stop even such an outlandish case of fraud.

“It’s just not worth it to them,” said Dr. Eric Bricker, an internist who spent years running a company that advised employers who self-funded their insurance.

For insurance behemoths pulling in billions, or hundreds of billions, in revenue, fraud that sucks away mere millions is not even a rounding error, he said.

And perhaps counter-intuitively, insurance companies are loath to offend physicians and hospitals in their all-important networks — even those accused of wrongdoing, many experts have said. They attract new clients by providing access to their networks.

This ambivalence toward fraud, Bricker and others said, is no secret. Scammers like Williams are “emblematic of gazillions of people doing variants of the same thing,” Bricker said. Insurers embolden them by using a catch-and-release approach to fraud, in which the insurers identify criminals, then let them go.

Joe Christensen has pursued fraud for both government and commercial insurers, serving as a director in Aetna’s Special Investigations Unit, a team of more than 100 people ferreting out fraud, from 2013 to 2018 and as the director of Utah’s insurance fraud division for 13 years. Fraud in government programs, like Medicare and Medicaid, gets more publicity, he said, and has dedicated arms of agencies pursuing fraudsters. But the losses may be even greater in the commercial market because the dollar levels are higher, he said.

Some commercial insurers take a passive approach, Christensen said, in part because it’s expensive to press a fraud case. At Aetna, he said, investigators would identify cases of apparent fraud, but it was up to the executives and legal team to decide how to handle them. Taking fraudsters to civil or criminal court requires resources, so the company often settled for trying to get repaid through settlements or blocking a suspect provider from billing, he said.

Christensen said while he was at Aetna, investigators almost never sought to partner with law enforcement agencies to pursue criminal cases. Last spring, he became the SIU director for a Southern California-based Medicaid plan called L.A. Care Health Plan, where he was allowed to take a proactive approach. In just about a year, he said, his much smaller team began 37 criminal investigations with law enforcement agencies. The cases are in different stages, but so far there have been seven arrests, four search warrants and one conviction. Christensen recently took a job with an insurer in Utah, where his family lives, so he could be closer to them.

ProPublica asked Aetna how many criminal cases it had pursued in 2017 and 2018. A company official said the question could not be answered because it does not track such cases.

In the spring of 2017, more than four years after Williams first began billing insurers, one of them, United, finally brought him to the attention of the FBI’s heath care fraud squad.

One May day, agents from the FBI and the newly engaged Texas Department of Insurance knocked on the door of Williams’ sprawling six-bedroom home — a spread he’d boasted to one trainer that he’d purchased with cash. Williams didn’t invite them in. He refused to answer questions, claiming his attorney had dealt with the questionable billings.

Undaunted, just days later, Williams used a freshly minted NPI number to send another bill to United. The last known claim he submitted was on June 3, 2017, according to a source familiar with the investigation.

That October, Williams’ long run came to an end when he was arrested by the FBI.

The following May, Williams’ trial began in the United States District Court for the Northern District of Texas. The prosecution didn’t have to make a complex argument. Williams had billed for non-medically necessary services and wasn’t a medical provider — a “slam dunk case” said the agent on the case.

But the testimony served as a cheat sheet for how to defraud the health insurance industry and mostly get away with it.

Without irony, the prosecutor, P.J. Meitl, argued that Williams had preyed on a health insurance system that relies “on trust, relies on honesty” when it pays claims.

He called fraud investigators from Aetna, Cigna and United, who testified that their companies auto-pay millions of claims a year. It’s not cost effective to check them, they said. “Aetna relies on the honesty of the person submitting the claim verifying that it’s true,” testified Kathy Richer, a supervisor in Aetna’s Special Investigations Unit.

In a similar manner, Medicare trusts that people who apply for NPI numbers are actually medical providers, Meitl told the jury. Medicare “does not investigate or verify whether an individual is actually a health care provider before issuing an NPI number.”

Williams’ attorney, Wes Ball, argued that the case was the sign of a “broken” health care system and blamed insurers for making a financial decision not to review Williams’ claims before paying them. United failed to protect Southwest’s money, Ball said, and “might be a vendor you might not want to hire.”

As for the NPI numbers, anyone could have checked Williams’ credentials, he said.

The jury wasn’t convinced, convicting Williams of four counts of health care fraud.

The judge sentenced him to a little more than nine years in federal prison and ordered him to pay $3.9 million in restitution to United, Aetna and Cigna.

Insurers promote themselves as guardians of health care dollars. United says on its website it wants to “help employers manage” medical expenses, resulting in “lower costs.” Aetna promises employers “affordability.” Cigna promises “increased savings.”

But private health insurers allow so much fraud that prosecutors use an idiom to describe the rare person who gets caught: “Pigs get fat, hogs get slaughtered.”

“Pigs” can steal millions, if they bill just enough to avoid notice. But if they get greedy and bill too many millions, they “become a data outlier,” said Elliott, the former fraud task force prosecutor. “You get slaughtered.”

Williams took years to reach hog status.

Part of the problem, experts say, is that health care fraud is often misunderstood as shafting greedy insurers — not the folks paying for health insurance. Ultimately, insurers don’t bear the cost. For their self-funded clients, like Southwest, they merely process the claims. For their traditionally insured clients, they can recover any losses by increasing deductibles and premiums and decreasing coverage.

Williams appears to have duped more than insurers. His twin brother, Dan Williams, recently retired as the assistant special agent in charge of the Dallas field office for criminal investigation for the Internal Revenue Service. He spent 27 years ferreting out fraud, and he gets the irony. “You’re not the first person to point that out,” he said.

Dan Williams said his brother’s sudden riches from the training business piqued his investigative instincts, but he “trusted” his brother when “he told me he was authorized to bill insurance companies.”

In his letter to ProPublica, Williams did not address the issues in the case or even acknowledge that any of his activities were wrong. Instead, he blamed his former wife. “It grieves me that the consequences of a bitter and hurtful divorce have resulted in the ending of this unprecedented and beneficial opportunity to help many people,” he wrote.

Lankford and Pratte are proud of their part in ending his scheme, if still baffled that they had to play such a central role in uncovering it.

If it hadn’t been for the iPad messages, “I have to believe he would still be billing insurance companies from a Caribbean island,” Pratte said.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.


FTC Levies $5 Billion Fine, 'New Restrictions, And Modified Corporate Structure' To Hold Facebook Accountable. Will These Actions Prevent Future Privacy Abuses?

The U.S. Federal Trade Commission (FTC) announced on July 24th a record-breaking fine against Facebook, Inc., plus new limitations on the social networking service. The FTC announcement stated:

"Facebook, Inc. will pay a record-breaking $5 billion penalty, and submit to new restrictions and a modified corporate structure that will hold the company accountable for the decisions it makes about its users’ privacy, to settle Federal Trade Commission charges that the company violated a 2012 FTC order by deceiving users about their ability to control the privacy of their personal information... The settlement order announced [on July 24th] also imposes unprecedented new restrictions on Facebook’s business operations and creates multiple channels of compliance..."

During 2018, Facebook generated after-tax profits of $22.1 billion on sales of $55.84 billion. While a $5 billion fine is a lot of money, the company can easily afford the record-breaking fine. The fine equals about one month's revenues, or a little over 4 percent of its $117 billion in assets.

U.S. Federal Trade Commission. New compliance system for Facebook. Click to view larger version The FTC announcement explained several "unprecedented" restrictions in the settlement order. First, the restrictions are designed to:

"... prevent Facebook from deceiving its users about privacy in the future, the FTC’s new 20-year settlement order overhauls the way the company makes privacy decisions by boosting the transparency of decision making... It establishes an independent privacy committee of Facebook’s board of directors, removing unfettered control by Facebook’s CEO Mark Zuckerberg over decisions affecting user privacy. Members of the privacy committee must be independent and will be appointed by an independent nominating committee. Members can only be fired by a supermajority of the Facebook board of directors."

Facebook logo Second, the restrictions mandated compliance officers:

"Facebook will be required to designate compliance officers who will be responsible for Facebook’s privacy program. These compliance officers will be subject to the approval of the new board privacy committee and can be removed only by that committee—not by Facebook’s CEO or Facebook employees. Facebook CEO Mark Zuckerberg and designated compliance officers must independently submit to the FTC quarterly certifications that the company is in compliance with the privacy program mandated by the order, as well as an annual certification that the company is in overall compliance with the order. Any false certification will subject them to individual civil and criminal penalties."

Third, the new order strengthens oversight:

"... The order enhances the independent third-party assessor’s ability to evaluate the effectiveness of Facebook’s privacy program and identify any gaps. The assessor’s biennial assessments of Facebook’s privacy program must be based on the assessor’s independent fact-gathering, sampling, and testing, and must not rely primarily on assertions or attestations by Facebook management. The order prohibits the company from making any misrepresentations to the assessor, who can be approved or removed by the FTC. Importantly, the independent assessor will be required to report directly to the new privacy board committee on a quarterly basis. The order also authorizes the FTC to use the discovery tools provided by the Federal Rules of Civil Procedure to monitor Facebook’s compliance with the order."

Fourth, the order included six new privacy requirements:

"i) Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data; ii) Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising; iii) Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users; iv) Facebook must establish, implement, and maintain a comprehensive data security program; v) Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext; and vi) Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services."

Wow! Lots of consequences when a manager builds a corporation with a, "move fast and break things" culture, values, and ethics. Assistant Attorney General Jody Hunt for the Department of Justice’s Civil Division said:

"The Department of Justice is committed to protecting consumer data privacy and ensuring that social media companies like Facebook do not mislead individuals about the use of their personal information... This settlement’s historic penalty and compliance terms will benefit American consumers, and the Department expects Facebook to treat its privacy obligations with the utmost seriousness."

There is disagreement among the five FTC commissioners about the settlement, as the vote for the order was 3 - 2. FTC Commissioner Rebecca Kelly Slaughter stated in her dissent:

"My principal objections are: (1) The negotiated civil penalty is insufficient under the applicable statutory factors we are charged with weighing for order violators: injury to the public, ability to pay, eliminating the benefits derived from the violation, and vindicating the authority of the FTC; (2) While the order includes some encouraging injunctive relief, I am skeptical that its terms will have a meaningful disciplining effect on how Facebook treats data and privacy. Specifically, I cannot view the order as adequately deterrent without both meaningful limitations on how Facebook collects, uses, and shares data and public transparency regarding Facebook’s data use and order compliance; (3) Finally, my deepest concern with this order is that its release of Facebook and its officers from legal liability is far too broad..."

FTC Commissioners Noah Joshua Phillips and Christine S. Wilson stated on July 24th in an 8-page joint statement (Adobe PDF) with Chairman Joseph J. Simons of the U.S. District Court for the District of Columbia:

"In 2012, Facebook entered into a consent order with the FTC, resolving allegations that the company misrepresented to consumers the extent of data sharing with third-party applications and the control consumers had over that sharing. The 2012 order barred such misrepresentations... Our complaint announced today alleges that Facebook failed to live up to its commitments under that order. Facebook subsequently made similar misrepresentations about sharing consumer data with third-party apps and giving users control over that sharing, and misrepresented steps certain consumers needed to take to control [over] facial recognition technology. Facebook also allowed financial considerations to affect decisions about how it would enforce its platform policies against third-party users of data, in violation of its obligation under the 2012 order... The $5 billion penalty serves as an important deterrent to future order violations... For purposes of comparison, the EU’s General Data Protection Regulation (GDPR) is touted as the high-water mark for comprehensive privacy legislation, and the penalty the FTC has negotiated is over 20 times greater than the largest GDPR fine to date... IV. The Settlement Far Exceeds What Could be Achieved in Litigation and Gives Consumers Meaningful Protections Now... Even assuming the FTC would prevail in litigation, a court would not give the Commission carte blanche to reorganize Facebook’s governance structures and business operations as we deem fit. Instead, the court would impose the relief. Such relief would be limited to injunctive relief to remedy the specific proven violations... V. Mark Zuckerberg is Being Held Accountable and the Order Cabins His Authority Our dissenting colleagues argue that the Commission should not have settled because the Commission’s investigation provides an inadequate basis for the decision not to name Mark Zuckerberg personally as a defendant... The provisions of this Order extinguish the ability of Mr. Zuckerberg to make privacy decisions unilaterally by also vesting responsibility and accountability for those decisions within business units, DCOs, and the privacy committee... the Order significantly diminishes Mr. Zuckerberg’s power — something no government agency, anywhere in the world, has thus far accomplished. The Order requires multiple information flows and imposes a robust system of checks and balances..."

Time will tell how effective the order's restrictions and $5 billion are. That Facebook can easily afford the penalty suggests the amount is a weak deterrence. If all or part of the penalty is tax-deductible (yes, tax-deductible fines have happened before to directly reduce a company's taxes), then that would weaken the deterrence effectiveness. And, if all or part of the fine is tax-deductible, then we taxpayers just paid for part of Facebook's alleged wrongdoing. I'll bet most taxpayers wouldn't want that.

Facebook stated in a July 24th news release that its second-quarter 2019 earnings included:

"... an additional $2.0 billion legal expense related to the U.S. Federal Trade Commission (FTC) settlement and a $1.1 billion income tax expense due to the developments in Altera Corp. v. Commissioner, as discussed below. As the FTC expense is not expected to be tax-deductible, it had no effect on our provision for income taxes... In July 2019, we entered into a settlement and modified consent order to resolve the inquiry of the FTC into our platform and user data practices. Among other matters, our settlement with the FTC requires us to pay a penalty of $5.0 billion and to significantly enhance our practices and processes for privacy compliance and oversight. In particular, we have agreed to implement a comprehensive expansion of our privacy program, including substantial management and board of directors oversight, stringent operational requirements and reporting obligations, and a process to regularly certify our compliance with the privacy program to the FTC. In the second quarter of 2019, we recorded an additional $2.0 billion accrual in connection with our settlement with the FTC, which is included in accrued expenses and other current liabilities on our condensed consolidated balance sheet."

"Not expected to be" is not the same as definitely not. And, business expenses reduce a company's taxable net income.

A copy of the FTC settlement order with Facebook is also available here (Adobe PDF format; 920K bytes). Plus, there is more:

"... the FTC also announced today separate law enforcement actions against data analytics company Cambridge Analytica, its former Chief Executive Officer Alexander Nix, and Aleksandr Kogan, an app developer who worked with the company, alleging they used false and deceptive tactics to harvest personal information from millions of Facebook users. Kogan and Nix have agreed to a settlement with the FTC that will restrict how they conduct any business in the future."

Cambridge Analytica was involved in the massive Facebook data breach in 2018 when persons allegedly posed as academic researchers in order to download Facebook users' profile information they really weren't authorized to access.

What are your opinions? Hopefully, some tax experts will weigh in about the fine.