19 posts from July 2011

Federal Reserve Board Takes Action Against Wells Fargo Including $85 Million Fine

On July 20, the Federal Reserve Board issued a press release about its action against Wells Fargo & Company for lending and mortgage abuses. The action includes a "cease and desist" order, an $85 million civil penalty, and an order for Wells Fargo to compensate affected borrowers:

"... issued a consent cease and desist order and assessed an $85 million civil money penalty against Wells Fargo & Company of San Francisco, a registered bank holding company, and Wells Fargo Financial, Inc., of Des Moines. The order addresses allegations that Wells Fargo Financial employees steered potential prime borrowers into more costly subprime loans and separately falsified income information in mortgage applications. In addition to the civil money penalty, the order requires that Wells Fargo compensate affected borrowers."

The lending and mortgage abuses:

"Wells Fargo Financial--a once-active, non-bank subsidiary of Wells Fargo--made subprime loans that primarily refinanced existing home mortgages in which borrowers received additional money from the loan proceeds in so-called cash-out refinancing loans. The order addresses allegations that Wells Fargo Financial sales personnel steered borrowers who were potentially eligible for prime interest rate loans into loans at higher, subprime interest rates, resulting in greater costs to borrowers. The order also addresses separate allegations that Wells Fargo Financial sales personnel falsified information about borrowers' incomes to make it appear that the borrowers qualified for loans when they would not have qualified based on their actual incomes."

The amount of compensation to be paid to affected borrowers has not been set. The number of affected borrowers is estimated between 3,700 and 10,000. The amount of compensation will depend upon several factors:

"... including differences between what borrowers paid and what they should have paid in terms of origination points, interest payments, fees, and penalties."

On the same day, Wells Fargo issued a statement which read in part:

"The alleged actions committed by a relatively small group of team members are not what we stand for at Wells Fargo," said Chairman and CEO John Stumpf. "Fair and responsible lending practices have been at the core of our culture, and they will continue to guide us as we work closely with the Federal Reserve to provide restitution to customers who may have been harmed, and to reinforce our internal controls so they further reflect Wells Fargo's commitment to helping customers succeed financially... The Company's agreement with the Federal Reserve does not include an admission of the allegations cited, which cover lending practices at Wells Fargo Financial between January 2004 and September 2008... Within 90 days, Wells Fargo will submit plans to the Federal Reserve that will outline its oversight of its mortgage lending practices regarding certain compliance and incentive compensation programs. In addition, Wells Fargo will develop a plan for continuing to identify and provide compensation to Wells Fargo Financial customers who may have been harmed by the practices alleged in the agreement..."

Analysis: Several States' Online Consumer Forms For Filing Phone Scams Complaints

[Editor's note: this is part three of a three-part series about telemarketing or phone scams.]

Yesterday, I described my experience with filing online complaints with the U.S. Federal Trade Commission and with the Attorney General office in the state where I live. Today, I want to share my findings about how well several states' Attorney General websites allow consumers to file online complaints about phone scams.

Remember, the FTC Phone Fraud website instructs consumers to file complaints at both the FTC Complaint Assist website and at their state Attorney General website. After having difficulty at the Massachusetts AG website, I reviewed several states' AG websites. I wanted to know if other states presented online complaint forms that made it easy (or difficult) to file complaints about phone scams.

I reviewed and compared the online complaint forms for six (6) states. I chose four states (California, Florida, New York, and Texas) with large populations, since that would cover the probable online experience for a large percentage of the US population. I also included my home state (Massachusetts), and one state (Alabama) that does not have any laws requiring the notification of consumers affected by data breaches:

  1. Massachusetts
  2. California
  3. Florida
  4. Alabama
  5. New York
  6. Texas

Remember, the FTC website linked to the National Association of Attorneys General (NAAG) website, which lists all Attorney General websites in the 50 states, plus the District of Columbia, Guam, and Puerto Rico. So, many consumers will arrive at their state's AG website with the goal to complete this specific task: file a complaint online about a phone scam. Given this specific task, I used three criteria to evaluate the AG websites:

  1. Did the AG website main page present a link or button for consumers to file a complaint online, that was prominent and easy to find?
  2. Did the AG website allow consumers to actually file a complaint online?
  3. Did the state's online form allow for the submission of phone scams?

There are many other criteria one could use to evaluate AG websites. I chose these three criteria because they directly relate to the specific task. I looked for variations of the "File a Complaint" phrase and not necessarily the same words. My findings:

1. Many AG websites made it difficult for consumers to file complaints. 50% (3 of 6) of the websites reviewed contained a link or button on the home page that was prominent and easy to find. Prominent and easy means that the link/button is immediately displayed when the page loads. So, half of the websites evaluated (Florida, New York, and Texas) didn't provide such a link/button.

AG websites typically present information about news releases and the services available to consumers and businesses -- all very valuable information. The lack of a "File a Complaint" link or button on the home page makes the website needlessly more difficult to use. This forces consumers to hunt for the complaint form page.

Several examples highlight this forced hunt. First, the online complaint form is buried in the Florida AG website under the Consumer Protection website section. That form location may be a logical place for frequent website visitors, attorneys, and AG office staff, but not necessarily for first-time visitors or consumers. Second, the Texas AG website has a "Report Fraud, Waste, and Abuse" link on its main page, but that link is narrowly focused on complaints about state government agencies. Consumers looking to file a complaint about a non-government organization still have to hunt for the online complaint form.

Third, the New York AG website locates its complaint forms under the Consumer Frauds Bureau and Identity Theft sections. Again, frequent visitors, attorneys, and AG office staff may know to look there, but first-time visitors won't.

When hunting for a form, there are several time-consuming strategies that consumers may use: use the site-search mechanism, click on various navigation links, and/or read the page content.

2. Most AG websites present interactive online complaint forms. 83% (5 of 6) of the websites reviewed present online complaint forms. The only website that didn't -- New York -- presented static forms in Adobe PDF format, which consumers must download, complete offline, and submit via surface mail.

3. Not all AG websites allow consumers to submit complaints about telemarketing/phone fraud. 60% (3 of 5) of the websites with interactive, online complaint forms allow consumers to file complaints about phone scams. (Remember, the New York AG website had PDF forms instead of interactive forms.) That is, the complaint forms are flexible enough to allow consumers to enter the data elements they may have.

In my online experience, the form in the Massachusetts AG website requires consumers to submit all of the following data elements about the phone-scammer: company name, address, city, state, ZIP Code, and phone number. With phone scams, consumers won't necessarily have all of these data elements. I didn't. The complaint form at the Texas AG website also contained the same usability problems as the Massachusetts AG website form.

While it is a fairly simple task to add a "File a Complaint" link on the home page and to edit an online complaint form to make more company data elements optional rather than required, there probably are backend database considerations. The online databases must contain sufficient categorization and tagging to identify phone fraud complaints as such, and not as partially completed complaints.

If you have submitted complaints at your state's AG website, what was your experience?

Filing an Online Complaint About a Credit Card Phone Scam

[Editor's Note: this is part two in a three-part series about telemarketing or phone scams.]

Yesterday, I described my experience with an attempted credit card phone scam. Today, I want to describe in greater detail my experiences with filing complaints online. It is important to notify the appropriate government agencies about scams so law enforcement can take action and shut them down.

As I described yesterday, I visited the FTC Phone Fraud website to learn how to report telemarketing or phone scams. The main page contained a "Report Phone Fraud" link, which links to the Reporting Phone Fraud page. This page explains how to file a complaint online with both the U.S. Federal Trade Commission and the Attorney General Office in your state:

"Your complaint counts! Fight telephone fraud. Report telephone scam artists to the FTC and to your state Attorney General. When you report phone fraud to the FTC, your complaint is entered into a secure database that is available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad."

At the FTC Complaint Assist website, I filed my complaint online. That was simple enough, and later during the day I received a confirmation e-mail message that my complaint had been successfully submitted.

Since I live in Massachusetts, I wanted to file a complaint with the Attorney General's (AG) Office for my state. The FTC Phone Fraud website makes this easy, since it contains a link to the National Association of Attorneys General (NAAG) website, which lists all Attorney General websites in the 50 states, plus the District of Columbia, Guam, and Puerto Rico.

So, I clicked through to the Massachusetts Attorney General website. The Massachusetts AG website main page has an easy-to-find "File A Complaint" link on the main page in the center column:

Massachusetts Attorney General Office website home page

I clicked on the "File a Complaint" link which directed me to an instructions page. After reading the instructions, I accessed the Consumer Complaint Form page. So far, so good.

I completed the form page with the information I had, which unfortunately wasn't much. Remember, I only had the company name, Card Services, because the scam artist hung up when I asked for more information about his company: its phone number. After submitting the Consumer Complaint Form, I received this error page:

File a Complaint Online - Error page

The website requires all of the following about the scammer: company address, city, state, phone, and ZIP Code. This was disappointing since I only had the company name, and the form requires data elements I don't have. If I had fallen victim to this phone scam and lost money, then I might have had more information about the scammer's company. That is no guarantee, though.

I reviewed the Consumer Complaint Form page, and noticed that it did not indicate which fields were required versus optional. That is a basic website development flaw. As a user experience professional who has built and redesigned dozens of websites since 1997, I can state this with authority. Well-designed online forms should indicate to users what information is required versus optional. It saves everyone time and avoids frustration.

At this point, I was stuck. I couldn't file the complaint about the phone scam online. Remember, I arrived at my state AG website based on instructions from the FTC website. This was frustrating.

If a state wants consumers to file complaints so it can collect accurate information about the types and volume of scams operating in their state, then the form should allow consumers to enter the data elements they have about the scammer's company. Otherwise, scams go unreported and the state AG has inaccurate information about the types and volume of scams operating in their state.

I realize that in these tough economic times, states' budgets are tight. The reporting of scams goes to law enforcement, and law enforcement seems to me to be a high-priority item.

After this experience, I began to wonder what the online experience is for consumers in other states. Tomorrow: a brief look at the online consumer complaint forms at several states' Attorney General websites.

Have you filed an online complaint with your state Attorney General? What was your experience?

Would You Recognize This Credit Card Phone Scam?

[Editor's Note: this is part one in a three-part series about telemarketing or phone scams.]

Would you recognize this scam? During Tuesday morning last week, I received a phone call from a company, Card Services, offering a lower interest rate of 10% on my credit cards. The offer sounded interesting but suspicious.

A lower credit card interest rate is always of interest, but I was also suspicious because my landline phone is already listed in the Do Not Call registry. I listened to the phone representative's pitch for a couple minutes. The rep asked three questions:

  1. Do I have a Visa or MasterCard?
  2. Do I owe more than $3,000.00 on my credit cards?
  3. Is my current credit card interest rate higher than 10%?

I answered yes to all three questions just so I could hear his pitch. I pay my credit card bills in full every month, so I do not incur any interest charges. During the phone call, I then asked the representative which bank he worked at. He said he works "with" all of the major banks -- and rattled off a list of bank names.

Next, I asked him to clearly state his company's name. He said "Card Services." I had never heard of Card Services before, and I definitely wanted to know more about this company before revealing any personal information.

Next, I asked him for his phone number. He hung up.

So, this clearly was a phone phishing scam where the scammer tries to trick consumers into revealing their sensitive personal information: name, address, credit card number, security code, and if you are gullible enough: your online banking sign-in credentials (e.g., ID, password).

A brief search of the Internet found similar phone scam experiences reported by consumers at Honeypot. I did not try a Better Business Bureau search, since I only had a company name and no address. There are simply too many companies in the BBB database that use the "Card Services" name.

It seems that many credit card issuers and banks have an internal department often called "Card Services," which the scammer is hoping that consumers will mistakenly believe is calling.

The Fraud And Identity Theft Prevention page at the Capital One website advises consumers:

"Never give your account number to someone calling you on the phone, even if the caller says it will be used to claim a prize or award."

Instead of a prize, this scammer offered a lower interest rate credit card. Thankfully, I was alert and knowledgeable enough to spot this scam and avoid being a victim. If you have experienced a phone scam like I did, or if you have been a victim, experts advise consumers to report it to the U.S. Federal Trade Commission and to your state's attorney general office. While at the FTC website, I reported this scam.

The phone scam I received was just one version of telemarketing fraud scams. Watch this FTC video to learn how to spot telemarketing fraud:

If you have received a phone call from Card Services, what was your experience?

Comparison Of The Current Data Breach Bills In Congress

There is a good article by the Center For Democracy And Technology (CDT) which compares the current data breach bills in the U.S. Congress. I discussed this proposed legislation in this prior blog post. The CDT reported:

"... there are a number of pending data breach bills, including Representative Rush’s DATA, Representative Bono Mack’s recently marked up SAFE Data Act, and Senators Pryor and Rockefeller’s (acronym-free) Data Security and Breach Notification Act. Other pending legislation, including Senator Leahy’s Personal Data Privacy and Security Act as well as the White House’s Cybersecurity Proposal, also addresses data breaches."

This proposed legislation is important because:

"Current federal law requires notification of consumers in the event of a breach only in limited circumstances, while nearly every state has its own version of a data breach law. Congress is now looking to simplify data breach laws with a national standard, but the question is whether such a standard would be a step forward for consumers. It’s an issue that CDT has been following since at least 2005."

Whenever politicians want to "simplify" something, it's usually time to start worrying. What may be simpler for corporations and organizations could place consumers' sensitive personal information at risk. And, the usual players will argue about the cost burdens on companies. Let's remember the burdens on consumers, too, who typically have fewer resources.

When I read proposed legislation, I consider it effective data breach legislation when it addresses all of the following components:

  1. Definition of personal information. This can be tricky. Just as there are various data elements available about consumers today (e.g., GPS location data attached to photos, images, tweets, social media posts, etc.) that didn't exist 5 or 10 years ago, future technologies will contain new data elements that don't exist today.
  2. Define the organizations covered by the law. It should cover all organizations in both the private and government sectors. In prior "Red Flag" legislation, attorneys gained an exclusion.
  3. Dictate how data should be protected (e.g., if electronic records, then encryption) both during transmission and during storage. The legislation has to assume that a variety of identity-theft criminals and hacktivists will continually attempt to hack or breach websites containing sensitive consumer information. Prior legislation seemed to assume the traditional data storage within a company's premises. Future legislation must assume both traditional and cloud-computing storage. Ideally, certain types of sensitive personal information shouldn't be "stored in the cloud."
  4. Define the types of events (e.g., a minimum number of records exposed, domestic locations, international locations) that trigger notification.
  5. Define the parameters of notification (e.g., personal letter via snail mail, ads in news media).
  6. Define the assistance provided to breach victims (e.g., consumers, employees, customers). There is no standard definition of "credit monitoring," which may or may not include credit monitoring, quarterly or real-time updates, real-time notices, credit resolution, insurance, and credit scores. Typically, companies have offered one or two years of free credit monitoring services. This length is insufficient given the high value and long life of various data elements (e.g., Social Security Numbers).
  7. Effect on state law. According to the National Council of States Legislatures (NCSL), as of October 2010 about 46 states in the USA plus Puerto Rico and the U.S. Virgin Islands have breach notification laws. The four states lacking breach notification laws are Alabama, Kentucky, New Mexico, and South Dakota. Weak federal legislation that supersedes state law would be a step backwards for residents in states with strong breach notification and data security laws.
  8. Fit with existing law. There are existing laws for medical and financial information. New breach legislation should not weaken these existing laws.
  9. Contain sufficient penalties for violators. This can't be a simple "slap on the hand," and must contain sufficiently high fines and/or jail time for repeat offenders.

The State of Florida Made $63 Million in 2010 Selling Drivers' Personal Data. What About Your State?

Business Insider reported that the state of Florida sells the personal information of drivers:

"... to private investigators and research services for years with last year's sale bringing in almost $63 million. Reported by News Channel 5 in Tampa, the state sells nearly all the information on every license including birth dates and drivers license numbers."

The news report listed the price at $0.01 per driver's record. That sounds awfully low -- too low -- given the data elements purchased and the reliable data source (e.g., the State of Florida). Do you think your personal information is worth more than a penny? I do, and guess that you do, too.

The companies that purchase Florida drivers' information include some familiar names: Acxiom Information Securities Service, Inc., Choice Point, E-Funds, Explore Information Services, LexisNexis, Line Barge, Goggan, Blair, & Simpson, Inc., SC Services, ShadowSoft, TLO LLC, and West Services Inc.

The Driver Privacy Protection Act (DPPA) is a Federal law enacted in 1994, long before corporate data breaches, digitized profiles, and privacy became the problems we have today. The DPPA regulates what personal information must be protected, and what can (and cannot) be sold by states. According to the Electronic Privacy Information Center (EPIC):

"The DPPA was passed in reaction to a series of abuses of drivers' personal information held by government. The 1989 death of actress Rebecca Schaeffer was a prominent example of such abuse. In that case, a private investigator, hired by an obsessed fan, was able to obtain Rebecca Schaeffer's address through her California motor vehicle record. The fan used her address information to stalk and to kill her. Other incidents cited by Congress included a ring of Iowa home robbers who targeted victims by writing down the license plates of expensive cars..."

Some states have laws providing greater protections for drivers' personal information. There have been at least two class-action lawsuits for alleged DPPA violations.

Does your state sell drivers' personal information? Probably. It can be difficult to determine. Often, there is a disclosure in your state government motor vehicle registry website about the DPPA and what your state does (and does not) sell. For example, the Massachusetts RMV website:

"The DPPA restricts the disclosure of personal information, as defined in 18 U.S.C §2725. Personal information is information that identifies an individual, including name, address, driver's license number, social security number*, photograph* and medical information... The DPPA only restricts personal information. Information on vehicular accidents, driving violations and driver's status is not personal information. Also, information that does not pertain to an individual would not be considered personal information."

As in other states, only "Permitted Users" can buy this drivers' personal information, and the state supposedly verifies both the purchasers' identities and whether the purchasers' post-sale usage complies with the law. So, drivers' personal information is being sold. I wasn't able to find a disclosure about the annual total amount of revenues from DPPA sales.

Another example from the New York State DMV:

"You must have a DPPA permissible use to request DMV records that contain personal information. Personal information includes name, address, or Client ID Number (Driver License Number). You must certify that you have a permissible use when you request records that contain personal information... The DMV records that are frequently requested are driver abstracts, registration abstracts, title abstracts, and accident reports... The DMV normally does not provide a history of the ownership or the mileage of a vehicle... To request a vehicle ownership history, you must certify that you have a DPPA permissible use for the information... The National Driver Register (NDR) is a database maintained by the Federal government. The NDR lists: the drivers from each US state who have a driver license that is suspended or revoked, and the drivers who were convicted of a serious traffic violation like DWI or a drug-related violation. Motor vehicle bureaus in the US provide the NDR with the names of persons who lose the privilege to drive or who were convicted of serious traffic violations... You can use form NDR-1 to search the NDR. Information from the NDR must comply with the DPPA."

Another example from Texas:

"... the Driver’s Privacy Protection Act (DPPA), makes it illegal for the general public, including the media, to obtain, publish or confirm personal information about you from the state motor vehicle database. The law does provide exceptions for certain entities, such as courts and police. Texas law provides additional protection under the Motor Vehicle Records Disclosure Act, and the Public Information Act (Section 552.130)."

Personally, I don't believe that Florida (and other states) should sell drivers' personal information to information brokers, regardless of the uses claimed by the data brokers. It effectively makes the data publicly available to everyone, "permitted uses" or not.

The states' DPPA disclosures which I have read are often long, difficult to read, and at times confusing. The information could be presented far better with pages containing separate summaries, instructions, and forms for each target audience (e.g., individuals/residents, companies, state/local agencies, law enforcement/courts, etc.). When there are additional state laws providing broader protections, you almost have to be an attorney in order to reconcile the multiple laws to understand exactly what is protected and sold.

Kudos to News Channel 5 in Tampa for the good investigative journalism.

What is your opinion? Should states sell drivers' personal information? Is the price Florida charged too low?

Personal Information Recovered From Wiped Hard Drive

We all discard old computers. Apparently, a professionally wiped hard drive is insufficient data security for discarded computers. Watch this WYFF Channel 4 Greenville-Spartanburg news video. (Or watch it here.)

Using software available on the Internet, two computer professionals explained how they recovered sensitive patient information, including Social Security numbers, from hard disk drives professionally wiped clean and discarded by a hospital.

For effective data security, businesses and consumers should shred old hard-disk drives when discarding them.
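As an added example (not code from the WYFF report or the professionals it quotes), here is the kind of sanitization check a practitioner can run over a drive image before a drive leaves the building: it lists the sectors a zero-fill wipe left untouched and scans for SSN-shaped residue like the records the report describes. The disk image and the SSN in it are constructed placeholders; on a real drive the same functions would run over the raw block-device image.

```python
"""
Verify that a disk image really is sanitized before disposal.
Added example, constructed in memory: the 'image' below is a few
zero-filled sectors with one sector of leftover patient-record text.
"""
import re

SECTOR = 512

# ASCII Social Security Number pattern (the kind of residue the news report
# says was recovered). Plain-text heuristic only: it does not see data in
# other encodings, so a clean result is necessary, not sufficient.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def nonzero_sectors(image: bytes, sector: int = SECTOR) -> list[int]:
    """Indices of sectors that contain any non-zero byte.

    After a zero-fill wipe this list should be empty; anything in it is data
    the wipe did not touch (or a remapped/bad sector the tool skipped).
    """
    return [off // sector for off in range(0, len(image), sector)
            if any(image[off:off + sector])]


def find_ssn_residue(image: bytes) -> list[tuple[int, str]]:
    """(byte offset, matched text) for every SSN-looking run in the image."""
    return [(m.start(), m.group().decode("ascii")) for m in SSN_RE.finditer(image)]


def verify_wipe(image: bytes) -> dict:
    """Summarize both checks: zero-fill completeness and a PII pattern scan."""
    dirty = nonzero_sectors(image)
    hits = find_ssn_residue(image)
    return {
        "clean": not dirty and not hits,
        "nonzero_sectors": dirty,
        "pii_hits": hits,
        "sectors_total": (len(image) + SECTOR - 1) // SECTOR,
    }


def build_sample_image() -> bytes:
    """Constructed 8-sector image: wiped except for sector 3, which still
    holds a fragment of a patient record. The SSN is a placeholder value."""
    img = bytearray(8 * SECTOR)
    residue = b"PATIENT: DOE, J.  SSN 123-45-6789  DOB 01/02/1960\n"
    img[3 * SECTOR:3 * SECTOR + len(residue)] = residue
    return bytes(img)


if __name__ == "__main__":
    report = verify_wipe(build_sample_image())
    print("clean:", report["clean"])
    print("non-zero sectors:", report["nonzero_sectors"], "of", report["sectors_total"])
    for off, text in report["pii_hits"]:
        print(f"  residue at offset {off:#x}: {text}")
```

A drive that passes this check has at least been overwritten in full; a drive that fails it should be treated as unsanitized, which is the situation the report describes.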

Breach Notification And Privacy Laws

Australia may be falling behind other countries in implementing data breach notification laws to require companies and government agencies to notify consumers when their personal information has been exposed or stolen. ZDNet Australia reported:

"Australia currently doesn't have any legislation to force companies to disclose breaches, even though it was recommended as part of the Law Commission's report on privacy, released in 2008."

The article summarized existing breach notification laws or pending legislation in several countries:

"Internet and telecommunications service providers in the UK are also already required to disclose when they have experienced a breach. However, the EU commissioner said last month that she wanted to extend this to all businesses... New Zealand doesn't have any breach notification laws... Canada has a Bill that is proceeding through parliament that will require businesses to disclose data breaches if they may result in a "real risk of significant harm". Until this is passed, its Federal Privacy Commissioner has issued guidelines for organisations to follow in the event of a breach, but these are voluntary."

According to the National Council of States Legislatures (NCSL), as of October 2010 about 46 states in the USA plus Puerto Rico and the U.S. Virgin Islands have breach notification laws requiring notification when consumers' personal information is disclosed. The four states lacking breach notification laws are Alabama, Kentucky, New Mexico, and South Dakota.

If you live in one of those four states without breach notification laws, you might want to ask your elected officials why.

The need for legislation in the USA is driven not just by data breach notification but also by the need to protect consumers' privacy. The Do Not Track opt-out setting for consumers is largely ignored by advertisers. Plus, Ars Technica reported:

"... the United States and Turkey are the only developed nations in the world without a comprehensive law protecting consumer privacy. European citizens have privacy rights, Asian citizens have privacy rights, Latin American citizens have privacy rights. In the US, however, in lieu of a comprehensive approach, we have a handful of inconsistent, sector-specific laws around particularly sensitive information like health and financial data..."

Given the state of privacy legislation in the USA and the tendency of consumers to avoid reading the terms of use and privacy policies for products and websites, the result has been that companies':

"... risk-averse lawyers have figured out that the best way to not violate [FTC guidelines] is to not make explicit privacy promises at all. For this reason, corporate privacy policies tend to be legalistic and vague, reserving rights to use, sell, or share your information while not really describing the company’s practices. Consumers who want to find out what’s happening to their information often cannot, since current law actually incentivizes companies not to make concrete disclosures."

Various legislation proposed in the U.S. Congress:

  • The Data Breach And Security Act of 2011: re-introduced in June by U.S. Senators Mark Pryor (D-Arkansas) and John D. (Jay) Rockefeller IV (D-West Virginia) to require businesses and nonprofit organizations that store consumers’ personal information to put in place strong security features to safeguard sensitive data, alert consumers when this data has been breached, and provide breach victims with tools to protect their credit and finances.
  • The Secure and Fortify Electronic Data Act (a/k/a the SAFE Data Act) introduced by Mary Bono Mack (R-California), Chairperson of the House Subcommittee on Commerce, Manufacturing, and Trade, to establish national standards for data security and breach notification.
  • The Best Practices Act introduced by Bobby Rush (D-Illinois) in February 2011.
  • The Consumer Privacy Protection Act introduced by Cliff Stearns (R-Florida) in April 2011.
  • Do Not Track legislation introduced in the State of California Senate.

I have not yet read the entire text of all four bills, and will do so once the content settles after revisions and consolidations.

Study: "Do Not Track" Opt-out Compliance Varies Among Advertisers

Several news sources recently reported the results of a study by researchers at the Stanford Security Lab. The researchers developed a method to monitor whether or not advertisers complied with the consumer opt-out selection from targeted advertising.

Consumers can opt out of targeted advertising at the Network Advertising Initiative website, or use this beta version Firefox Add-on. You can read the research study methodology here, with updates from several advertisers.

AdWeek reported the researchers' findings:

"Nearly half of the companies participating in the self-regulatory Network Advertising Initiative do not remove tracking cookies after users opt out of online behavioral ad targeting, according to Jonathan Mayer, a graduate student and research fellow at the Stanford Center for Internet and Society. At least eight of the companies explicitly say they’ll stop tracking after users opt out but continue to leave tracking cookies in place, said Mayer."

Those eight companies included: 24/7 Real Media, Adconion, AudienceScience, Netmining, Undertone, Vibrant Media, Wall Street on Demand, and TARGUSinfo AdAdvisor.

If a company says it won't track you, then it should remove the tracking mechanism from that consumer's browser/computer. And there is confusion:

"... on some industry sites that specifically mention data collection, the language is written in such a way that people might think they’re opting out of collection altogether, but they’re actually only opting out of information gathering for the specific use of ad targeting."

So, a comprehensive solution would seem to have to include at least three factors:

  1. Clear, consistent language about what the consumer is opting out of (e.g., targeted ads, tracking, data collection, all of the above)
  2. Clear, consistent compliance and removal of the tracking mechanisms
  3. Independent auditing of advertiser opt-out compliance, since most consumers do not have the time, skills, or experience to perform this technical audit. Ideally, the audit would also publish the names of offending companies

The research study results suggest to me that self-regulation probably is not working. What do you think?
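To make the third factor concrete, here is an added example (not code from the original post or from the Stanford researchers) of the comparison an independent audit would run: capture each ad network's cookies before and after the opt-out, then check that the opt-out marker was set and that identifier cookies were removed rather than kept or re-issued. The domain names, cookie names and values are constructed for the example, and the rule for recognizing an identifier cookie (12 or more characters mixing letters and digits) is an assumption, not a standard.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    domain: str
    name: str
    value: str


# Names an NAI-style opt-out uses to record the choice (constructed for this example).
OPT_OUT_NAMES = {"OPTOUT", "opt_out", "NAI_OPTOUT"}

# Assumed heuristic: a value that looks like a unique identifier is 12+ chars mixing letters and digits.
_ID_VALUE = re.compile(r"^(?=.*[A-Za-z])(?=.*\d)[A-Za-z0-9_\-]{12,}$")


def is_identifier(cookie: Cookie) -> bool:
    """True for cookies that can single out a browser (the opt-out marker itself never counts)."""
    return cookie.name not in OPT_OUT_NAMES and bool(_ID_VALUE.match(cookie.value))


def classify(before: list, after: list) -> str:
    """Compare one ad domain's cookies captured before and after the opt-out request."""
    if not any(c.name in OPT_OUT_NAMES for c in after):
        return "no opt-out cookie set"
    ids_before = {c.name for c in before if is_identifier(c)}
    ids_after = {c.name for c in after if is_identifier(c)}
    kept = sorted(ids_before & ids_after)      # identifier survived the opt-out
    issued = sorted(ids_after - ids_before)    # a fresh identifier was handed out after opt-out
    if kept or issued:
        parts = []
        if kept:
            parts.append("kept " + ",".join(kept))
        if issued:
            parts.append("newly issued " + ",".join(issued))
        return "opt-out set but still tracking (" + "; ".join(parts) + ")"
    return "compliant"


def audit(snapshots: dict) -> dict:
    """snapshots: {domain: (cookies_before, cookies_after)} -> {domain: verdict}."""
    return {domain: classify(b, a) for domain, (b, a) in snapshots.items()}


# Constructed snapshots for three hypothetical ad networks (not real companies).
SAMPLE = {
    "ads-a.example": (  # removes its identifier and records the opt-out
        [Cookie("ads-a.example", "uid", "a7f3k9q2m1x8z4")],
        [Cookie("ads-a.example", "OPTOUT", "1")],
    ),
    "ads-b.example": (  # records the opt-out but leaves the identifier in place
        [Cookie("ads-b.example", "uid", "c1d2e3f4g5h6i7")],
        [Cookie("ads-b.example", "OPTOUT", "1"),
         Cookie("ads-b.example", "uid", "c1d2e3f4g5h6i7")],
    ),
    "ads-c.example": (  # never records the opt-out at all
        [Cookie("ads-c.example", "sid", "9z8y7x6w5v4u3t")],
        [Cookie("ads-c.example", "sid", "9z8y7x6w5v4u3t")],
    ),
}

if __name__ == "__main__":
    for domain, verdict in audit(SAMPLE).items():
        print(f"{domain}: {verdict}")
```

Run as-is it prints one verdict per domain; in a real audit the two snapshot lists would come from a browser's cookie store exported before and after visiting the opt-out page, and the verdicts for "opt-out set but still tracking" are the cases the AdWeek report describes.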

How Secure Are Today's Smart Phones?

Smart phones are popular. An estimated 55 percent of consumers buy them, up from 34 percent in 2010. For the latest three months ending May 2011, the share of the smart phone market is dominated by Google/Android (38.1%), Apple/iOS (26.6%), RIM (24.7%), Microsoft (5.8%), and others (4.8%). Companies are racing to replace consumers' credit cards and cash with mobile wallets (a/k/a mobile payments) on smart phones.

My wife bought me a smart phone in December as a Christmas present. My Windows Phone is very convenient. The camera, handling of multiple e-mail accounts, ESPN ScoreCenter, Twitter, Ars Technica, and BBC News apps are my favorites. However, I have a love-hate relationship with my smart phone.

The interface is inconsistent across apps. Different apps use different buttons and controls. Some apps automatically collect updates using my data plan, and others let me control the refresh/update. The voice-activated Bing search on my phone is great, but I don't yet have Google/Bing searches integrated with McAfee SiteAdvisor on my smart phone as I do on my laptop.

While browsing various websites with my smart phone, I often see a warning message that my phone uses an obsolete web browser. While browsing Marketplace Hub for new apps to download and install on my smart phone, I have noticed that some apps have privacy policies and many don't. Not good.

When I start to think about poor smart phone data security, apps lacking privacy policies are one example. Apps that lack privacy policies make no promise or commitment to consumers about how that app (and its developer) will protect, use, sell, and/or share consumers' data collected by that app. Nor does the app make any promises about what data it will, or won't, collect and transmit back to the app developer.

I don't install apps that lack a privacy policy.

I have also noticed that several privacy policies apply. There are separate privacy policies from the phone manufacturer (HTC), the operating system developer (Microsoft), the telecommunications provider (AT&T), and each app developer. Simplicity and integration would be a huge benefit. A single, comprehensive privacy policy would be better. The current multitude of policies makes it difficult for consumers to assess how private (and secure) the information on their smart phone really is.

After discussing this with friends, my phone experience doesn't seem much different from other brands: Apple/iOS, and Google/Android.

All of this leads me to wonder how secure smart phones really are. So, I've started to compile a list of smart phone data security statistics. According to Infosec:

"Existing mobile operating systems are under attack... Current research is primarily geared towards securing mobile payments, but there is a lack of coordination between mobile payment developers, device manufacturers, and mobile operating system platform developers. Hackers are taking advantage of the loophole created by this lack of coordination."

The New York Times reported on another measure of smart phone (in)security:

"Phishing is also a growing problem on all smartphone platforms... Mobile users are three times more likely to fall for these scams than PC users, according to statistics on phishing recently gathered by one security company, Trusteer. The company believes that is because mobile devices are activated all the time, and small-screen formatting makes the fraud more difficult to spot. It cautions people not to click on Web links in messages."

In prior blog posts, I have reported about class-action lawsuits against OpenFeint and Apple which included allegations of unauthorized tracking and data collection by apps of consumers' sensitive personal information. That is another measure of smart phone data security (or lack thereof).

Since there are reportedly 200,000+ apps in Apple's App Store, 70,000+ in Android's Market, and 25,000+ apps for Windows phones, I spent some time reading app-related studies.

In October 2010, researchers at Intel Labs, Penn State, and Duke University released results of their study of Google/Android apps. The researchers randomly selected 30 apps from the 358 most popular free apps in the Android Market, and developed a method called TaintDroid to track what private information was shared. The researchers found:

"In a study of 30 popular applications, TaintDroid revealed that 15 send users' geographic location to remote advertisement servers. The study also found that seven of the 30 applications send a unique phone (hardware) identifier, and, in some cases, the phone number and SIM card serial number to developers."

The researchers also studied notification of consumers, because privacy violations can occur when data is used in unexpected or unauthorized ways. The researchers also found:

"... the install-time permission checks do not indicate to the user how these services and data will be used. There is no way to determine simply from the set of permissions how data will be used, and in some cases misused. Users can also be notified of an application's behavior via a license agreement that is displayed on first use. With one exception, we found the user license agreements in the studied applications, if present at all, do not provide any additional information on how data is used."

In June 2010, SMobile Systems (now Juniper Networks) released the results of its study about Google/Android apps (PDF):

"... one in every five applications request permissions to access private or sensitive information that an attacker could use for malicious purposes. One out of every twenty applications has the ability to place a call to any number without interaction or authority from the user. More frighteningly, 29 applications were found to request the exact same permissions as applications that are known to be spyware and have been categorized and detected as such by SMobile’s solution. A full eight applications explicitly request a specific permission that would allow the device to brick itself, or render it absolutely unusable. 383 applications were found to have the ability to read or use the authentication credentials from another service or application. Finally, 3% of all of the Market submissions that have been analyzed could allow an application to send unknown premium SMS messages without the user's interaction or authorization."

SMobile concluded (bold emphasis added):

"... the fact remains that there is no means available for a user to know for sure that the app they just downloaded is doing only what the user sees it doing. One must look at the permissions it has requested to determine what the application's true capabilities might be."

These permissions are the actions an app could perform: make a phone call, send an SMS/text, send an e-mail, transmit data, save/edit/delete a file in the smart phone's memory, modify a phone setting, access a smart phone feature (e.g., camera), and so forth.
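Since the permission list is the only signal a user (or an auditor) has about an app's true capabilities, here is an added example, not from the studies quoted above, of a review script that reads an app's manifest, maps the requested permissions to the actions listed above, flags permission combinations that let sensitive data leave the phone (the TaintDroid finding), flags actions that can put charges on the bill, and compares the set against a spyware-like permission profile (the SMobile comparison). The manifest and the spyware profile are constructed for this example; the permission names themselves are real Android permission names.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions mapped to the action they let an app perform (real Android permission names).
CAPABILITIES = {
    "android.permission.CALL_PHONE": "place phone calls without asking the user",
    "android.permission.SEND_SMS": "send SMS/text messages (premium-rate charges possible)",
    "android.permission.READ_PHONE_STATE": "read the phone's hardware identifier and phone number",
    "android.permission.ACCESS_FINE_LOCATION": "read precise GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "read approximate location",
    "android.permission.READ_CONTACTS": "read the address book",
    "android.permission.RECORD_AUDIO": "record from the microphone",
    "android.permission.CAMERA": "use the camera",
    "android.permission.INTERNET": "transmit data to any server",
    "android.permission.USE_CREDENTIALS": "use authentication tokens stored for other accounts",
}

# Sensitive data sources that, combined with INTERNET, become an outbound data flow.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": "hardware identifier / phone number",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.RECORD_AUDIO": "microphone audio",
}

# Permissions whose use can create charges on the monthly bill.
BILLING = {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"}

# Constructed permission profile standing in for a known spyware family (illustrative only).
SPYWARE_PROFILE = frozenset({
    "android.permission.INTERNET",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
})


def requested_permissions(manifest_xml: str) -> set:
    """Collect every <uses-permission android:name="..."/> entry in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def review(manifest_xml: str, spyware_profile=SPYWARE_PROFILE) -> dict:
    """Summarize what the requested permissions allow, in terms a user can act on."""
    perms = requested_permissions(manifest_xml)
    flows = []
    if "android.permission.INTERNET" in perms:
        flows = sorted(f"{SENSITIVE[p]} can be sent to remote servers"
                       for p in perms if p in SENSITIVE)
    return {
        "permissions": sorted(perms),
        "capabilities": sorted(CAPABILITIES[p] for p in perms if p in CAPABILITIES),
        "exfiltration_paths": flows,
        "billing_actions": sorted(p.rsplit(".", 1)[-1] for p in perms & BILLING),
        "matches_spyware_profile": spyware_profile <= perms,
    }


# Constructed manifest for a hypothetical flashlight app that asks for far more than it needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Flashlight"/>
</manifest>"""

if __name__ == "__main__":
    for key, value in review(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The "exfiltration_paths" entry is the point of the TaintDroid study in permission form: neither READ_PHONE_STATE nor INTERNET alone tells a user that the hardware identifier will go to a remote server, but the pair does, and the install-time permission screen shows them separately.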

Another measure of data security has been documented by the News Of The World and News Corporation phone-hacking scandal. The Boston Globe explained well the vulnerability from "caller ID spoofing" combined with the lack of a voice-mail password requirement at most mobile carriers:

"... caller ID spoofing, which can make a call appear to be coming from any phone number. Hackers can use it to access someone else’s voice mail messages by fooling the system into thinking the call is coming from the owner’s cellphone... Three of the four major US cellphone carriers - AT&T, T-Mobile, and Sprint - do not require customers who call voice mail on their own phones to use a password to listen to messages, making them vulnerable to malicious spoofers. That is a serious shortcoming..."

Smart phones don't seem nearly as secure as I thought before compiling the above list of statistics. There seem to be several ways to assess smart phone data security:

  • Consistency of privacy policies across the manufacturers, service providers, and app developers
  • Presence of privacy policies across apps
  • Compliance rates by app developers with an app store's security policies and guidelines
  • Whether app privacy policies disclose both data collected and how that data will be used
  • Whether apps collect and transmit data beyond the privacy policy disclosure
  • Whether apps perform permissions beyond what the user sees or is stated in the privacy policy
  • Whether apps perform actions (e.g., transmit e-mail, SMS/text, or data) without first notifying users and gaining authorization. Some of these actions can produce charges on consumers' monthly mobile bills
  • Whether apps collect and transmit data to third parties (e.g., advertisers, manufacturers, affiliates)
  • Whether apps that mimic known spyware's features and behaviors are indeed acting as spyware
  • Malware installed secretly on consumers' smart phones by phishing attacks via websites, email, text/SMS
  • Whether the telecommunications carrier provides a secure access to voice-mail with a password, and builds this into the app on the smart phone

Besides this list of discrete data security measurements, there is an overarching consideration. Today's mobile devices (e.g., smart phones and tablets) are pre-programmed and designed by manufacturers to be always tethered to some telecommunications service, unlike traditional desktop and laptop computers which can be configured to operate with any of several telecommunications networks chosen by the user. The Observer concluded:

"... we are on the slippery slope towards a much more controlled, less open, internet. If these trends continue, then it won't be all that long before a significant proportion of the world's internet users will access the network, not via freely programmable PCs connected via landline networks, but through tethered, non-programmable information appliances (smartphones) hooked up to tightly controlled and regulated mobile networks... The danger, in other words, is that we move from an internet designed for people to a network tailored only to the needs of corporations."

It seems to me no accident that the mobile device manufacturers use the term "jail-break" to describe consumers' desire to use mobile devices on the telecommunications network of their choice (and not the manufacturer's choice). My view: the Internet was designed to be flexible for users to explore and to innovate. Otherwise, why bother?

What's your opinion about smart phone data security? What studies have you read?

Win Some Cash! Enter The Privacy Concern Contest on Twitter

Here is an opportunity to win some cash! PrivateWiFi, a provider of secure wireless services, is operating a contest via Twitter. Tweet your biggest privacy and security concern and you might win one of the following prizes:

  • First Prize: $300
  • Second Prize: $200
  • Third Prize: $100

The contest started July 12 and ends Friday, July 22. Browse contest rules. You can enter multiple tweets. After the deadline, PrivateWiFi will select the three winning tweets. To enter the contest, tweet your online privacy and security concerns to @PrivateWiFi and use the hashtag #ilikeprivacy. Here is my entry:

@PrivateWiFi Banks selling consumers' debit card shopping habits to 3rd parties. Broken trust & don't know where data goes. #ilikeprivacy

Here are a few other entries:

"SarahaADowney My biggest privacy concern is the collection, sale, & public display of personal data on people search websites. #ilikeprivacy"

"TomBarten my biggest privacy concern is not knowing, and not being able to find out, what happens to your personal data. #ilikeprivacy"

"CAPAPA Privacy-invasive provisions of the negotiated-in-secret Anti Counterfeiting Trade Agreement #ACTA #ilikeprivacy"

So, visit Twitter or fire up the Twitter app on your mobile device and enter the contest today!

Curious? A few related articles:

Why Does First Data Know So Much About Consumers?

[Editor's Note: This blog post was first published on September 10, 2008. I am posting it again since several banks have decided to sell consumers' debit card shopping habits, and since consumer tracking has increased greatly during the years. Banks have a sacred trust to their customers -- to serve and protect consumers' sensitive personal information, not sell it all. Guest author William Seebeck has written several posts for this blog. "Bill" and I worked together at Lexis-Nexis headquarters in Dayton, Ohio during the 1980's. Bill sent to me his comment below which he also submitted as a reply to the ZDNet blog post by Tom Foremski about First Data Corporation. Bill's message deserves the widest audience possible, and it includes advice First Data, the big banks, and consumers would be wise to listen to.]

By Bill Seebeck

I'm sure that it is true, as Mr. Capellas states, that he knows more about what we (the American public) are likely to do next than we do ourselves.

However, I hope that Mr. Capellas also knows that he and First Data Corporation hold a special trust as the guardians of that information as it represents the most private of American consumer information.

Why does First Data know so much?

In part it is because First Data Corporation, now a private corporation, represents both sides of most electronic transactions. It represents more than 50% of the banks and other financial institutions that issue credit/debit cards and other electronic instruments. It also represents more than 50% of all merchants that accept credit cards at their stores, restaurants on the streets of America's towns and cities and also on the electronic highway that transits our Internet community. First Data also represents more than 50% of all the ATMs that Americans use every day.

This means that First Data Corporation has knowledge of your bank accounts, credit activity, purchasing data, and much, much more.

I think most Americans would agree, Mr. Capellas, that as a result of the role your company plays in all aspects of financial transactions, you and your company are in a very unique and most singular position. You hold a sacred trust, it seems, to guard the privacy of such transactions rather than thinking up new ways to monetarily benefit from the use or sale of this most private information.

Those of us who are pioneers in the use of electronic information and e-payment services believe that companies like First Data should be much more transparent. It is bad enough that America's consumers feel held hostage by the credit reporting agencies; they don't need another company to exploit them.

Mr. Capellas, most Americans don't know that you have access to their bank accounts, their store accounts, their phone records and their Internet activity. I strongly suggest that you keep what you and your company know about what is in those accounts to yourself. Show the people of America what keeping a sacred trust is all about.

William B. Seebeck
August 8, 2008. © William Seebeck.

Epsilon General Counsel Admits Lessons Learned From Its Data Breach

On June 2, Epsilon Data Management's General Counsel, Jeanette Fitzgerald, answered questions before a Congressional inquiry panel about the company's massive data breach. While Fitzgerald has been with Epsilon for five years, she became General Counsel in January 2011.

Epsilon, a marketing e-mail company, suffered a data breach earlier this year which exposed the e-mail addresses of millions of consumers. Basically, a hacker broke into the company's e-mail computers and stole millions of e-mail addresses. This subjected consumers to phishing spam. Congress demanded an investigation.

The Congressional hearing, titled "Sony and Epsilon: Lessons for Data Security Legislation," included another major witness: Tim Schaaff, president of Sony Network Entertainment International. Sony experienced about four major breaches earlier this year. C-Span provides video testimony from Schaaff and Fitzgerald. (Hearings by the Subcommittee on Commerce, Manufacturing, and Trade are also on YouTube.)

As reported in Corporate Counsel:

"... Epsilon fully supports national legislation that would create a uniform standard for data breach notification..."

Perhaps more importantly, and for other C-suite executives, Fitzgerald listed what her company had learned from its data breach experience:

"1. Have a data response team and a response plan in place: 'I cannot stress enough how important it is to have staff across disciplines who are smart and capable of thinking on their feet. [The crisis] required fast-paced decisions.'

2. Consider your insurance now. If you don't have it, can you get it? And if you have it, ask yourself if it is broad enough to cover the many situations you may encounter.

3. If you find yourself in a data crisis, take some time to evaluate what the repercussions are likely to be. 'Thinking it through first will guide how you respond to the fast-moving issues.'"

You would think that, given the multitude of high-profile data breaches during the past few years, any company or C-suite executive paying attention to the news would already know this and prepare.

Ringleader Digital May Have Ceased Operations

Clickz reported that Ringleader Digital, a firm focused on behavioral advertising for mobile devices, may have ceased operations and closed without notice:

"Its staff is no longer answering or returning phone calls and emails... A doorman in the lobby at the address listed on Ringleader's corporate website - 286 Fifth Avenue, New York, NY – said the company's offices have been locked since the beginning of the month and no one has entered the premises since..."

Ringleader's technology was the focus of concern by several privacy advocates. The company faced several class-action lawsuits for allegedly performing tracking and data collection of mobile devices without providing notice to users or gaining users' consent. The two major class-action lawsuits were Hillman et al and Aughenbaugh et al filed in November 2010.

The Hillman complaint included as codefendants several well-known companies: Ringleader Digital, Accuweather, CNN, ESPN, Fox News Network, Go2 Media, Merriam-Webster, Travel Channel, and the Whitepages. ESPN and Fox News were not listed as defendants in the Aughenbaugh complaint. The Hillman complaint alleged that Ringleader's mobile tracking violated the mobile device manufacturers’ agreements, and included the tracking of minor children.

According to ClickZ, Ringleader had agreed to settle out of court one of the lawsuits.

WellPoint To Pay $100K Settlement To State of Indiana For Data Breach

On Tuesday, the Indiana Attorney General's Office announced an agreement with WellPoint regarding the health care insurer's data breach in 2010. WellPoint will pay the State $100,000 for the breach which exposed the sensitive personal information of 32,051 Indiana residents. The settlement resolved a lawsuit that Indiana Attorney General Greg Zoeller's office filed under a new data-breach notification law passed in 2009.

A faulty website security update exposed the personal, financial, and medical information of about 470,000 consumers nationwide, including about 5,600 in Connecticut and 230,000 in California. The breach victims included patients who used the company's website to apply for individual health insurance through WellPoint subsidiaries (Anthem Blue Cross or Anthem Blue Cross and Blue Shield) in 10 states.

The data breach exposed consumer information from October 23, 2009, to March 8, 2010. A consumer alerted WellPoint on February 22, 2010, and again on March 8, 2010, that records containing personal information were potentially accessible. Affected consumers were notified about the breach starting June 18, 2010. Indiana Attorney General Greg Zoeller said:

"This case should be a teaching moment for all companies that handle consumers' personal data: If you suffer a data breach and private information is inadvertently posted online, then you must notify the Attorney General's Office and consumers promptly. Early warning helps minimize the risk that consumers will fall victim to identity theft."

I agree. Breach detection, early notification of consumers, and prompt action are essential. I only wish the settlement amount was larger.

Morgan Stanley Data Breach Affects 34,000 Investment Clients

A data breach at Morgan Stanley Smith Barney (MSSB) included the exposure or theft of sensitive personal and financial information about 34,000 of the bank's investment clients. reported the contents of the breach notification letter sent to breach victims.

According to the breach notice, two password-protect CD-ROMs that MSSB had sent to the New York State Department of Taxation and Finance never arrived. The lost or stolen CD-ROMs included investment clients' names, addresses, Social Security numbers, Morgan Stanley Smith Barney account numbers and investment income earned.

This is terrible news for several reasons:

  • MSSB caused this data breach. There was nothing the breach victims could have done
  • A password-protected CD-ROM is not strong protection. Encryption is stronger. CD-ROM drives are the most secure method MSSB executives could use?
  • Investment clients are high-value clients with plenty of money. Their stolen information is ripe for phishing attacks, for resale to other criminals, to open fraudulent accounts, to gain credit, to gain medical coverage, or to commit crimes in the breach victims' names
  • Banks are high-value targets for hackers and identity criminals. The news media has reported about plenty of breaches at banks. Were MSSB executives not listening or asleep at their desks?
  • Unlike credit card numbers, Social Security numbers are valid for a long time. Banks cancel and replace credit card numbers. Not so with SSNs

The lost/stolen MSSB CD-ROMs reminded me of my experience with IBM's data breach in 2007. MSSB needs to do the right thing for its breach victims -- at least five years of complimentary and comprehensive credit monitoring. Why? The length of the free credit monitoring services should match the risk period. And SSNs don't go bad. There have to be consequences when companies don't adequately protect consumers' sensitive personal and financial data. If the free credit monitoring period doesn't match the risk period, then MSSB has unfairly shifted the burden from itself to the breach victims it created.

A check of the MSSB website did not find a press release about the data breach. I guess that MSSB is hoping that this data breach will blow over and be quickly forgotten. summed up the situation appropriately:

"What this letter really says is that after all the coverage of all of the breaches, all the horror stories, all the misery, all the litigation, all the heroic pronouncements by all the regulators, legislators, corporate leaders and consumer advocates, the memo still didn’t get to Wall Street where they obviously care more about intellectual property, trade secrets, inside trading, outsized profits and complaining about over-regulation than their most precious asset: their customers."

Yep. What companies do -- or don't do to protect their customers -- says more than any words. It definitely seems to me that MSSB is not taking data security as seriously as it should.

Customer Losses From Citigroup Data Breach At $2.7 Million

The post-breach news keeps getting worse for Citigroup.

The bank announced in May that 200,000 customers were affected by its data breach. Then, that number was revised upwards to 360,000. ZDNet reported that about 3,400 Citigroup customers have lost about $2.7 million from the May data breach.

The take-aways from this breach:

  • Do the math -- the loss, so far, is just under $800 per breach victim. That is direct evidence of the connection between breaches, identity theft, and identity fraud
  • Banks are high-value targets, so future hacks/attempts are likely
  • Identity criminals are persistent and act quickly to steal money
  • Criminals often re-sell stolen identity information. So, the revenues for the criminals are likely higher than $2.7 million

Groupon India Subsidiary Suffers Data Breach

Last week, the online deals company Groupon announced that its subsidiary in India, SoSasta, suffered a data breach. According to Reuters, an unnamed security expert alerted the company.

Unencrypted passwords and perhaps email addresses of customers were exposed or stolen. InfoWorld reported the SoSasta database size to be 300,000 customers.

SoSasta posted a notice on its Facebook account that the security issue had been fixed, and that customers' financial information (e.g., credit card and debit card information) had not been exposed nor stolen. SoSasta advised its customers to change their passwords.

While it is good to see breach notices on a social networking account, it is a concern that the company didn't discover the breach itself.

Banks To Expand Their Selling of Consumers' Shopping Data

In response to regulation limiting banks' fees, banks plan to replace their lost revenues by selling consumers' shopping habits and data. If you consider how you currently use your debit cards, banks are able to collect an amazing amount of data about where you shop, when you shop, and how much you spend on various types of items.

If you are like most people, you use your debit card to pay for everything: food, clothing, entertainment, travel, medicine, doctor's visits, liquor, and more. Combine that data with your phone calling patterns and the geo-locations in your smart phone, and it's a comprehensive database of where you go, when you go, where you shop, what you buy, and how much you spend.

CNN Money reported:

"Merchants pay banks an average fee of 10% to 15% of the purchase price of a product each time a customer uses a discount that's generated from the bank's data, according to Cardlytics, an intermediary that works with both banks and retailers. Typically, the bank takes a 25% cut of that fee and pays the rest to an intermediary, like Cardlytics. So if a customer buys a $1,000 couch, the merchant pays a fee of up to $150 to the bank and the bank walks away with $37.50."

How the new deals will look to consumers based on the consumer data collection:

"Say you use your Citi-issued debit card to buy a pair of shoes at Nordstrom, and then Citi sells that information to a series of retailers. As a result, you receive a coupon from Macy's for a 20% discount on shoes at its store. The coupon is delivered by Citi, however, not from Macy's. To redeem the coupon, you must respond by text, e-mail or by checking off a box next to the offer on your online bank statement. Once you go into Macy's to buy the shoes, Citi will retroactively credit your account for the 20% discount."

Anytime I read a phrase like, "retroactively credit" alarm bells go off. I want to know how quickly the credit is applied and what might affect the timing or amount of the credit. That means reading the fine print for any cardholder agreements.

Some consumers like the deals and discounts they get for giving up personal information and privacy. Experts speculate that some consumers may prefer these deals over those available at online social networking website deals, like Groupon.

If you read this blog regularly, then these new fees should be no surprise. How did we get to here? Banks already compile databases about your spending with your credit cards. Learn more about the history of how banks made money from credit cards.

After banks raised the interest rates on credit cards in 2009, many consumers shifted their purchases to debit cards. Then, banks increased fees on a variety of actions, such as checking account overdrafts. After many consumer complaints, the U.S. Congress responded with legislation limiting the fees banks can charge for debit cards and credit cards.

You could call this latest move by the banks an escalation in the race to get your money, versus you keeping your money.

As I see it, it all boils down to consumer choice: you decide how much of your personal information to disclose, and for what in return. Your shopping purchases and habits are definitely personal information. A discounted product isn't a "savings" as you still need to spend money. Remember, the debit-card shopping data collection by many banks will happen whether you take advantage of these new deals or not.

What consumers can do if you don't like the data collection:

  • Read the fine print for your card agreement, especially when your bank updates its terms of use and privacy policies (online at its website, or in your monthly credit card statement). That will provide clues about how much privacy you don't have, the companies the bank will sell your shopping data to, and options for you to opt-out of e-mail and snail-mail marketing offers.
  • If you want to keep purchases private, use your debit card at ATMs to withdraw cash and shop with cash at retailers. Then there is no shopping data attached to your debit card.
  • Move your money to a local bank or credit union with better service and more favorable privacy terms
  • Be a smart shopper with mobile banking and "mobile wallets" -- purchases made with your smart phone. First, make sure that anti-malware is installed on your smart phone. Second, only install trustworthy apps that have privacy policies. Otherwise, leaky apps will compromise your personal information and money.

What is your opinion of this? If you have found a bank, with a favorable privacy policy, that doesn't sell your debit-card shopping data, share the bank name or website address below.