23 posts from July 2013

Health Information Data Breach At OHSU Affects More Than 3,000 Patients

Healthcare IT News reported that Oregon Health & Sciences University has experienced another data breach exposing patients' sensitive medical information. In this latest data breach:

"... protected health information has been compromised after several residents and physicians-in-training inappropriately used Google cloud services to maintain a spreadsheet of patient data. The Google cloud Internet-based service provider is not an OHSU business associate with a contractual agreement to use or store OHSU patient health information..."

3,044 patients admitted to the hospital between January 1, 2011 and July 3, 2013 were affected by this breach. Breach notification letters were sent to affected patients on July 26, 2013. OHSU stated in its breach notice:

"In May 2013, an OHSU School of Medicine faculty member discovered residents, or physicians-in-training, in the Division of Plastic and Reconstructive Surgery were using Internet-based services to maintain a spreadsheet of patients... OHSU Information Privacy and Security experts undertook an extensive investigation to determine what information was stored on the Internet-based service... This investigation led to the discovery of a similar practice in the Department of Urology and in Kidney Transplant Services... The data stored with the Internet service provider included the patient’s name, medical record number, dates of service, age, provider’s name and diagnosis/prognosis. For 731 patients, the data also included an address. For 617 patients, neither the reason for hospital stay, or diagnosis, nor the patient’s prognosis, or projected outcome, was among the stored data."

Concerned patients can call OHSU via a toll-free phone number (877 819-9774) from Monday through Friday from 6:00 am to 6:00 pm.

Reportedly, this is the fourth data breach at OHSU. According to the HIPAA Privacy Rule, Protected Health Information (PHI) is:

"... individually identifiable health information. Individually identifiable health information is that which can be linked to a particular person..."

PHI includes past or present medical conditions and illnesses, treatments for the person, and payment methods by the person for the healthcare treatments. The companies and organizations that must comply with the HIPAA Privacy Rule:

"... apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form... Health plans include health, dental, vision, and prescription drug insurers, health maintenance organizations (“HMOs”), Medicare, Medicaid, Medicare+Choice and Medicare supplement insurers, and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans... Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity. These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards... "

The term "business associate" is important because the Privacy Rule applies specifically to vendors or subcontractors used by health plans:

"When a covered entity uses a contractor or other non-workforce member to perform "business associate" services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement... In the business associate contract, a covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates. Moreover, a covered entity may not contractually authorize its business associate to make any use or disclosure of protected health information that would violate the Rule..."

This breach highlights the need for adequate training of employees about cloud services, the data security risks, and what information can/cannot be stored in cloud services. This is also why I am very, very careful and reluctant to share any medical or health information in cloud-based services or in mobile-device apps. Many developers of cloud-based services and mobile-device apps are not HIPAA PHI compliant.

Halliburton To Plead Guilty For Destroying Evidence About BP Gulf Oil Spill

Remember that massive BP oil spill in the Gulf of Mexico in 2010? It was the largest oil spill in U.S. history. The U.S. Justice Department announced last week that Halliburton Energy Services Inc. has agreed to plead guilty to destroying evidence related to the massive 2010 British Petroleum (BP) oil spill in the Gulf of Mexico. Halliburton was a contractor to BP.

The announcement said in part:

"Halliburton has signed a cooperation and guilty plea agreement with the government in which Halliburton has agreed to plead guilty and admit its criminal conduct. As part of the plea agreement, Halliburton has further agreed, subject to the court’s approval, to pay the maximum-available statutory fine, to be subject to three years of probation and to continue its cooperation in the government’s ongoing criminal investigation."

The evidence Halliburton destroyed:

"On or about May 3, 2010, Halliburton established an internal working group to examine the Macondo well blowout, including whether the number of centralizers used on the final production casing could have contributed to the blowout. A production casing is a long, heavy metal pipe set across the area of the oil and natural gas reservoir. Centralizers are protruding metal collars affixed at various intervals on the outside of the casing. Use of centralizers can help keep the casing centered in the wellbore away from the surrounding walls as it is lowered and placed in the well... in or about May 2010, Halliburton, through its Cementing Technology Director, directed a Senior Program Manager for the Cement Product Line (Program Manager) to run two computer simulations of the Macondo well final cementing job using Halliburton’s Displace 3D simulation program to compare the impact of using six versus 21 centralizers. Displace 3D was a next-generation simulation program that was being developed to model fluid interfaces and their movement through the wellbore and annulus of a well. These simulations indicated that there was little difference between using six and 21 centralizers. Program Manager was directed to, and did, destroy these results."

Similar evidence was destroyed again during June 2010. Reportedly, the fine Halliburton will pay is the statutory maximum $200,000. Halliburton also paid a voluntary contribution of $55 million to the National Fish and Wildlife Foundation.

A criminal investigation is still ongoing by the Deepwater Horizon Task Force, based in New Orleans. BP owned the lease for the drilling site. Transocean Ltd. owned the Deepwater Horizon drilling platform and provided the employees that operated the well. BP hired Halliburton to provide cement to plug the leaking oil well.

The Guardian UK reported:

"... Halliburton recommended to BP that the Macondo well contain 21 centralisers – metal collars that can improve cementing – but BP chose to use six... BP and Transocean Ltd, which owned the drilling rig, have previously entered guilty pleas over other aspects of the Gulf oil spill and agreed to pay respective criminal fines of $1.26bn and $400mn... Halliburton, BP and Transocean are also defendants in a federal civil trial that began in February to apportion blame and set damages for the oil spill."

The massive oil spill resulted in the deaths of 11 workers on the oil platform and millions of barrels of oil poured into the Gulf of Mexico waters, damaging shorelines and fish stocks for months. Determining the exact amount of crude oil spilled has been difficult. One estimate is 3.26 million barrels. Other estimates range from 4.4 to 5.5 million barrels spilled. Determining the number is important since the Oil Pollution Act of 1990 includes fines of up to $1,100 per barrel for negligence; or up to $4,300 per barrel for gross negligence.

Some facts from the official report about the BP oil spill and cleanup (Adobe PDF):

  • The spill lasted for 87 days
  • 88,522 square miles of fisheries were closed
  • 181 miles of shoreline were heavily to moderately soaked with crude oil
  • About 9,000 vessels and 835 skimmers were involved in the cleanup efforts
  • 411 situ sites burned off about 250,000 barrels of oil
  • 68,530 gallons (1,632 barrels) of dispersant were used during the cleanup
  • About 47,000 people worked on the cleanup: on ships drilling relief wells, applying dispersant, applying containment booms, in support aircraft, and performing onshore cleanup

Former Vice President Dick Cheney worked as CEO of Halliburton from 1995 to 2000. In 2012, Halliburton's fiscal year-end revenues were $28.5 billion. For the same period, its net income was $2.6 billion.

Both the fine and the voluntary payment seem minuscule compared to the corporation's revenues. Nor do the fine and voluntary payment seem to be much of a deterrent either to future wrongdoing. Hopefully, several senior-level executives will go to prison as a result of the criminal investigation. This type of wrongdoing will stop only when executives know that a fine is insufficient and they will go to prison for a long time.

Push Begins In Germany To Stop U.S. Internet Firms From Operating in Europe

A prior blog post discussed the possible negative impacts upon U.S. Internet and technology companies' businesses and revenues by their forced participation (although some may have participated voluntarily) in several NSA and U.S. government surveillance programs. Well, the push-back has begun against USA government surveillance programs. Gigaom reported:

"The so-called Safe Harbor agreement that allows U.S. web firms to take on customers in the European Union is in deep trouble. EU Justice Commissioner Viviane Reding has launched a review of the deal, and on Wednesday it emerged that data protection watchdogs from around Germany have urged Chancellor Angela Merkel to push for its suspension, due to NSA surveillance fears."

The Safe Harbor agreement allows U.S.-based tech companies to operate in Europe by "self-certifying" that they comply with European privacy laws, which are more strict than laws in the USA. Reportedly, several tech companies -- Facebook, Google, Microsoft, and AOL -- have claimed compliance with European Safe Harbor laws:

"Privacy officials at the European level argued more than a year ago that self-certification was a bad way of ensuring compliance, but the PRISM scandal has, to a large extent, rendered that argument moot... Frankly it now looks like the whole system is in tatters..."

Also, modest crowds protested on Saturday July 27 in about 30 cities in Germany. The protesters used the "Stop Watching Us" slogan, and circulated petitions. Online petitions seemed to have generated more participation in Germany.

Do U.S. government officials really believe that there would not be any negative (unintended) consequences for its extensive surveillance programs with NSA code embedded in commercial software products and services? Do U.S. government officials really believe that there would not be any negative consequences for mass surveillance of our European allies? It has undermined our allies' trust in the USA.

Hackers Arrested In Large Identity Theft Ring That Stole 160 Million Cards

Yesterday, the U.S. Attorney's Office in New Jersey announced the indictment of five persons for operating a worldwide data breach and hacking ring that stole information about more than 160 million credit and debit cards, resulting in losses of hundreds of millions of dollars. The theft and fraud ring targeted financial institutions and companies, including alleged:

"... attacks on NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard."

How the theft ring operated:

"The five men each served particular roles in the scheme. Vladimir Drinkman, 32, of Syktyykar and Moscow, Russia, and Alexandr Kalinin, 26, of St. Petersburg, Russia, each specialized in penetrating network security and gaining access to the corporate victims’ systems. Roman Kotov, 32, of Moscow, also a hacker, specialized in mining the networks... The hackers hid their activities using anonymous web-hosting services provided by Mikhail Rytikov, 26, of Odessa, Ukraine.  Dmitriy Smilianets, 29, of Moscow, sold the information stolen by the other conspirators and distributed the proceeds of the scheme to the participants. Kalinin and Drinkman were previously charged in New Jersey as “Hacker 1” and “Hacker 2” in a 2009 indictment charging Albert Gonzalez, 32, of Miami, in connection with five corporate data breaches – including the breach of Heartland Payment Systems Inc.,..."

Drinkman and Smilianets were arrested in the Netherlands on June 28, 2012. Smilianets was extradited to the USA on Sept. 7, 2012. The other three defendants are still at large. Four defendants are Russian citizens. Rytikov is a citizen of Ukraine. The number of 160 million cards stolen is an estimate, and could be higher.

Additional information from the announcement:

"The five defendants conspired with others to penetrate the computer networks of several of the largest payment processing companies, retailers and financial institutions in the world, stealing the personal identifying information of individuals. They took user names and passwords, means of identification, credit and debit card numbers and other corresponding personal identification information of cardholders."

Thanks to the several federal agencies involved in pursuing and capturing these defendants.

To me, this case is another example that identity-theft thieves and fraudsters are smart, creative, organized, and persistent. The days of the lone hacker are gone. Identity thieves target firms they believe are vulnerable. Identity thieves go where the money is.

I find this case highly interesting, as both Global Payments and Heartland experienced massive breaches previously. That the hackers targeted these and other payments processors means that all of these firms' computer systems are still vulnerable, despite executives' claims otherwise.

How The FISA Court Undermines the Public's Trust

Here is a brief and easy-to-understand explanation of how the FISA court undermines (or destroys) the public's trust in government:

"When judges make the laws, Congress can always go back and remake the laws. The changes the court makes are public, and so is their reasoning. Both the voters and Congress know what the court has done, and can choose to revisit it... The Foreign Intelligence Surveillance Court (FISA court) that governs the national surveillance state is also remaking the law. But it’s remaking the law in secret. The public has no opportunity to weigh in, and Congress can’t really make changes, because few know what the court is deciding, and almost no one can discuss the decisions without endangering themselves."


"... the FISA court quietly reinterpreted the language of the PATRIOT Act so the word “relevant” — which governs the information the government can scoop up — no longer means, well, 'relevant.' It means 'yeah, sure, whatever you want.' "

To me, that sounds like truly activist (and unaccountable) judges at work.

To summarize, we have a secret court, secret laws, secret processes, and secret operations. Learn more about the current surveillance state:

Study: Employees Face Huge Difficulties Collecting Unpaid Wages From Employers

Late in June 2013, the National Employment Law Project (NELP) released the results of a study about wage theft in America. The NELP press release stated key findings from the study:

"Over 83 percent of workers in California are unable to hold employers accountable and recover their unpaid wages after receiving a legal judgment in their favor... The study... exposes the challenges that workers face in collecting wages owed from their employers—even after state authorities rule in the workers’ favor and order employers to pay... The first of its kind, the study finds that the majority 60 percent of businesses found liable for unpaid wages ultimately suspend, forfeit, cancel or dissolve their businesses, making it more difficult for employees to collect the wages they are owed."

The study, "Hollow Victories: The Crisis in Collecting Unpaid Wages for California’s Workers" (Adobe PDF; 422K bytes) was produced by the National Employment Law Project (NELP) and the UCLA Center for Labor Research and Education. The researchers performed a detailed, comprehensive analysis of records from 2008 to 2011 released by the California Division of Labor Standards Enforcement (DLSE). The researchers also interviewed 50 workers in California who had attempted to collect unpaid wages through legal methods. The NELP is a non-partisan, not-for-profit organization that conducts research and advocates on issues affecting low-wage and unemployed workers.

Wage theft is:

"... paying workers less than the minimum wage or agreed-upon wage, requiring employees to work “off the clock” without pay, failing to pay overtime, stealing tips, illegally deducting fees from wages owed, or simply not paying a worker at all. Pay violations are shockingly high in low-wage industries... retail, restaurant and grocery stores; domestic work and homecare; manufacturing, construction, and janitorial services; car washes, and beauty and nail salons..."

Interviews with employees revealed even more ways employers practice wage theft:

"... employers paid them with invalid checks with insufficient funds; other employers simply stopped issuing workers their paychecks at all because the company had run out of money. Other employers would fail to pay their workers, and when pressed, would break promises to pay at a later date. Still other employers forced workers to record fewer hours than actually worked on their timesheets, or failed to pay for overtime. More often than not, workers reported that patterns of wage theft occurred over a lengthy period of time, lasting months or even years."

The wage theft affects everyone, not just employees:

"... the state loses valuable revenue in payroll taxes... In a sense, taxpayers are subsidizing unscrupulous and law-breaking behavior by these employers. Wage theft hurts communities and other businesses that abide by the law. Unpaid wages also means that fewer dollars circulate to local businesses, stunting economic recovery, depressing employment by small businesses, limiting local sales tax collections, and diminishing opportunities for local economic development. Even other businesses are hurt; when responsible employers must compete with unscrupulous employers..."

Besides wage theft, employees experienced several hardships. After reporting wage theft to authorities, many employees experienced retaliation by employers:

"... Several workers reported that their employers lowered wages, fired them, or threatened to call the police or immigration enforcement after learning that workers had filed a wage claim or lawsuit. These reports echo prior data on retaliation against low-wage workers: the same national study found that 43 percent of workers who made a complaint or attempted to form a union experienced one or more forms of retaliation."

Additional hardships:

"The lengthy duration of the wage claim and collections process, including the DLSE process and private lawsuits, caused severe economic distress on workers and their families... Several workers reported going without food or medicine and difficulty in paying bills and rent as a result of unpaid and uncollected wages."

Detailed findings from the report about unpaid wage collections by employees:

"... workers recovered only 42 percent, or $165 million of approximately $390 million in total wages verified as owed by the DLSE. This figure includes amounts agreed to in settlement and after judgment.

Only 17 percent of California workers who prevailed in their wage claims before the DLSE and received a judgment were able to recover any payment at all between 2008 and 2011.

Although the DLSE issued awards for unpaid wages of more than $282 million between 2008 and 2011, workers were able to collect a mere $42 million—roughly 15 percent—of those awards from their employers. Our research also finds that workers who try to enforce DLSE judgments for unpaid wages often find that their employers have disappeared, hidden assets, or shut down operations and reorganized as a new entity.

Employers who did not pay their workers, refused to settle, were found by DLSE to owe wages, and then became subject to a court judgment were more likely than not to have suspended, forfeited, cancelled, or dissolved business status within a year of the wage claim.

In 60 percent of cases where judgments were issued against business entities by the DLSE, employers who were found to owe their workers for unpaid wages were also found to be “non-active” business entities by the California Franchise Tax Board or the California Secretary of State. “Non-active” businesses include those that have forfeited, cancelled, or dissolved status. In 24 percent of all cases, employers were found to be non-active before the DLSE was able to issue its finding."

The researchers looked at several tools available to employees, such as a post-judgement lien, a mechanic's lien, collection agencies, and collection by the DLSE. The researchers concluded:

"A stacked deck: current collections tools are inadequate for victims of wage theft"

Why employees have huge difficulties collecting unpaid wages with the current set of collections tools:

  • The collections process for available tools is complicated and expensive
  • Some businesses have few assets and/or no property to collect from
  • Some businesses have hidden their assets or closed to re-organize under a different name

The researchers also compared findings about California to findings:

"... released by the Wisconsin Labor Standards Bureau, Wisconsin Department of Workforce Development, and Wisconsin Department of Justice... We examine Wisconsin data, as the state has the oldest and one of the most extensive wage lien programs in the country."

Some comparisons between California and Wisconsin:

"In Wisconsin, which does not have an administrative hearing process for wage claims, 80 percent of suits to enforce the wage lien result in some payment of unpaid wages for the worker. In cases where wage liens are used to recover unpaid wages for a worker, workers recover 25 percent of the amount found to be owed, more than 1.5 times more than in California."

Some states have laws allowing employees to attach wage-liens against an employer's property, but many don't or the laws are limited to certain industries:

"Many states have wage lien laws in some form, providing good experience and success with this mechanism, including Georgia, Idaho, Maryland, New Hampshire, Texas, and Wisconsin. Alaska, Pennsylvania, Washington, and Florida allow wage liens for specific industries, and Tennessee and Indiana allow wage liens for corporate or partnership employers."

The researchers concluded:

"The good news is that other states have enacted policy solutions that encourage prompt settlement and promote efficiency in their wage collections process. For example, states like Wisconsin that have enacted laws that authorize the worker to impose a lien on the employer’s property in cases involving unpaid wage have higher rates of collection for wage theft... California and other states around the country can provide more effective legal tools, such as wage liens... to increase efficiency in the enforcement of judgments for unpaid wages."

What does all of this mean? Several things:

  • Employees experiencing wage theft must know the laws in their state
  • Employees have a better chance to collect unpaid wages in states that allow workers to attach a lien on the employer's property
  • Some ethics-challenged executives won't hesitate to not pay employees all of the wages they've worked for and earned. Others will conveniently look the other way and not challenge the wrong-doing they see.
  • Many ethics-challenged executives use what I call a cut-and-run strategy to avoid paying debts: close the business and re-organize under a different company name
  • Despite state laws, these ethics-challenged executives are not being held accountable
  • If ethics-challenged executives already use a cut-and-run strategy in California, then executives in other states are probably practicing the same wage-theft habits
  • Ethics-challenged executives will probably practice the same wage-theft behavior on skilled, higher-paid employees, not just unskilled, low wage earners
  • Ethics-challenged executives will likely practice the same wage-theft behavior on individuals working as independent contractors or freelancers

What's your opinion about wage theft? Is it getting better or worse? What about the laws in your state?

HR 2414 IH: The Black Box Protection Act, Or Your Car Is Tracking You

In December 2012, the National Highway Traffic Safety Administration (NHTSA) proposed new rules requiring manufacturers to install event data recorders (EDRs, often called "black boxes") in all cars weighing less than 8,500 pounds and motorcycles built on or after September 1, 2014. The new rules supposedly are for safety reasons. Transportation Secretary Ray LaHood said:

"By understanding how drivers respond in a crash and whether key safety systems operate properly, NHTSA and automakers can make our vehicles and our roadways even safer..."

About 96% of passenger cars and light-duty vehicles built for 2013 are already equipped with EDRs. Auto manufacturers have voluntarily included EDRs. EDRs can collect data about several types of crashes: front, rear, side, and rollover crashes.

The NHTSA announcement mentioned a partial list of data elements collected by EDRs:

  • vehicle speed;
  • whether the brake was activated in the moments before a crash;
  • crash forces at the moment of impact;
  • information about the state of the engine throttle;
  • air bag deployment timing and air bag readiness prior to the crash; and
  • whether the vehicle occupant's seat belt was buckled.

The announcement also stated:

"... the EDR data would be treated by NHTSA as the property of the vehicle owner and would not be used or accessed by the agency without owner consent."

Most people are familiar with black boxes used in commercial airplanes. After a crash, officials search and recover the black boxes to learn exactly what happened, and to determine the cause of the airplane crash. Well, it works for airplanes. So, it'd be a good idea for cars too, right? What could be wrong with improved auto safety?

Think of an EDR as a mobile computer attached to your car. Like any other computer, it has memory to save data and some computational capabilities. In this instance, the EDR accepts inputs from your car's engine, brakes, speedometer, air bags, seat belt restraint systems, and bumpers.

In a recent news report, NBC News said:

"The boxes have long been used by car companies to assess the performance of their vehicles. But data stored in the devices is increasingly being used to identify safety problems in cars and as evidence in traffic accidents and criminal cases. And the trove of data inside the boxes has raised privacy concerns, including questions about who owns the information, and what it can be used for, even as critics have raised questions about its reliability... to consumer advocates, the data is only the latest example of governments and companies having too much access to private information. Once gathered, they say, the data can be used against car owners... consumer advocates say, government officials have yet to provide consistent guidelines over how the data should be used."

The NHTSA maintains a website with research about EDRs. The Insurance Institute For Highway Safety (IIHS) operates a website (updated in February 2013) with answers to common questions about EDRs. The IIHS site also provides a more complete list of data elements collected by EDRs. If you want to see the detailed lists of data elements collected under various conditions, see the 49 Code of Federal Regulations Part 563 regulations dated July 9, 2013.

Well, there still seem to be privacy issues and too many unanswered questions.

1. The announcement includes two instances of conflicting information. The announcement includes both the above list of data elements collected and the following statement:

"EDRs do not collect any personal identifying information or record conversations and do not run continuously."

What? First, in order to make the data meaningful, EDRs have to record the make and model of the vehicle, plus a time stamp with the date and time. That data can easily identify the vehicle owner or driver. Without make and model, the NHTSA won't know which makes and vehicle models to focus upon when reviewing aggregate data for possible fleet-wide solutions.

Second, the announcement claims to not collect data continuously, but it does collect speed. The collection of speed data must be continuous since the EDR won't know beforehand when a crash will happen. If it only collects speed data at or after the point of impact, then the data seems far less meaningful and reliable. The same applies for braking data.

2. The program announcement is incomplete. It did not list the meta data collected. For the NHTSA to effectively use the aggregate data collected, meta data is required. I've mentioned above four types of meta data: make, model, date, and time. There are plenty more data elements.

3. The program announcement is incomplete. It does not address data security and retention. Where will NHTSA save the data collected? How will data transmission from EDRs to NHTSA computers be protected? Will it be encrypted? How long will EDRs save the data collected? How long will NHTSA computers save the data collected?

4. The program announcement is incomplete. It does not address data sharing and privacy. What other government agencies and corporations will the NHTSA share the data with? One can easily imagine scenarios where auto dealers, insurance companies, and others would love access to consumers' EDR data. Claiming the NHTSA won't use the data without the vehicle owner's consent is not enough. A complete privacy policy would outline the government agencies and companies the NHTSA would share the data with.

Obviously law enforcement agencies (federal and local) would love to access the data collected by EDRs. So would spy organizations like the NSA.

5. Important details seem to vary greatly and are dependent upon state laws -- which aren't necessarily consumer-friendly. What happens when a vehicle is sold, stolen, or crashed beyond repair? In these instances, what are the rights and responsibilities of the vehicle owners? According to an Edmunds news report:

"In most states, the current vehicle owner, or their legal representative, can give or withhold permission to download EDR data... Courts can subpoena EDR data through court orders and some states collect data under their existing laws governing crash investigations.... It's an extremely complex area... auto insurance policies can contain an "Agreement to Cooperate" clause. Such language allows an insurer access to EDR data if it wants it. However, some states have statutes that override these provisions... When a vehicle is sold, the EDR data becomes the property of the new owner... if a car is in a crash and is deemed a total loss by an insurance company, the insurer now owns the vehicle. The insurance company can then access the data on the EDR and could possibly use it in legal proceedings against the former owner..."

6. Can data collection consent by the owner be revoked? In this instance, what happens to data saved by the NHTSA?

7. Since data collected by an EDR would be the property of the owner of the vehicle in which that EDR is installed, can the vehicle owner download data from their vehicle's EDR? If not, why not?

8. How will compliance be performed? The compliance issues I see:

  • That EDRs operate as promised
  • That the NHTSA does not collect data from vehicle owners that don't provide consent
  • That the NHTSA performs adequate data security for data collected

I am sure that there are more issues.

9. How are vehicle owners protected against abuses using the data collected?

In response to the NHTSA rules, several Congressional House representatives proposed in June 2013 the Black Box Privacy Protection Act (HR 2414):

"To require automobile manufacturers to disclose to consumers the presence of event data recorders, or `black boxes', on new automobiles, and to require manufacturers to provide the consumer with the option to enable and disable such devices on future automobiles."

First, congratulations to Representatives Michael Capuano (D-MA) and Frank Sensenbrenner (R-WI) for taking the lead on consumer privacy by introducing HR 2414. It is a good first step. The proposed bill has been sent to a committee for further discussion.

The bill allows auto dealers to access EDR data for diagnosing, servicing, or repairing vehicles. How will data usage be limited to these activities? Other systems (e.g., OnStar by GM) in cars send out notifications after a crash. What EDR data elements do these systems access, save, and transmit?

I'd like to see the proposed bill strengthened beyond simply requiring auto manufacturers to notify consumers that their car has an EDR:

  • Requirements for auto manufacturers to provide consumers with privacy policies before and after auto purchase (or rental) that describe the data collected, shared, and retained by EDRs,
  • Clear opt-in mechanisms and consent for consumers to authorize the NHTSA with data collection,
  • More protections for consumers regarding abuses, lack of privacy policy notification, and unauthorized data sharing,
  • Clarification of rights and responsibilities (for consumers, the NHTSA, and auto manufacturers),
  • A complete listing of metadata collected

EDRs are another example of technologies that facilitate the collection of data about consumers by governments; data that is ripe for sharing and abuse. Other examples include utility smart meters, drones, automated license plate readers, and mobile devices. This trend makes it imperative for consumers to demand privacy protections and policies from governments and vendors.

What is your opinion of EDRs? Of the Black Box Privacy Protection Act?

Survey: A Growing Ethics Problem On Wall Street And In Banks

Last Tuesday, the law firm of Labaton Sucharow announced survey results about ethics, executive misconduct, and the role of regulators in the financial services and banking industry. The survey, part of the "Wall Street In Crisis: A Financial Storm Looming" (Adobe PDF) report, concluded:

"A particularly troubling and consistent finding from our survey is what the future holds for Wall Street. Many of the young professionals who will one day assume control of the trillions of dollars that the industry manages have lost their moral compass, accepted corporate wrongdoing as a necessary evil and fear reporting misconduct. This is a ticking economic timebomb that responsible organizations must immediately defuse."

Some detailed results from the survey:

"Despite the many reforms put in place in the wake of the financial crisis, only 36% of respondents felt that Wall Street has changed for the better since Dodd-Frank’s passage in 2010. More than half of respondents–52%–felt it was likely that their competitors have engaged in unethical or illegal activity to gain an edge in the market; 24% felt employees at their own company likely have engaged in misconduct to get ahead. Misconduct is still widespread... 23% of respondents indicated that they had observed or had firsthand knowledge of wrongdoing... 26% believed the compensation plans or bonus structures in place at their companies incentivize employees to compromise ethical standards or violate the law... 28% of respondents felt that the financial services industry does not put the interests of clients first."

According to the survey, younger professionals were more likely to know about, accept and participate in illegal or unethical behavior than older workers:

"... 24% of financial services professionals likely would engage in insider trading to make $10 million... if they wouldn't get arrested. That figure surges to 38% for individuals with 10 years or less in the industry."

Perhaps most importantly, bad executives don't act alone or unseen:

"... there are always witnesses. Indeed, 23%–more than one in five professionals–have personally observed or have first-hand knowledge of wrongdoing in the workplace. The data suggests that the longer you work in the financial services sector, the more you’ll see: 29% of professionals with more than 20 years’ experience have observed or have firsthand knowledge of misconduct, a full 9 percentage points higher than those with 10 years or less in the field."

Regarding regulators, the survey found (links added):

"... 62% of financial services professionals felt the SEC is an effective watchdog and 57% felt that FINRA is effective. Despite the encouraging 89% of financial services professionals who indicated a willingness to report wrongdoing given the protections and incentives such as those offered by the SEC Whistleblower Program, 40% of respondents were still unaware of the SEC’s Whistleblower Program."

Despite the whistle-blower protections, Wall Street workers fear retaliation (emphasis added in bold):

"Given the pressure to perform and a concerning lack of faith in leaders to address criminal activity... 24% of respondents felt their employers would likely retaliate if they were to report wrongdoing in the workplace. This astonishing figure is a full 9 percentage points higher than our 2012 survey... 36% of female respondents believing that they would be retaliated against... compared to 17% of male respondents... 32% of professionals with 10 years or less experience would fear retaliation, which represents a 21 percentage point increase over those with more than 20 years’ experience..."

So, things are getting worse, not better.

The survey, conducted June 18 to 27, 2013, was part of the "Wall Street In Crisis: A Financial Storm Looming" (Adobe PDF) report. Labaton Sucharow commissioned ORC International to conduct the survey, which included 250 respondents ages 18 years or older who work in the financial services industry as traders, portfolio managers, investment bankers, hedge fund professionals, financial analysts, investment advisors, asset managers, and stock brokers.

This is the second survey by Labaton Sucharow, which often represents SEC whistle blowers. Read about the firm's 2012 survey.

The EFF And Several Organizations Demand That The U.S. Government Allow Greater Transparency For Internet Companies

Yesterday, the Electronic Frontier Foundation (EFF) and a broad group of civil liberties advocates and companies sent a letter to the U.S. Government demanding that Internet companies be allowed to disclose more about the government's requests for data about consumers and online users. The EFF announcement stated, in part:

"... no company has been allowed to reveal to users or in transparency reports complete information about National Security Letters, Section 702 FISA requests, and Section 215 business records requests."

The companies want to be able to share the following data elements about the above types of requests by the government:

  • the number of requests the provider has received
  • the number of users or accounts affected by the requests, and
  • the number of times the provider contested the request.

The letter was sent to the President, senior executives in the intelligence community, the Justice Department, and leaders in both the House of Representatives and Senate. Some of the associations and civil liberties advocacy groups that signed the letter include the ACLU, the American Library Association, the Center for Democracy & Technology, the Center For Effective Government, FreedomWorks, Human Rights Watch, and Reporters Without Borders. Some of the Internet companies that signed the letter include Apple, Dropbox, Facebook, Google, LinkedIn, Microsoft, Twitter, and Yahoo.

Read the Joint Transparency Letter at the EFF website.

Soldiers Abused By Pentagon Payroll System Errors

If you haven't read it, there is a report by Reuters about impacts of payroll errors upon military personnel and their families. The investigation found widespread payroll errors. Some of the errors reported:

  • Too much withheld from pay as payments for supposed debts, without notice and without explanations
  • Pay errors (e.g., too much, too little) affected both active-duty and discharged soldiers
  • Some soldiers (e.g., deserters) received pay they were not entitled to
  • Active-duty personnel both in war zones and state-side in rehabilitation hospitals have been affected
  • Soldiers must wait weeks or months for the errors to be corrected
  • The payroll system does not seem to be in compliance with Congressional laws mandating annual audits

The Defense Finance and Accounting Service (DFAS), with a $1.36 billion budget and 12,000 employees, is responsible for paying 2.7 million active-duty and reserve military personnel. A December 2012 report by the Government Accountability Office (GAO) concluded that the U.S. Army has no way to ensure its soldiers are paid correctly. The GAO report stated:

"A soldier who separated from the Army in 2009 continued to receive active duty pay totaling about $185,000 until 2011. A soldier who was absent without leave from January 2010 to September 2011 received military pay of $33,268 to which she was not entitled. A soldier under investigation for possible fraud allegedly received over $34,000 in paratrooper and language proficiency pay but did not have a documented record of jumps performed or up-to-date proficiency certifications.... an Army National Guard colonel deployed on active duty to Afghanistan reported that he experienced financial hardship when his military pay was stopped for 1-1/2 months."

The GAO report also found:

"... DFAS and the Army have procedures and metrics in place that focus on the timeliness of manual processing and payroll adjustments for error corrections. However, they do not have procedures and metrics to enable them to gather data on active duty pay errors that were related to causes other than timeliness, such as over- and underpayments, data entry errors, and unauthorized payments. Further, the design of existing Defense Joint Military Pay System-Active Component and DFAS-IN Case Management System procedures for transaction processing and error correction did not provide for monitoring to capture data on all types of pay errors and their causes... The absence of data on the extent and causes of all types of Army active duty military payroll errors impairs the Army's ability to identify and address any adverse trends..."

The GAO report concluded:

"... the control deficiencies that GAO identified increase the risk that the nearly $47 billion in reported fiscal year 2011 Army active duty military payroll includes Army service members who received pay to which they were not entitled and others who did not receive the full pay they were due.... to the extent that errors in Army active duty pay are not identified and addressed in a timely manner, they can have a negative effect on soldier welfare and, ultimately, could erode soldiers' focus on their Army mission."

This is truly a "mugging" of military personnel. It's tough enough to fight the enemy on the battlefield. Military personnel should not have to also fight their government at the same time.

Military personnel and their families should not have to experience this wage abuse. Officials in the Pentagon need to be held accountable, and lose their jobs if this situation continues. Contact your elected officials today and demand this be fixed immediately.

11 Dangers To Personal Information

[Editor's Note: I am pleased to present in today's post the press release below by ID Experts.]

PORTLAND, Ore. — July 10, 2013 — The security of personal information is at greater risk now than a decade ago. Financial identity theft and medical identity theft—with life-threatening implications—are impacting millions of people. In fact, experts estimate that an identity is stolen every three seconds. The infographic, Is Your Information Safe?, provides a snapshot of identity theft and data breach over the last decade. According to leading experts, global networks and use of advanced sinister technologies are expected to escalate, threatening consumers’ information:

1. Global criminals. Criminals are now globally connected and increasingly part of organized crime rings.
-- Rick Kam, president and co-founder, ID Experts

2. Undetected hackers. Advanced persistent threat (APT) is when hackers gain access to a company’s network and remain there undetected for a long period of time.
-- James Christiansen, chief information risk officer, RiskyData

3. Malicious attackers. Hacktivists have an advantage over today’s corporate data.
-- Dr. Larry Ponemon, chairman and founder, the Ponemon Institute

4. Data breaches affect everyone and everything. Breaches affect large and small businesses of all kinds, regardless of sophistication, and high- and low-tech information.
-- Kirk Nahra, partner, Wiley Rein, LLC

5. Electronic breaches are infinite. Electronic health information can be stolen from anywhere in the world, distributed to an infinite number of locations for an infinite period of time and can cause limitless damage for an unlimited period of time.
-- James C. Pyles, principal and co-founder, Powers Pyles Sutter & Verville PC

6. More devices, science fiction type-technologies, to digitize personal data. Drones, utility smart meters, automated license plate readers, and more powerful facial recognition software—all used to collect and digitize consumers' sensitive personal data—are on the horizon, and will force consumers to demand better privacy protections.
-- George Jenkins, editor, I’ve Been Mugged

7. The Insider Threat. Dishonest and poorly trained employees pose one of the greatest threats to consumers' personal information; it's much easier to do damage once inside the castle.
-- Philip L. Gordon, shareholder, Littler Mendelson, P.C.

8. Data cannot be protected. The rate of exposure for personally identifiable information is now so great, we must concede that the data itself is no longer able to be protected.
-- Anthony M. Freed, community engagement coordinator, Tripwire Inc.

9. Bring Your Own Device (BYOD). More employers are allowing employees to utilize their own personally-owned mobile devices for work. While this can increase productivity and convenience, it introduces several potential data security threats.
-- Joanna Crane, senior consultant, Identity Theft Assistance Center

10. Data breaches involving sensitive consumer information have become the new normal. Consumers must play an active and long-term role in the privacy and security of their personal information and regularly monitor their financial account statements, credit reports and healthcare explanation of benefits.
-- Robin Slade, development coordinator, Medical Identity Fraud Alliance (MIFA) and president & CEO,

11. The Surveillance Economy. With technologies such as Google Glass that can record video without anyone's knowledge or approval, we are always on candid camera. Combine that with location-based tracking on our mobile devices and suddenly privacy seems to be an outdated concept.
-- John Sileo, privacy evangelist and CEO of The Sileo Group

“Identity theft will not go away, until the issue of identity is solved,” said Robert Siciliano, CEO, IDTheftSecurity and personal security and identity theft expert. “‘Identity-proofing’ consumers involves verifying and authenticating with numerous technologies, and the flexibility of consumers to recognize a slight trade-off of privacy for security.”

About ID Experts

ID Experts delivers complete data breach care. The company's solutions in data breach prevention, analysis and response are endorsed by the American Hospital Association, meet regulatory compliance and achieve the most positive outcomes for its customers. ID Experts is a leading advocate for privacy as a contributor to legislation, a corporate and active member in both the IAPP and HIMSS, a corporate member of HCCA and chairs the ANSI Identity Management Standards Panel PHI Project. For more information, join the LinkedIn All Things HITECH discussion or All Things Data Breach; follow ID Experts on Twitter @IDExperts; and visit


Media Contacts:

Kelly Stremel or Lisa MacKenzie
MacKenzie Marketing Group
Phone: 503-225-0725

To Learn More About Prepaid Cards, Try The 'Ask CFPB' Service

Last year, the Consumer Financial Protection Bureau (CFPB) launched its "Ask CFPB" service with answers to frequent questions by consumers. I visited the website to see what it said about prepaid cards.

The Prepaid Cards section of Ask CFPB provides basic answers to these and other key questions:

  • What is a prepaid card?
  • What is a payroll card?
  • What is the difference between a debit card and a prepaid debit card?
  • What are some of the main types of prepaid cards?
  • If my employer offers me a payroll card, do I have to accept it?

Some prepaid cards are "closed-loop" and some are "open-loop." For example, gift cards from Dunkin' Donuts, The Old Spaghetti Factory, Starbucks, or Barnes & Noble are closed-loop cards -- usable only at each retailer's stores. Open-loop prepaid cards (GPR) can be used in many retail stores, like traditional debit cards and credit cards. The prepaid cards for some public transit systems (e.g., subways, buses, commuter trains) are closed-loop, and others are open-loop. As another example, the AAA Prepaid Card is an open-loop card when its prepaid features are activated. It's important for consumers to remember that while open-loop GPR prepaid cards may look like traditional debit cards, they aren't the same, because the regulations, disclosures, and consumer rights differ.

You can browse on your own the answers about prepaid cards at the "Ask CFPB" website, so I won't repeat the answers here. If you have a problem, you can submit a complaint at the CFPB website. However, if you want to know more than the basic answers, keep reading.

Consumers should know that prepaid cards are huge revenue generators for banks and card issuers. The cards represent a fast-growth opportunity, as the CFPB highlighted in a 2012 announcement:

"According to a 2009 FDIC study, 9.7 percent of all households used these prepaid cards. Mercator Advisory Group reports that the prepaid market totals $57 billion and is expected to grow at a rate of 42 percent per year from 2010-2014. The two largest prepaid card program managers have reported a jump from 3.4 million active cards in 2009 to over 7 million this year. It is projected that the total dollar amount loaded onto prepaid cards will hit $167 billion in 2014... The largest prepaid card program manager in the United States reported that funds directly deposited onto its prepaid cards increased by nearly 70 percent from 2010 to 2011..."

In 2012, the CFPB noted some of the key issues about some prepaid cards (bold emphasis added):

"Fees and Terms Disclosure: The lack of an industry-wide standard on prepaid card fee disclosure may make it difficult for consumers to understand the cost of the product or compare fees. Often, consumers do not know what protections or fees come along with their prepaid cards prior to purchase because such disclosures are contained inside the packaging... Consumers should also know whether or not their funds are protected by FDIC insurance..."

"Unauthorized Transactions: Federal regulations require that credit and debit card issuers limit consumers’ liability when their cards are used without their authorization. These regulations do not extend to prepaid cards. Many prepaid card issuers voluntarily offer this protection, but it is not standard across the industry..."

"Product Features: Most prepaid cards do not offer any credit features. In general, cardholders may not be able to withdraw or spend more than the funds loaded on their cards. However, some prepaid cards allow their cardholders to overdraw their accounts, and some offer small-dollar loans or a line of credit. Similarly, very few prepaid cards have a savings account. Even though such savings accounts typically have high interest rates, consumers do not seem to take advantage of the opportunity to save. Another feature is that of credit repair, which claims to offer consumers the opportunity to improve or build credit..."

To better understand GPR prepaid cards, I also read the CFPB's "2012 Advance Notice of Proposed Rulemaking" (a/k/a ANPR - Adobe PDF) document:

"... Some [prepaid] cards are “closed-loop cards,” which a consumer can use only at a specific merchant or group of merchants. Other cards are "open-loop cards," which a consumer can use anywhere that accepts payment from a retail electronic payments network, such as Visa, MasterCard, American Express, or Discover..."

The ANPR document explained:

"Many, but not all, GPR card accounts are insured by Federal Deposit Insurance Corporation (FDIC) pass-through insurance (coverage that "passes through" the agent to the holders of the accounts). Other GPR cards may provide alternative security mechanisms, but do not offer FDIC pass-through insurance..."

Why buy a prepaid card without that protection for your money? If you didn't know before, you know now to shop for GPR prepaid cards with that protection. And, I bet you will, provided the prepaid card's exterior packaging includes these disclosures. Obviously, a GPR prepaid card with FDIC insurance protections is more valuable than a card without that protection. Wise consumers want their money protected.

Last week, the CFPB announced:

"We are also expecting to build on an Advance Notice of Proposed Rulemaking that we published last year concerning prepaid cards, by developing a proposed rule to strengthen federal consumer protections for these products."

I look forward to reading later this year the CFPB's updated rules about prepaid cards, even though the agency did not seek feedback in 2012 about (closed-loop) gift cards, payroll prepaid cards, and electronic benefits transfer (EBT) prepaid cards. Given recent news stories about payroll prepaid cards, consumers need improved disclosures to avoid losing choice and getting "mugged" with undisclosed fees.

Many consumers consider switching to GPR prepaid cards to avoid overdraft fees with debit cards attached to traditional checking accounts. Is this wise? Only you can decide for yourself as you know your lifestyle and finances best. Do your research first.

Wise consumers understand their rights and responsibilities before buying any prepaid card. It is wise to shop around and compare first, so you don't get "mugged" by other fees. Both CNN Money and Consumer Reports found a wide variety of fees when they investigated prepaid cards: activation fees, monthly fees, reload fees, cash withdrawal fees, inactivity fees, online payment fees, paper statement fees, customer service phone call fees, and more.

If you need to build your credit history, then a prepaid card may not be right for you. Wise consumers do the research first to determine whether a prepaid card fits their lifestyle and spending habits. Read this FDIC comparison between debit cards, credit cards, and prepaid cards. For me, a GPR prepaid card does not meet my needs. I neither buy nor use GPR prepaid cards, unless they are a gift from a family member or friend.

What's your opinion of prepaid cards?

Operating System Software For Android Mobile Devices Includes NSA Code

While you have probably been busy during the past couple of weeks with work, vacation, and/or celebrating the July 4th Independence Day holiday, there have been some interesting developments regarding government surveillance programs and familiar high-tech firms. BusinessWeek reported on July 3 that:

"Google spokeswoman Gina Scigliano confirms that the company has already inserted some of the NSA’s programming in Android OS... Through its open-source Android project, Google has agreed to incorporate code, first developed by the agency in 2011, into future versions of its mobile operating system, which according to market researcher IDC runs on three-quarters of the smartphones shipped globally in the first quarter. NSA officials say their code, known as Security Enhancements for Android, isolates apps to prevent hackers and marketers from gaining access to personal or corporate data stored on a device."

The explanation the NSA gave for its code in the Android operating system (OS):

"Improve our understanding of Android security."

Experts say the NSA code has been reviewed by peers and is not devious in any manner. Is this accurate? There don't seem to be any rules that the code will remain unchanged, or that Android device users will be notified of any changes.

Really? That's all? Nothing else? Are we to believe the NSA at its word? I find this explanation difficult to believe given some less than truthful statements recently by an NSA representative to the U.S. Congress. When they lie, they break trust with the public. If they will lie to the U.S. Congress, they will definitely lie to journalists and to citizens. I expect the NSA will continue to do what it does: spy. As a wise person once said, "a leopard does not change his spots."

Like any other consumer (who is not a computer programmer), I am trying to make sense of these revelations and understand what is happening. New disclosures and revelations about government spying seem to happen weekly, like peeling layers off an onion. Perhaps, some programming experts will weigh in on this blog post about the technical aspects. That Google decided to do business with the NSA and include NSA code in the operating system software for its mobile devices, I found very interesting for several reasons:

1. Back in June, we learned that the NSA PRISM program taps into the computing and network systems of several high-tech companies, including Google. At that time, Google said in a statement:

"Google cares deeply about the security of our users' data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government 'back door' into our systems, but Google does not have a back door for the government to access private user data."

I guess one could argue about the meaning of what a "back door" is. They seem to have another back door now.

2. As the article highlights, any devices running the Android operating system (OS) will include this NSA code: smartphones, tablets, televisions, automobiles, and any other mobile devices. I assume the NSA code is in the new Google Glass devices too, albeit that new device has a customized OS. So, that shiny new mobile device you just bought -- the HTC One, the Samsung Galaxy S4, and others -- all include programming code written by the National Security Agency (NSA). I didn't know that. Did you?

3. So, the NSA decided to "enhance the security of Android mobile devices" (that is what the NSA labeled its own code). And, since the NSA gets its funding from your and my tax dollars, it is using public money to enhance the security of the devices made by a private manufacturer. Is this how you want your hard-earned tax dollars spent?

It was really nice of the NSA to donate programming code without asking for any payments or royalties in return. Given the huge federal government deficits and debt, some payments would have been great, but I guess we'll just have to look elsewhere for financial solutions.

4. Vermont Senator Sanders asked what else the government is doing that they haven't told us. Well, we now know that, besides spying, the NSA is also in the mobile device software development business. Is this NSA code in any other companies' mobile devices? And if not, why only Google Android?

While the Google-NSA partnership was explored some in 2010, we now know more. A simple online search found this CNN news story from 1999:

"Microsoft operating systems have a backdoor entrance for the National Security Agency, a cryptography expert said Friday, but the software giant denied the report and other experts differed on it. The chief scientist at an Internet security company said Microsoft built in a "key" for the nation's most powerful intelligence agency to the cryptographic standard used in Microsoft Windows 95, Windows 98, Windows NT4 and Windows2000."

Reportedly, Microsoft assisted the NSA and the FBI with breaking encryption codes, and collecting data from cloud storage servers and Skype phone calls. So, the NSA has been in the commercial software development business for a while.

5. Let's take the NSA at its word, that the code in Android devices is benign and it will help the agency better understand the security of those mobile devices. What exactly might the NSA want to better understand or learn? They could easily buy (if they haven't done already) usage reports about Android users from Google, or from any number of market research firms.

In my business experience, I reviewed, managed, and executed data licensing agreements -- contracts -- with other organizations to share data. Companies enter into these types of contracts to generate revenues and/or to learn more about an industry or groups of users. In some instances, other companies wanted to learn more about my prior employer's industry. Those contracts specified usage reports with a certain frequency (e.g., monthly, quarterly, daily) and certain data elements (e.g., customer name, location, amounts purchased, items purchased, etc.). I must assume that the folks at the NSA are smart and have already purchased usage reports about mobile users directly from market research firms and/or directly from Google. For whatever reasons the NSA has decided to go the next step beyond usage reports to modify OS code to obtain more data directly.

And that data includes everyone who uses Android mobile devices, not just foreign people communicating with U.S. citizens whom the NSA is supposed to target. Readers who are unclear on the scope of geolocation data collected about you by your mobile devices should read this blog post.

In my business experience, that initial contract (e.g., often 5 to 7 years in duration) is usually followed by a more detailed and extensive contract. Simply, after you learn more you can execute a better contract with more data reporting. So, one could conclude that the NSA has even bigger, more extensive plans for Google Android OS mobile devices and other high-tech firms.

6. Given the BYOD ("Bring Your Own Device") trend during the past few years, I'll bet that plenty of CIO, CTO, and C-Suite executives in companies worldwide are now wondering what to do next. Both their companies' servers (e.g., NSA code is embedded in Linux servers, too) and their employees' mobile devices are embedded with NSA programming code. As the BusinessWeek article reported:

"... an information technology consultant in Dublin, says his clients in European governments and multinational corporations are worried about how vulnerable their data are when dealing with U.S. companies. The information security world had been preoccupied with Chinese hacking until recently... With Prism, the same accusations can be laid against the U.S. government..."

One wonders what the unintended consequences will be. How much revenue will Google lose as a result of corporations (and/or governments) rejecting or limiting Android OS usage in their countries? How much revenue will the online and high-tech industries lose because foreign governments and corporations conclude that the NSA has compromised the products and services produced by those industries? Along with the revenue loss, what might other consequences be, such as employment cutbacks and fewer jobs?

And, it no longer seems so surprising that Android smart phones sold in China include a stripped down OS without several Google services (e.g., search, map, Gmail). The Chinese did this partly to promote the growth of the mobile app development and online industries in their country, but you still have to wonder given all of the claims and denials flying back and forth about hacking and spying.

The limitations on Google services with Android OS in China limit Google's revenues. Given the NSA code revelations, what other countries will place tighter controls or bans? Where else might there be negative effects on Google's revenues?

7. There have been plenty of articles in the news media about the really smart, innovative engineers at Google. But, maybe Google really does need beefed-up security given its (poor) history of data breaches, privacy incursions, and reported vulnerabilities:

Overall, there seem to be two over-arching issues:

  1. Trust
  2. 4th Amendment of the U.S. Constitution

Lies break the public's trust. Lies break customers' trust. When a government forces corporations to lie, it breaks the public's trust with both. Perhaps more importantly, a government can't simply ignore or walk away from the Fourth Amendment of the U.S. Constitution:

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

Do you trust the NSA? Do you trust Google? Do you trust your government? And, is this NSA code okay with you? Really?

Hellmann's Recipe Shopping Carts. A Good Program?

Recently, an interactive agency posted an article about the new Hellmann's Recipe Cart used in a grocery store in Brazil. You can follow the link and watch the video about the new shopping carts. (The video is also available on YouTube.) The brand outfitted shopping carts in a grocery store with mobile tablet computers that read the RFID tags (e.g., radio frequency) on grocery items and suggested recipes using Hellmann's brand products. Shoppers can interact with the tablet's screen to browse and select recipes.

Reportedly, the brand partnered with the grocery store and also installed software in the store's cashier machines. Essentially, the new shopping carts:

  • Read RFID tags on items in the shopper's carts,
  • Read RFID tags on nearby grocery items as shoppers walked by,
  • Tracked shoppers' paths within the store, and made suggestions about where in the store shoppers could find recipe items, and
  • Printed requested recipes on shoppers' store receipts

The video and news stories did not discuss what data was collected and transmitted by the new software installed in the cashier machines, nor whether the shoppers were given policy information about the new devices. I could not find any more data about the recipe carts at either the Hellmann's website or the Unilever website, its parent company.

The video and articles cited a 44% increase in sales of Hellmann's products. So, one can assume the data collection and tracking is rather extensive: grocery items purchased, grocery items passed/viewed, preferred shopping paths in the store, item sizes, item prices, shopping dates, coupons used and amounts, payment method, receipt amounts, and perhaps more.

A check of the agency's Twitter stream showed mostly positive comments about the Hellmann's Recipe Carts. People seemed focused on the new technology and not the privacy or data collection aspects:

Twitter comments about Hellmann's Recipe Carts

When I see new technology like this, several questions come to my mind. Early on, many mobile app developers failed to provide consumers with usage and privacy policies. The RFID technology has its own set of privacy issues. So, some questions that must be answered before one can judge this recipe cart program a success or not:

  1. What has Hellmann's done to deserve collecting data about everything in shoppers' carts? To me, the convenience of serving up recipes is not enough to justify Hellmann's knowing everything else I have purchased. Maybe you think it is sufficient justification, but I don't. In today's big-box supermarkets, shoppers can buy a variety of items, including healthcare and medications. Is Hellmann's entitled to this, too? I think not. Also, it is a fair assumption (in the absence of an explicit privacy policy otherwise) that the software in the cashiers' registers transmits data about shoppers' entire purchases, amounts spent, and the recipes printed. This way, Hellmann's learns which recipes are most popular, which Hellmann's products are most popular, and the types/brands of other products used in recipes. If I were a marketer at Hellmann's (or at their interactive agency), I'd want this level of detail so Hellmann's can evaluate the program, segment users, and develop more recipes.
  2. Did the brand or the grocery store present policies to shoppers informing them of the program's usage, privacy, and data collection policies? The above list includes extensive data collection. Just like mobile apps, both usage terms and privacy policies are important here, too. Consumers need to know what data is collected, how long it is retained, how it is protected, and what other companies the collected data is shared with.
  3. Did the grocery store and brand comply with any privacy policies provided to shoppers? If shoppers were not provided with privacy policies, I would want to know why.
  4. Did the brand allow shoppers to not participate, or were the new carts forced upon all shoppers? Remember, the new software was installed in the cashier machines. Also, some people may not eat mayonnaise or simply prefer and use other brands (e.g., generic, organic).
  5. Was the program design based upon opt-in (e.g., shoppers could choose to participate) or opt-out (e.g., everyone is automatically included and given the new carts)? Did the grocery store provide shoppers who didn't want to participate with standard carts, or could the mobile recipe devices be disabled or turned off? Shoppers should have a choice.
  6. What about scanning of other RFID-enabled items in or near shoppers' carts? Many shoppers place their purses or backpacks in their shopping carts. Other RFID-enabled items include credit cards, passports, and other documents. Did the tablets in the Hellmann's Recipe Carts also read these items? If not, what verification is there that the carts didn't read these other items?
  7. What methods does the grocery store use to protect the data security of the new shopping carts? History is littered with multiple data breaches where identity thieves and criminals hacked cashiers' registers or pin-pads in supermarkets; or the unencrypted wireless transmissions by supermarkets.

Of course, brands and retail stores should explore new technologies like this. Some are already including mannequins outfitted with video recording technologies to enable tracking via facial recognition. My points are that retailers should: a) keep consumers and shoppers in charge of their information, b) inform shoppers beforehand of the usage and privacy policies, and c) design programs based upon opt-in. Only after knowing all the answers to the above questions can one judge a program like this a success or not.

What are your opinions of the Hellmann's Recipe Carts?

Geolocation Data. What They Know And Collect About You Via Your Mobile Devices

Most of us have mobile devices: smartphones and/or tablets. As of May 2013, 91% of American adults have cell phones and 56% have smartphones. We all know that our telecommunications service providers collect data about our phone calls (e.g., inbound and outbound) and where we are (e.g., where our devices are) - and where our children are. What exactly is the data collected?

A couple sources highlight the scope and detail of the data collection; in particular the geolocation data, or where you are physically in the world. First, a report by Business Insider Intelligence documents the types of geolocation data collected in decreasing levels of precision:

  1. Fine GPS coordinates: the global positioning coordinates reported by your mobile device (even when your device is turned off). Only 19% of cell phone users have turned off the geolocation tracking features on their devices. When this data is not available, see items #2 through #5.
  2. Cellular tower data: the cellular tower your mobile device communicates with. It's not as accurate, but companies and governments use it.
  3. WiFi hotspot: when you use your mobile device in WiFi mode, this location data is collected. By providing "free" WiFi hotspots, retailers can serve you more and more precise mobile advertisements. (You didn't think that free WiFi hotspot was really free, did you?)
  4. IP address: the Internet address where you connect to the Internet
  5. User reported locations: when you "check in" at a social networking service and tell your friends (and effectively companies and the government) where you are. I have some friends on Facebook who seem to think it's cute to post status messages such as, "At Carl's bed" (name changed to protect an identity). Facebook already knows where you are since your mobile device probably blasted out your GPS coordinates.

Attached to that mobile location data is metadata about that location:

  • The unique identifier of your device(s) (e.g., UDID)
  • The date and time you arrived (or your device first pinged that cellular tower or WiFi server)
  • How long you stayed at that location
  • Any phone calls you made (or received) at that location (e.g., date, time, phone number, call duration) and the location the call ended (if different)
  • Any text messages you made (or received) at that location (e.g., date, time, phone number)
  • Any websites you visited while at that location
  • Any emails you received or sent at that location
  • Any video games or mobile apps you used at that location (assuming the apps communicate and send data to the developer, as most do)
  • Any videos or photos you recorded at that location (e.g., your device saves geo-location data automatically to the metadata with your videos/photos, unless you turn off that feature -- but, social networking websites can re-add this geolocation data often without notice)

Remember, many consumers use their personal mobile devices also for work (e.g., check business email), so the tracking and data collection are even more extensive than simply the collection of personal data.

This should help consumers better understand what companies, marketers, retailers, and the government know about you and your children's physical movements in the world, since most people keep their mobile device with them 24/7/365.

A second source is legal documents, often filed with warrant-less government tracking and/or class-action lawsuits. The American Civil Liberties Union (ACLU), the ACLU of Maryland, the Center for Democracy & Technology, the Electronic Frontier Foundation, and the National Association of Criminal Defense Lawyers filed an amicus brief about United States v. Graham. The amicus brief argued that the Fourth Amendment requires the government to get a warrant first. This case also illustrates both the staggering amount of geolocation data collected, and the data collection methods.

The amicus brief described the data collection methods:

"Most cell sites consist of three directional antennas that divide the cell site into sectors (usually of 120 degrees each). Service providers automatically retain sector information too, which reveals even more precise information about the user’s location. In addition to cell site and sector, some carriers also calculate and log the caller’s distance from the cell site... The availability of historical cell site location information and the length of time it is stored depends on the policies of individual wireless carriers. Sprint/Nextel stores data for 18–24 months; other carriers vary from one year of storage (T-Mobile) to indefinite retention... The precision of a user’s location revealed by the cell site identifier in the carrier’s records depends on the size of the sector. The coverage area for a cell site is reduced in areas with greater density of cell towers, with the greatest cell site density and thus smallest coverage areas in urban areas... the number of cell sites in the United States has more than doubled in the last decade, with 285,561 as of June 2012"

The industry refers to this as cell site density. It refers to cell tower data collection as CSLI: Cell Site Location Information. So, as telecommunications providers install more cellular towers, they will be able to collect more precise geolocation data. Perhaps more importantly, your smartphone communicates differently than cell phones:

"... smartphone that communicates with the carrier’s network (and thus generates location data) every few minutes, or a traditional feature phone that communicates less frequently. Knowing periodic information about which cell sites a phone connects to over time can be used to interpolate the path the phone user traveled..."

In this lawsuit, local law enforcement had obtained without a warrant 221 days of the defendant's geolocation data. That's about 7.5 months of data. The privacy implications:

"Location surveillance, particularly over a long period of time, can reveal a great deal about a person. 'A person who knows all of another’s travels can deduce whether he is a weekly church goer, a heavy drinker, a regular at the gym, an unfaithful husband, an outpatient receiving medical treatment, an associate of particular individuals or political groups—and not just one such fact about a person, but all such facts.' "

How does your mobile activity reveal so much detail? Keep reading:

"Mr. Graham’s data include 14,805 separate call records for which CSLI was logged, comprising 29,659 cell site location data points. (JA 2668–3224.) Mr. Jordan’s records reveal 14,208 calls for which location information was logged, comprising 28,410 cell site location data points. Mr. Graham and Mr. Jordan respectively placed or received an average of 67 and 73.8 calls per day for which location data was recorded and later obtained by the government... For example, Mr. Graham’s calls include location records from 167 towers and 369 separate sectors, and over the course of a typical day his records chart his movements between multiple sectors. On November 4, 2010, for example (a randomly selected day), he made and received 69 calls in 36 unique cell site sectors. Even more revealing, during one 38-hour period in October 2010, Mr. Graham made and received 209 calls (an average of 5.5 calls per hour) while located in 55 different cell site sectors. Even records of individual calls provide information about movement: 2,212 of his calls were initiated within one cell site sector and terminated in another, suggesting that he was not stationary during the call... during the period for which records were obtained Mr. Graham’s wife was pregnant, and he often accompanied her to appointments with her OB/GYN. Twenty-nine calls during business hours began or ended in the sector where the OB/GYN’s office is located, allowing the inference that they were at the doctor’s office at those times... By sorting the data for the first and last calls of each day, one can infer whether a person slept at home or elsewhere..."
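The inferences the brief lists can be reproduced on a handful of rows, which shows how little data they need. The following Python sketch is an added example, not part of the original post or the brief; the records are constructed, and the record layout, sector ids, business hours, and the rule that the most common first/last sector of the day is "home" are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records (not real data): call start, call end,
# sector at start, sector at end. A sector id is "<tower>-<sector>".
RAW = """\
2010-11-03 07:10,2010-11-03 07:12,T1-A,T1-A
2010-11-03 08:40,2010-11-03 08:55,T1-A,T1-B
2010-11-03 10:15,2010-11-03 10:20,T5-B,T5-B
2010-11-03 22:30,2010-11-03 22:31,T1-A,T1-A
2010-11-04 07:05,2010-11-04 07:06,T1-A,T1-A
2010-11-04 14:00,2010-11-04 14:30,T3-B,T4-A
2010-11-04 23:50,2010-11-04 23:58,T9-C,T9-C
2010-11-05 09:30,2010-11-05 09:33,T9-C,T9-C
2010-11-05 11:00,2010-11-05 11:10,T5-B,T5-B
2010-11-05 21:45,2010-11-05 21:50,T1-A,T1-A
"""
FMT = "%Y-%m-%d %H:%M"


def parse(raw):
    """Turn the CSV-like text into call records sorted by start time."""
    records = []
    for line in raw.strip().splitlines():
        start, end, start_sector, end_sector = line.split(",")
        records.append({
            "start": datetime.strptime(start, FMT),
            "end": datetime.strptime(end, FMT),
            "start_sector": start_sector,
            "end_sector": end_sector,
        })
    return sorted(records, key=lambda r: r["start"])


def summarize(records):
    """Counts of the kind the brief reports: calls, points, towers, sectors."""
    sectors = {r[k] for r in records for k in ("start_sector", "end_sector")}
    return {
        "calls": len(records),
        # Assumption: one location point at call start and one at call end.
        "location_points": 2 * len(records),
        "towers": len({s.split("-")[0] for s in sectors}),
        "sectors": len(sectors),
        # Start and end sector differ: the caller was not stationary.
        "moved_during_call": sum(
            r["start_sector"] != r["end_sector"] for r in records),
    }


def first_last_by_day(records):
    """Map each day to (sector of first call, sector of last call)."""
    days = defaultdict(list)
    for r in sorted(records, key=lambda r: r["start"]):
        days[r["start"].date().isoformat()].append(r)
    return {d: (calls[0]["start_sector"], calls[-1]["end_sector"])
            for d, calls in sorted(days.items())}


def nights_away(records):
    """Guess the home sector, then list days that ended and whose next
    day began somewhere else (the 'slept elsewhere' inference)."""
    per_day = first_last_by_day(records)
    counts = Counter(s for pair in per_day.values() for s in pair)
    home = counts.most_common(1)[0][0]
    days = list(per_day)
    away = [d for d, nxt in zip(days, days[1:])
            if per_day[d][1] != home and per_day[nxt][0] != home]
    return home, away


def business_hours_calls(records, sector, open_hour=9, close_hour=17):
    """Calls during business hours that began or ended in one sector."""
    return sum(
        1 for r in records
        if open_hour <= r["start"].hour < close_hour
        and sector in (r["start_sector"], r["end_sector"]))


RECORDS = parse(RAW)

if __name__ == "__main__":
    print(summarize(RECORDS))
    print(nights_away(RECORDS))
    print(business_hours_calls(RECORDS, "T5-B"))
```

Ten rows over three days are enough to name a likely home sector, one night spent elsewhere, and a repeated daytime visit to a single sector.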

Perhaps more importantly, the brief stated:

"The Supreme Court has made clear that when the government engages in prolonged location tracking, or when tracking reveals information about a private space that could not otherwise be observed, that tracking violates a reasonable expectation of privacy and therefore constitutes a search within the meaning of the Fourth Amendment. Acquisition of Defendants’ cell phone location information is a search for both of these reasons."

Given this, I take seriously geolocation surveillance and the resulting loss of privacy. I hope that you do, too. Basically, a government can't just walk away from the Fourth Amendment of the U.S. Constitution:

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

Security Team Discovers Threat Affecting 99% of Android Mobile Devices

The security research team at Bluebox Labs has discovered a threat that affects 99% of Android mobile devices:

"... a vulnerability in Android’s security model that allows a hacker to modify APK code without breaking an application’s cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user...."

Clearly, this threatens both consumers and employers because many employers allow employees to use their devices for work. Why users of Android devices should be concerned:

"... this risk is compounded when you consider applications developed by the device manufacturers (e.g. HTC, Samsung, Motorola, LG) or third-parties that work in cooperation with the device manufacturer (e.g. Cisco with AnyConnect VPN) – that are granted special elevated privileges within Android – specifically System UID access. Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these “zombie” mobile devices to create a botnet."

Read the Bluebox Labs article to learn more about the technical details of the threat, which was presented at the Black Hat USA 2013 conference. The company advises consumers to: a) use caution and identify the app's publisher before downloading a new app; and b) update their devices (e.g., operating system, browser, anti-virus software).

Video: Guardian UK Interview With Whistle Blower Edward Snowden

On Monday, the Guardian UK newspaper posted video of its interview with Edward Snowden, the whistle blower about U.S. government surveillance programs (e.g., NSA, PRISM). You can watch online part one and part two of the interview.

What would have to happen to make you leave your home, your job, your country, and take these risks? Snowden answers that. Watch the videos.

In related news, this MIT project which sifts through your (Gmail) emails and maps your connections, can provide you with an idea of what the NSA and PRISM programs know about you.

New York State Attorney General Investigates Payroll Cards Programs By Walmart, McDonalds, Home Depot, And Walgreens

The Office of the Attorney General (AG) for the State of New York is investigating several employers about their use of prepaid payroll cards to pay employees. Forbes magazine reported that the investigation is focused on:

"... the process; if it’s costing employees more in fees and whether or not employees have an easy way to choose how they are paid... Walmart launched its payroll card in 2009. Shortly after, the company met with New York’s Department of Labor to provide it “full details” on how the program works... McDonalds says it offers payroll options in the form of direct deposits or pay cards..."

The crux of the situation:

"Under New York state law employees must give advance written consent to be paid by payroll cards and any agreement to receive wages by the cards can’t be a condition of employment."

Besides McDonald's and Walmart, other companies being investigated include Home Depot and Walgreens. More employers offer prepaid payroll cards to employees because prepaid payroll cards are one of the least expensive methods to pay employees.

A class-action lawsuit is underway in Pennsylvania where employers allegedly forced employees to accept pay via prepaid payroll cards. The suit also alleged under-payment of pay due to the numerous fees with the payroll cards. This situation highlights how important it is, when an employer offers pay via a prepaid payroll card, for job seekers and employees to:

  • Know your payroll rights in the state where you live
  • Read closely any prepaid payroll card agreements to understand the costs and fees involved
  • Compare those costs and fees to other banking options, such as a checking account at a credit union or a bank
  • Visit the website for the attorney general's office or the local agency, to learn more about prepaid payroll card rules in your state

The New York State AG offers this brochure about pay options to help consumers (Adobe PDF). In January 2013, the State of Florida Attorney General reached a settlement with several companies (Account Now, Inc., First Data Corporation, Green Dot Corporation, Net Spend Corporation, and Unirush, LLC) about alleged prepaid debit card abuses:

"Following an investigation based upon concerns that consumers were not clearly advised of important fees and misled by claims that using the cards would build positive credit history, the settlements require the companies to provide clear and conspicuous notice of fees and prohibits them from making misleading claims about the ability of prepaid debit cards to build positive credit history. Additionally, the companies have agreed to pay $115,000 to the Central Florida Chapter of Junior Achievement."

I applaud the New York State AG for this investigation, and hope that other states' attorneys general do the same.

This investigation is good news for several reasons. First, employers' payroll programs should comply with federal and state laws. Second, employees demand choice. Many consumers already have checking and savings accounts where direct deposit is applicable. Third, it is unfair for employers to dodge the costs of direct deposit programs by using payroll cards -- which effectively shift those administrative costs to employees. Once again, the banks are trying to influence administrative processes in a way to produce more revenues for themselves.

To learn more, this blog offers several related articles:

What's your opinion of prepaid payroll cards?

[Update July 9: McDonald's employer in Pennsylvania makes prepaid payroll cards optional. Meanwhile, politicians in New York State introduced a proposed bill S04392 to make it easier for employers to pay employees with fee-laden prepaid payroll cards.]

Surveillance: A New I've Been Mugged Topic

Since the whistle blower leak in June about NSA spying programs targeting U.S. citizens, news media organizations have reported heavily about government spying programs. Some news reports have focused on the difficulty achieving a balance between protection from terrorists and maintaining civil liberties. Some believe that balance is way off. Some people refuse to give up the civil liberties for protection. Some people are happy to make that trade.

Regardless, the subject is very controversial. So, I have added a new topic in the tag cloud in the near right column for this content. The "Surveillance" topic includes content where we will explore these and related issues. If you seek similar content about programs by corporations, you should also browse the "Behavioral Advertising" topic.

I hope that you like the new category.

Supermarket Rewards In Boston: What Does It All Mean, Mr. Natural?

[Editor's Note: today's post is by R. Michelle Green, a frequent guest author. She is the Principal for her company, Client Solutions, and a combination geek girl, personal organizer, and career coach. Michelle helps others improve their use of technology in their personal or professional life. In a business world focused on data mining and the tracking of consumers, her post discusses a very interesting program change by a retailer.]

By R. Michelle Green

Shaw’s and Star Markets have discontinued their rewards program as of last Friday June 28th, despite the fact that the web site is still set up to enroll customers. The third largest supermarket chain in New England says all customers should benefit from low prices, and not just some. Several articles focused on the customers' point-of-view, how they feel about it.

While I should have learned about it with Friday’s news, I learned about it Wednesday when I offered my key chain card for groceries. Ok, no problem, programs come and go. But my ears pricked up when the check out lady said, if you turn in your card, you get a Coca-Cola 12-pack for $.99. I believe she talked the couple in front of me into getting a discount on a bag of ice, again for turning in the card. Why are we actively being incented to turn the cards in?

Maybe I’m just too cynical – but wouldn’t it have been just as easy to say – those don’t work anymore? The check-out lady’s take on the decision to cancel the program – less trouble at checkout. Everyone had a sob story about where their card was and could the clerk help?

The Boston Globe quoted a Shaw's spokesperson:

“Our internal processes have become more sophisticated... Tracking individual shopping habits isn’t as critical to our overall strategy.”

I don’t believe that they’ve suddenly lost interest in tracking shopping habits. I could believe that the common use of manager- or clerk-cards, to assist shoppers without their loyalty cards, may have clouded or diluted the data to the point of minimal utility. And it’s possible that Coca-Cola and/or ice is so cheap that it’s serving as a loss leader. But why collect the card? Maybe it’s clearing the wallet and the key chain for a new one? Should I just take a chill pill, and listen to Mr. Natural?

What do you think?