
15 posts from December 2014

Pew Research Reviews Key Statistics From 2014

Pew Research published 14 statistics from 2014 that it views as noteworthy. I found several items from the list particularly interesting.

First, privacy is still a problem. A clear majority of American adult consumers -- 91 percent agree or strongly agree -- believe that they have lost control of how their personal information is collected and used by private companies.

Second, a clear majority -- 80 percent agree or strongly agree -- believe that Americans should be concerned about government monitoring of e-mail messages and Internet usage.

Third, since 2006 more Americans have come to value Internet access and their mobile phones highly compared to other devices.

You can bet that Internet service providers are aware of this, and will price their services accordingly.


Dark Social Channels: What They Are, Who Uses Them, And Why

Apparently, there are dark and light social channels on the Internet. MediaPost reported:

"Nearly a third (32%) of consumers who share content with other people digitally say they do it via so-called “dark social” channels such as email, SMS or other peer-to-peer platforms that are not as easy to see and monitor as so-called “light social” networks such as Facebook, Twitter, Instagram and Pinterest."

This statistic was based upon an October 2014 Tpoll survey of 9,000 consumers. However:

"According to RadiumOne, which released the Tpoll findings this morning as part of a new report, “The Light and Dark of Social Sharing,” found that actual content sharing is more like 69% “dark,” based on trends from its PO.ST content-sharing widgets. That finding is much closer to the patterns found by 33Across’s Tynt database, which tracks actual copy-and-pasting of digital content across all channels and has consistently found that more than 70% of content-sharing is via dark social channels."

Reportedly, about one third of the users surveyed use only dark social channels, and that rate is higher among older users. Also, users tend to share socially acceptable content in light social channels, a finding consistent with research about the spiral of silence.


FTC Sues Data Broker For Selling Consumers' Sensitive Information To Fraudsters

Do you know how much your bank account information is worth to fraudsters? Read on.

Just before the Christmas holiday, the U.S. Federal Trade Commission (FTC) announced that it had charged a data broker with selling consumers' sensitive personal information to fraudsters to commit theft and fraud:

"... LeapLab bought payday loan applications of financially strapped consumers, and then sold that information to marketers whom it knew had no legitimate need for it. At least one of those marketers, Ideal Financial Solutions – a defendant in another FTC case – allegedly used the information to withdraw millions of dollars from consumers’ accounts without their authorization."

Defendants named in the lawsuit include Sitesearch Corporation (doing business as LeapLab), LeapLab, LLC (based in Arizona), Leads Company (based in Nevada), and John Ayers. LeapLab's Twitter account seems dormant, and its website is not operating. BusinessWeek lists John Ayers as Chairman of the Board of LeapLab.

In its complaint, the FTC alleged that LeapLab:

"... collected hundreds of thousands of payday loan applications from payday loan websites known as publishers. Publishers typically offer to help consumers obtain payday loans. To do so, they ask for consumers’ sensitive financial information to evaluate their loan applications and transfer funds to their bank accounts if the loan is approved... The defendants sold approximately five percent of these loan applications to online lenders, who paid them between $10 and $150 per lead... the defendants sold the remaining 95 percent for approximately $0.50 each to third parties who were not online lenders and had no legitimate need for this financial information."

So, your bank account information is worth 50 cents to fraudsters. The sensitive consumer information LeapLab allegedly sold to non-lender third parties included consumers' names, addresses, phone numbers, employers, Social Security numbers, bank account numbers, and bank routing numbers. Who were these non-lender third parties? They included:

"... marketers that made unsolicited sales offers to consumers via email, text message, or telephone call; data brokers that aggregated and then resold consumer information; and phony internet merchants like Ideal Financial Solutions. According to the FTC’s complaint, the defendants had reason to believe these marketers had no legitimate need for the sensitive information they were selling..."

In a separate complaint, the FTC sued Ideal Financial Solutions (based in Las Vegas, Nevada), for allegedly buying information about 2.4 million consumers between 2009 and 2013 from data brokers and using that information:

"... to make millions of dollars in unauthorized debits and charges for purported financial products that the consumers never purchased. LeapLab provided account information for at least 16 percent of these victims."

The New York Times reported:

"The complaints are part of a multiyear government crackdown on fraudulent debt collection and other scams that target people in financial distress. But the case against LeapLab indicates that federal regulators are now widening their investigation to include the middlemen who traffic in the kind of closely held consumer details that can make consumers vulnerable to financial scams... Frederick G. Gamble, a lawyer in Tempe, Ariz., who was listed as a statutory agent of LeapLab, did not respond to a voice mail message seeking comment..."

Thanks to the FTC staff for enforcing credit laws. I look forward to the FTC pursuing more data brokers and non-lender third parties who engage in similar behaviors.

There have to be strong consequences for this type of wrongdoing. I hope that the defendants pay fines, pay the credit monitoring and resolution costs for affected consumers, and serve time in prison. That sounds about right for the amount of damage inflicted upon consumers.

What are your opinions?


Lawmakers Prepare New Net Neutrality Proposal

Things are happening behind closed doors regarding net neutrality and Internet access. The Washington Post reported on December 19:

"Republicans in Congress appear likely to introduce legislation next month aimed at preventing Internet providers from speeding up some Web sites over others... The industry-backed proposal would preempt efforts by the Federal Communications Commission to draw up new rules for Internet providers."

Details of the new legislation aren't final, but reportedly it would not reclassify Internet access as a utility. Instead, it would create:

"... a separate provision of the Communications Act known as "Title X"... Title X would enshrine elements of the tough net neutrality principles called for by President Obama last month. For example, it would give FCC Chairman Tom Wheeler the authority to prevent broadband companies from blocking or slowing traffic to Web sites, or charging content companies such as Netflix for faster access to their subscribers — a tactic known as "paid prioritization." But those new powers would come with a trade-off... In exchange for Title X, the FCC would refrain from regulating net neutrality using Title II of the Communications Act..."

Some of the politics:

"The FCC is widely expected to unveil its net neutrality proposal in February or March, leaving little time for lawmakers to introduce a bill. By unveiling their legislation before [FCC Chairman] Wheeler's draft rules, Republicans could draw momentum away from the agency... If Wheeler struck first with proposed rules with aggressive net neutrality rules, many Democrats would likely find it harder to support a Republican alternative. On Thursday, Democrats led by Sen. Ed Markey (D-Mass.) and Rep. Anna Eshoo (D-Calif.) sent a bicameral letter to Wheeler demanding that he act more swiftly to adopt new rules."

Reportedly, the proposal is backed by several unnamed telecommunications companies. The news article didn't say whether the proposal would address "broadband deserts" (e.g., often rural areas where consumers cannot get any high-speed Internet service), nor the high price of broadband services. A recent report found that the cost to consumers of Internet access is far higher in the United States than in other countries. Another report found that consumers seeking high-speed Internet service have few choices:

"... competition among broadband providers remains lacking... That's according to the Commerce Department, which this week released a new report regarding the state of broadband availability. Researchers found that people who want service of at least 10 Mbps -- which Federal Communications Commission Chairman Tom Wheeler says should be the new definition of broadband -- typically have a choice of just two wireline providers. In other words, broadband at that speed typically is a duopoly service."

The article didn't state whether the new proposal addresses the duopoly problem. Laws in 20 states already prevent broadband competition by stopping cities and towns from building their own (low-cost to users) fiber Internet services. This keeps the monthly prices charged by your Internet Service Provider (ISP) high, and it limits the freedom of consumers to build broadband alternatives through their cities and towns. Bad for you; good for your ISP.

Given the extremely bank-friendly language drafted by Citigroup that was included in the recent spending omnibus bill, it is probably a safe bet that some mix of the largest telecommunications companies is drafting language for the lawmakers.

I guess lawmakers have become lazy, and are willing to let others do the work they were elected and sent to Washington to do: write the legislation themselves.


Sony At The Center Of Several Issues, Not Just A Decision To Cancel A Movie Release

News media and social networking sites are ablaze with discussions about Sony Pictures and its film, "The Interview." Everyone has an opinion, and many seem to want the company to stand up for the First Amendment rights of creative artists, and not surrender to threats by politically-motivated hackers.

These are all valid concerns. However, Sony seems to be at the nexus of several important, related issues that shouldn't be confused nor overlooked:

  1. Whether or not Sony Pictures should have made the film, "The Interview."
  2. Sony Pictures decided to cancel the Christmas release of the film. Many people feel this was a bad decision, arguing that the company surrendered to the hackers' threats, and that surrender encourages more attacks by politically-motivated hackers.
  3. Sony Pictures considers how to release the film (e.g., streaming?) given liability and safety concerns. It may use its Crackle video-streaming service.
  4. Several news media outlets published the content of e-mail messages stolen during the hack attack. Despite First Amendment rights in the U.S., Sony threatened legal action against news media outlets that published more e-mail messages. Some people supported Sony's position.
  5. The theft and publication of e-mails with embarrassing and insulting content is a reminder of the fragility of online privacy: nothing you say, type, text, post or do online can be guaranteed to remain private. This is important, especially given the growth in usage of "erasable" social services (e.g., Snapchat) and cloud services.
  6. The data breach raised concerns that Sony Pictures allegedly failed to adequately protect both its networks and the servers holding sensitive information entrusted to it. The latest data breach affected both current and former employees.
  7. Several lawsuits have been filed against the company by current and former employees regarding #6, and
  8. The U.S. government weighs a "proportional response" given national security concerns of hacking attacks by a foreign country. North Korea denied the cyber-attack, and then proposed a joint investigation with the USA. The USA later rejected that proposal.

Sony Corporation's headquarters is in Tokyo, Japan. Sony Pictures' headquarters is in Culver City, California, in the USA. Issues #6 and #7 merit further discussion.

This latest data breach at Sony was not the company's first incident. It experienced several breaches during 2011, notably a massive incident at the Sony PlayStation Network affecting 77 million customers, and another at Sony Entertainment Network. Later that year, Sony executives apologized. Earlier this year, the company agreed to a settlement resolving lawsuits about its PlayStation Network breach. However, there's more. Forbes magazine reported:

"An email from Courtney Schaberg, VP of legal compliance at Sony Pictures, to general counsel Leah Weil, dated 16 January 2014, reported a compromise of the Sonypictures.de site. The website was swiftly taken down after it emerged the site had been hacked to serve up malware to visitors. Schaberg also expressed concern that email addresses and birth dates for 47,740 individuals who signed up to the site’s newsletter had been accessed by the attacker. On Friday 17 January 2014, Schaberg told Weil that it was unclear whether personal information had been taken as an investigation by a third party would not start until the following Monday, but it was unlikely Sony would disclose the breach publicly."

After the Sony Pictures cyberattack, both current and former employees have already filed lawsuits. TechCrunch described some of the details:

"... Christina Mathis and Michael Corona have filed a federal court complaint against the movie studio, alleging that the company did not take enough precautions to keep employee and employee family data safe... The complaint references tech blog reporting to note that Sony was aware of the insecurity on its network... And it cites several instances of Sony failing to adequately inform former employees of the situation... there were only 11 people on the Sony information security team at the time of the hack..."

The plaintiffs seem to have several valid concerns. Krebs On Security reported:

"According to multiple sources, the intruders also stole more than 25 gigabytes of sensitive data on tens of thousands of Sony employees, including Social Security numbers, medical and salary information. What’s more, it’s beginning to look like the attackers may have destroyed data on an unknown number of internal Sony systems."

Krebs on Security also reported:

"Several files being traded on torrent networks seen by this author include a global Sony employee list, a Microsoft Excel file that includes the name, location, employee ID, network username, base salary and date of birth for more than 6,800 individuals... Another file being traded online appears to be a status report from April 2014 listing the names, dates of birth, SSNs and health savings account data on more than 700 Sony employees. Yet another apparently purloined file’s name suggests it was the product of an internal audit from accounting firm Pricewaterhouse Coopers, and includes screen shots of dozens of employee federal tax records and other compensation data."

So, the sensitive personal data stolen is out in the open where criminals can use and abuse it. And, there may be more. The hackers have threatened to release more stolen information if Sony Pictures releases the film.

On December 15, Sony Pictures published several breach notices, including this general breach notice to its current and former employees (Adobe PDF) worldwide. Accompanying this general notice are several specific notices for residents in the United States, Canada, and Puerto Rico. There are detailed breach notices for residents of Maryland, Massachusetts, North Carolina, and Puerto Rico.

The Sony Pictures breach notice for Massachusetts residents (Adobe PDF) listed the specific data exposed and probably stolen:

"... the following types of personally identifiable information that you provided to SPE may have been subject to unauthorized acquisition: (i) name, (ii) address, (iii) social security number, driver’s license number, passport number, and/or other government identifier, (iv) bank account information, (v) credit card information for corporate travel and expense, (vi) username and passwords, (vii) compensation and (viii) other employment related information. In addition, unauthorized individuals may have obtained (ix) HIPAA protected health information, such as name, social security number, claims appeals information you submitted to SPE (including diagnosis), date of birth, home address, and member ID number to the extent that you and/or your dependents participated in SPE health plans, and (x) health/medical information that you provided to SPE outside of SPE health plans..."

If any items had been encrypted, Sony Pictures probably would have mentioned it. Why wasn't this sensitive information encrypted? That's one problem. Next, the data stolen includes the mother lode of personal, financial, and healthcare information: the stuff identity criminals seek for reselling profitably to other criminals, for impersonating breach victims both online and offline, for taking out fraudulent loans, and for obtaining free health care services.

Sony Pictures has arranged for 12 months of free identity-protection services with AllClear ID. As I have written repeatedly, 12 months is insufficient. The data elements stolen do not magically become obsolete in 12 months. Five or ten years of identity-protection services would be better.

Sony's latest breach, and its unencrypted data storage, make one doubt that its executives have truly learned from prior data breaches: whether the company's executives have truly embraced best practices for data security, or continue to cut corners. As TechCrunch reported:

"Sony Director of Information Security Jason Spaltro even gave an interview in 2007 whose whole point was to revel in Sony’s security loopholes: “it’s a valid business decision to accept the risk” of a security breach. “I will not invest $10 million to avoid a possible $1 million loss,” he said at the time. This hack is estimated to cost Sony $100 million after all is said and done. The last one cost the company a cool $171 million..."

What are your opinions about Sony, its data security, or the above list of issues? Are there any additional issues?

(Image: Movie approved by the DPRK)

[December 24 update: Sony Pictures reversed its prior decision and will release the film in select theatres on Christmas.]


Digital Advertising Firm Pays $750K To Settle Online Privacy Abuses

Six states, including Illinois, announced a $750,000 settlement with PointRoll, a digital advertising firm, after investigations into privacy violations. Illinois Attorney General Lisa Madigan announced:

"... Madigan and her counterparts from five other states alleged that PointRoll unlawfully deployed a browser circumvention technique that allowed it to place browser cookies on consumers’ Safari web browsers despite privacy settings configured to “block cookies from third-parties and advertisers” or alternatively set to “accept cookies” from “visited sites” (for Safari browsers on Apple iPhones and iPads) between December 13, 2011, and February 15, 2012."

Browser cookie files, often referred to as "cookies," are small text files that web browsers create, update, and save on users' computers. Advertisers use these files to gather information about users' online habits, often including the sites they visit. PointRoll is owned by the Gannett Corporation.

The settlement agreement requires PointRoll to respect and comply with consumers' cookie-blocking choices, provide prominent Privacy Policy buttons with links to complete policies on any websites it operates, and implement within six months a privacy program that trains its employees about consumer privacy and how to maintain it. That program must include yearly assessments and make ongoing changes as needed. Additional terms of the settlement:

  • "Never misrepresent or omit material facts concerning the purposes for which it collects and uses consumer information, or the extent to which consumers may exercise control over the collection, disclosure or use of such information.
  • Ensure that its servers are configured to instruct Safari web browsers to expire any cookie placed by PointRoll using its browser circumvention technique, if those systems encounter such a cookie, for a period of two years.
  • Cooperate with compliance monitoring by the participating states, including providing a written report that describes PointRoll’s compliance with the privacy program requirement and allowing the inspection and copying of all records that may be required to verify compliance."

Besides Illinois, the states involved in the settlement include Connecticut ($110,000), Florida, Maryland ($110,000), New Jersey ($200,000), and New York ($110,000). The Connecticut Attorney General's announcement included a statement by the state's Consumer Protection Commissioner, William M. Rubenstein:

"Brazenly disregarding consumer preferences is an unwise business practice that borders on unethical conduct... We applaud New Jersey’s leadership in the investigation and negotiation with PointRoll and we will continue to uphold Connecticut consumers’ right to choose.”

Borders on unethical conduct? The settlement terms are pretty standard stuff (e.g., requiring PointRoll to respect and comply with users' browser settings to block cookies, train employees, submit to annual assessments, and prominently display buttons with links to privacy policies on its websites). That the firm had to be forced to do this makes one wonder what PointRoll's internal company culture is regarding ethics and privacy. It makes one wonder how trustworthy, or not, the executives at PointRoll are. Are executives at Gannett paying attention?

Readers of this blog know that advertisers have used a variety of technologies (e.g., browser cookies, "zombie cookies," Flash cookies or "super cookies," and ETags) to ignore and circumvent consumers' explicit decisions and web browser settings not to be tracked online. I congratulate the six attorneys general and their staff for protecting consumers' privacy and enforcing their rights.

What are your opinions of this settlement agreement?


Police Investigate Assaults On Ride-Share Customers. How To Stay Safe

The Boston Police Department is investigating reports of assaults on ride-sharing customers by imposter drivers. Reports included three incidents during the early morning hours of Sunday, December 13, 2014:

"... officers spoke to a victim who stated that she had been assaulted by an individual she believed to be employed by a rideshare service. According to the victim, she arranged for transportation from 1030 Commonwealth Avenue to her home. Once inside the vehicle, the victim states that the operator made attempts to touch her inappropriately. After refusing unwanted advances, the victim ordered the operator to stop the car so that she could exit the vehicle."

Arlington, Massachusetts, Police also issued an alert about an alleged assault. The threat is not just imposter drivers. Chicago Police are investigating the alleged rape of a ride-share customer by a driver. There were several incidents this past summer of alleged assaults and rapes of ride-share customers by drivers in other cities.

To avoid getting mugged or assaulted, the Boston Police Department provided the following advice for consumers using any transportation service, and not only ride-sharing services:

  • "Have a plan on how you will get home before you go out.
  • Travel with friends if possible.
  • Whenever possible, schedule a designated driver.
  • Have credible and regulated cab company phone numbers saved to your phone ahead of time.
  • Use only licensed cabs or clearly identifiable livery or rideshare service vehicles that you call to your location.
  • Before entering any vehicle, ask to see the operator’s license and any information confirming the driver’s employee status with the service hired."

Besides checking the driver's name and the vehicle's license plate number, and texting the driver to identify both yourself and the driver, Uber advises its customers:

"Check the driver phone! You should see YOUR name and YOUR phone number at the bottom of the screen. If the phone is not mounted on the dash please feel free to ask the driver to see it before he starts the trip. If you don’t see your name and number…hop out! This is also a good time to call your actual driver to see where they are..."

Lyft advises its customers:

"Track your driver’s route and ETA in the app. You’ll also see a photo of your driver and their car, so you always know who you’re riding with. That said, our pink car mustaches make us pretty hard to miss."

Meanwhile, the sites primarily promote convenience. Lyft highlights three benefits on its website main page: "Easy, Affordable, and Friendly." See:

(Image: Lyft benefits)

On its main page, Uber promotes six benefits:

(Image: Uber benefits)

Neither site mentions safety as a key benefit. Huh? Maybe ride-sharing executives will wake up and give customer safety more prominence by adding another benefit: Safe.

To stay safe, the bottom line seems to be: as with any other transportation service, use the service's app to identify your driver, pay attention, and check the driver's credentials before entering any vehicle. If anything seems odd, don't get in the vehicle. If you are already inside, demand that the driver stop, and get out.

What are your opinions of the safety of ride-sharing services?

[Update, Dec. 18: The ABC TV affiliate in Boston reported that an Uber driver charged with rape is also being investigated in two other assaults.]


What Data Does Your Web Browser Collect About You?

While many people use mobile apps, most people use web browsers to access the Internet. Last week, Mozilla released a new version of its popular Firefox browser. If you use this browser and haven't reviewed some of its newer features, you probably should. The browser contains several options that collect data about how you use the Internet and transmit that information back to the developers at Mozilla.

To view these options, open the Firefox browser on your computer and open the Tools drop-down menu. Then select Options, then Advanced, then the Data Choices tab. You'll see:

  • Telemetry
  • Firefox Health Report
  • Crash Reporter

What are these options? What data do they collect? First, Firefox defines Telemetry as:

"Usage statistics or "Telemetry" is a feature in Firefox that sends Mozilla usage, performance, and responsiveness statistics about user interface features, memory and hardware configuration. Your IP address is also collected as a part of a standard web log. Usage statistics are transmitted using SSL and help us improve future versions of Firefox. Once sent to Mozilla, usage statistics are aggregated and made available to a broad range of developers, including both Mozilla employees and public contributors. This feature is turned on by default in Nightly, Developer Edition, Aurora and Beta builds of Firefox to help those users provide feedback to Mozilla. In the general release version of Firefox, this feature is turned off by default."

Are you comfortable with your browser collecting and transmitting this data? That's your choice. In the general release version the default for this option is off, so you have to opt in to enable it. To enable it, click the check box next to Telemetry in the Options dialog.

The second option is the Firefox Health Report:

"Firefox Health Report (FHR) is designed to provide you with insights about your browser's stability and performance and with support tips should you experience issues, such as high crash rates or slow startup times. Mozilla collects and aggregates your data with that of other Firefox users and sends it back to your browser so you can see how your Firefox performance changes over time. This data includes, for example: device hardware, operating system, Firefox version, add-ons (count and type), timing of browser events, rendering, session restores, length of session, how old a profile is, count of crashes, and count of pages. FHR does not send Mozilla URLs that you visit. We use the data sent through FHR to provide users with FHR's functionality, such as helping you analyze and address performance issues with your browser..."

Anytime I see the phrase "includes, for example," that tells me the option collects and transmits more data elements than those listed above. Why didn't Mozilla provide the entire list of data elements? Not doing so forces users to hunt for the complete list.

The third option is the Crash Reporter:

"This report contains technical information for us to improve Firefox including why Firefox crashed, the active URL at time of crash, and the state of computer memory during the crash. The crash report we receive may include personal information. We make portions of crash reports available publicly at https://crash-stats.mozilla.com/. Before publicly posting crash reports, we take steps to automatically redact personal information. We do not redact anything you may write in the comments box."

Maybe your Firefox browser is stable, or not. Mine is pretty stable. It rarely crashes; I have a hard time remembering the last time it did... probably four or five years ago. This option is enabled by default, so you have to opt out by clearing the check box next to the Crash Reporter option.

To me, this crash data seems worthwhile, so I left the Crash Reporter option enabled. The other two options didn't seem critical, so I decided not to enable them. My point: wise Internet users know what data their web browsers collect.

I like that Mozilla provided these options with their web browser. I feel informed and in control of my personal information and privacy. Perhaps, you feel similarly. I hope so.

It'd be great if all other web browser software developers offered similar options to help their users. It'd be great if all manufacturers of mobile devices (e.g., tablets, smart phones, fitness accessories, watches, cameras, auto insurance trackers, etc.) provided consumers with similar options to maintain control of their information and privacy.

What are your opinions of the Firefox options? Of the options device manufacturers provide?


TD Bank Agrees To Pay $625K To Several States To Settle Allegations About Its Data Breach

Nine states joined in an agreement with TD Bank to settle allegations about the bank's March 2012 data breach, which affected 260,000 persons, including more than 90,000 in Massachusetts. In a statement, the Office of Martha Coakley, Attorney General for the Commonwealth of Massachusetts, announced that the bank:

"... violated state data security regulations, including by failing to comply with its own policies requiring encryption of the personal information on the tapes, and by failing to retain a third-party service provider capable of maintaining appropriate security measures when transporting the tapes. The AG’s Office also alleged that TD Bank violated the state data breach notice law by delaying providing notice of the March 2012 data security incident until October 2012."

The breach occurred when the bank's back-up tapes containing unencrypted information (e.g., names, Social Security numbers, bank account numbers, drivers' license numbers, etc.) were lost during shipment to a vendor. Terms of the settlement agreement with Massachusetts:

"... TD Bank has agreed to a settlement amount of $825,000. TD Bank will pay $325,000 in civil penalties, $75,000 in attorney’s fees and costs, and $225,000 to a fund administered by the AG’s Office to promote education or to fund local consumer aid programs. In addition, TD Bank has been credited $200,000 to reflect security measures and upgrades it has already taken following the incident."

The bank also agreed to provide prompt notice of any future data breaches and to comply with Massachusetts data security laws:

  • Encrypt customers' personal information stored on back-up tapes,
  • Require third-party vendors to implement and maintain appropriate security procedures,
  • Review the data security practices and procedures of third-party vendors,
  • Complete a review of the bank’s compliance with its own security policies and procedures, and
  • Monitor for instances of unauthorized access or use of the personal information resulting from the breach.

Other states participating in the settlement agreement were Connecticut, Florida, Maryland, New Jersey ($103,760), Maine ($130,015), New York, North Carolina, and Vermont.

Unencrypted computer backup tapes surely make it convenient for identity thieves and criminals. A visit Tuesday to the bank's home page showed a plain HTTP browser connection instead of a more secure HTTPS connection. You'd think that the bank would have upgraded its home page connection to show both current and prospective customers that it is serious about security. Do the bank's executives get it? Perhaps the settlement penalty amount was not large enough.

What are your opinions of the settlement agreement?


Judge Rules Lawsuit Can Proceed Against Target Corporation For Its Massive 2013 Data Breach

Paul A. Magnuson, a U.S. District Court Judge in Minnesota, ruled on December 2, 2014 that the class-action lawsuit can proceed against Target Corporation for its 2013 data breach.

Target, one of the largest retailers in the country, is headquartered in Minnesota. During its 2013 data breach, hackers stole the credit- and debit-card information for about 110 million shoppers. Lawsuits by both consumers and banks followed, and they were consolidated into the litigation Judge Magnuson ruled upon. Judge Magnuson heard arguments about four claims:

"Plaintiffs’ Complaint consists of four claims against Target. Count One contends that Target was negligent in failing to provide sufficient security to prevent the hackers from accessing customer data. Count Two asserts that Target violated Minnesota’s Plastic Security Card Act, and Count Three alleges that this violation constitutes negligence per se. Count Four claims that Target’s failure to inform Plaintiffs of its insufficient security constitutes a negligent misrepresentation by omission."

Target sought dismissal of all four claims arguing that the plaintiffs did not prove their case. Judge Magnuson ruled in favor of the plaintiffs on three of the four counts:

"Plaintiffs have plausibly pled a claim for negligence, a violation of the PCSA, and negligence per se. Plaintiffs failed to plead reliance, however, and therefore their negligent-misrepresentation claim must be dismissed without prejudice."

This means that the lawsuit can continue based upon the allegations of negligent data security, violation of Minnesota's Plastic Security Card Act (PCSA), and negligence per se. The judge agreed with the plaintiffs' argument that:

"Although the third-party hackers’ activities caused harm, Target played a key role in allowing the harm to occur. Indeed, Plaintiffs’ allegation that Target purposely disabled one of the security features that would have prevented the harm is itself sufficient to plead a direct negligence case: Plaintiffs allege that Target’s “own conduct create[d] a foreseeable risk of injury to a foreseeable plaintiff.”"

The InfoSecurity blog reported about the security features:

"... the attackers were able to access the POS network and exfiltrate payment card data for 40 million victims via an HVAC contractor’s credentials...  Also, the big-box giant admitted that an early-warning system from FireEye that was in place was ignored despite multiple alarms..."

While most people believe the HVAC vendor's credentials story, I am not so sure it was only an HVAC vendor's credentials. Anyway, this court ruling has huge implications for both banks and retailers. According to InfoSecurity:

"Industry watchers have long expected Target and other retailers to eventually find themselves liable for stolen identities and bank fraud stemming from the high-profile point-of-sale (POS) breaches that have become a sad norm on the cyber-incident front. Now, a Minnesota court has paved the way for a series of lawsuits by banks looking to recover their losses, which they say range into the billions for the last year alone."

Read the Minnesota U.S. District Court ruling (Adobe PDF).

One thing is certain: we will hear more about both this lawsuit and the squabble between retailers, banks, and credit unions about who should pay for breach-related costs when replacement debit/credit cards and accounts must be issued to breach victims.


Newspaper Uncovers Secret Alliance Between Energy Companies And Several States' Attorneys General

To write this blog, I often monitor announcements by several states' attorneys general. I was saddened to read an investigative report describing a secretive alliance between several energy companies and state attorneys general. The New York Times reported:

"The email exchange from October 2011, obtained through an open-records request, offers a hint of the unprecedented, secretive alliance that Mr. Pruitt and other Republican attorneys general have formed with some of the nation’s top energy producers to push back against the Obama regulatory agenda, an investigation by The New York Times has found."

What the newspaper's investigation uncovered:

"The letter to the Environmental Protection Agency from Attorney General Scott Pruitt of Oklahoma carried a blunt accusation: Federal regulators were grossly overestimating the amount of air pollution caused by energy companies drilling new natural gas wells in his state. But Mr. Pruitt left out one critical point. The three-page letter was written by lawyers for Devon Energy, one of Oklahoma’s biggest oil and gas companies, and was delivered to him by Devon’s chief of lobbying."

The newspaper also uncovered:

"Industries that [Mr. Pruitt] regulates have also joined him as plaintiffs in court challenges, a departure from the usual role of the state attorney general, who traditionally sues companies to force compliance with state law."

According to the newspaper's report, the Southern Company of Georgia, an electric utility, also sent similar letters to states' attorneys general. The goal seems to be to roll back regulations that currently ensure clean air, water, and land, spun in terms of advancing states' rights and limiting federal government rights. This may be happening in 15 other states, most with Republican attorneys general. One set of documents describes a former state attorney general who became a lobbyist.

It is also troubling because the state attorney general represents the state and its residents, and should not advocate for a specific company:

“When you use a public office, pretty shamelessly, to vouch for a private party with substantial financial interest without the disclosure of the true authorship, that is a dangerous practice,” said David B. Frohnmayer, a Republican who served a decade as attorney general in Oregon. “The puppeteer behind the stage is pulling strings, and you can’t see. I don’t like that. And when it is exposed, it makes you feel used.”

I am neither an attorney nor a resident of Oklahoma. Perhaps some concerned citizens in the applicable states will challenge their attorneys general's conduct. Example: a section from the Oklahoma Rules of Professional Conduct which seems applicable:

"Chapter 1, App. 3-A
Transactions with Persons Other than Clients
Rule 4.1. Truthfulness In Statements To Others
In the course of representing a client a lawyer shall not knowingly: (a) make a false statement of material fact or law to a third person; or (b) fail to disclose a material fact to a third person when disclosure is necessary to avoid assisting a criminal or fraudulent act by a client, unless disclosure is prohibited by Rule 1.6."

Another section of the code:

"Rule 3.9. Advocate in Nonadjudicative Proceedings
A lawyer representing a client before a legislative body or administrative agency in a nonadjudicative proceeding shall disclose that the appearance is in a representative capacity and shall conform to the provisions of Rules 3.3 (a) through (c), 3.4 (a) through (c), and 3.5.

Comment: [1] In representation before bodies such as legislatures, municipal councils, and executive and administrative agencies acting in a rule-making or policy-making capacity, lawyers present facts, formulate issues and advance argument in the matters under consideration. The decision-making body, like a court, should be able to rely on the integrity of the submissions made to it. A lawyer appearing before such a body must deal with it honestly and in conformity with applicable rules of procedure..."

What are your opinions of Mr. Pruitt's alleged actions? Of the secret alliance? Any readers in Oklahoma care to comment below? I expect these actions from elected politicians, not lawyers responsible for enforcing the state's laws. These alleged actions put a democracy in peril.


Package Delivery Scam. How To Spot It And Not Get Duped

The gift-giving holiday season is upon us. Monday was "Cyber Monday," the retail industry's term for the online shopping frenzy on the first Monday after the Thanksgiving holiday. With plenty of packages to be delivered from online shopping, the story below applies to everyone.

A friend, Celeste (not her real name), called me on the phone Sunday evening about an official-looking e-mail message she had received from the FedEx package delivery service. She thought that the e-mail was a scam and wanted to confirm it with me. Since she was expecting a package, she admitted to having already opened both the e-mail message and the file attached to it.

I explained that this was probably a scam. A quick online search found the fraud page at the FedEx website:

"FedEx has received reports that there has been an increase in fraudulent emails claiming to come from FedEx. These messages typically have a vague subject referencing a FedEx tracking, invoice or item number and an attached zip file with 'FEDEXInvoice' in the file name that may contain a computer virus. If you receive a message matching this description do not open the attachment. Delete the email immediately."

Identity-theft criminals know that year round, and especially during the holiday season, consumers send and receive gift packages. The scam takes advantage of this to trick consumers into revealing sensitive personal and financial information. Celeste read part of the e-mail message to me; it had several telltale grammatical errors and a corporate logo with the wrong colors. Plus, the message sounded similar to other package scams reported:

"Your parcel has arrived at the post office at December 24. Our courier was unable to deliver the parcel to you.To receive a parcel, please, go to the nearest our office and show this receipt. DOWNLOAD POSTAL RECEIPT.

Best Regards, The FedEx Team"

FedEx does not send unsolicited e-mail messages about the status of packages, invoices, or personal information. Since Celeste had already downloaded and opened the bogus receipt, I explained to her that her laptop probably was infected with a computer virus. That is the purpose of bogus file attachments. I suggested that she not do anything online until the virus is removed, since it could compromise her online passwords. If the anti-virus software on her laptop can't remove the malware, then she'll probably need to take her laptop to a computer repair service.

I suggested that Celeste delete the e-mail message and file attachment, log out from her home WiFi network, and run a full virus scan of her laptop. She deleted the e-mail and attachment, but didn't know how to log out from the home WiFi network which her daughter operates.

For privacy, mobile devices contain an option to disable wireless connections; a necessary feature when using devices on airplane flights. When a computer is infected, it is important to disable the wireless connection so that the virus doesn't spread to other devices on a home WiFi network, send out spam to the contacts in your address book, or alert criminals of a successfully infected computer. Ransomware scams and keystroke-logging spyware usually communicate remotely with the criminals that distributed the malware.

The wireless modem on Celeste's laptop was controlled by software and not a physical switch. While I was looking online for a user manual with the specific keystrokes to disable WiFi on her Toshiba Satellite laptop, she restarted her computer. When her laptop restarted, it was immediately clear that a computer virus was present, since the Windows operating system displayed several error messages. Ultimately, she was able to successfully restart her laptop, download updates for her anti-virus software, and perform a full anti-virus scan.

However, the virus was a stubborn one, and she was only able to fully remove it with the help of the anti-virus vendor's technical support staff.

Online scams can be bogus e-mail messages, like the one Celeste received, or bogus websites. The industry term is "phishing" as in fishing for consumers' information. The FedEx website lists several warning signs of phishing scams:

"- Unexpected requests for money in return for delivery of a package, often with a sense of urgency.
- Requests for personal and/or financial information.
- Links to misspelled or slightly altered Web-site addresses (fedx.com, fed-ex.com, etc.)
- Spelling and grammatical errors or excessive use of capitalization and exclamation points.
- Claims that you have won a large sum of money in a lottery or settlement.
- Certificate errors or lack of SSL for sensitive activities"
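The warning signs quoted above can be turned into a mechanical first pass over a suspicious message. The following is an added example, written for this post and not FedEx's or the blog's own code; it parses a raw e-mail, checks the sender and link domains for lookalikes of the claimed brand (fedx.com, fed-ex.com), flags plain-http links, archive attachments such as the "FEDEXInvoice" zip described above, requests for money or personal data, urgency, lottery claims, and excessive capitalization, and explains each hit. The brand name, the legitimate-domain set, the keyword lists and the two sample messages are all assumptions constructed for this example.

```python
"""Heuristic phishing-indicator checker for package-delivery e-mails.

Added example, not FedEx's or the blog's own code. Every hit is reported
with a short explanation so a reader can see which warning sign fired.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "fedex"                  # brand the message claims to be from (assumed)
LEGIT_DOMAINS = {"fedex.com"}    # domains treated as genuine (assumed for this example)

# Keyword patterns for the warning signs listed on the FedEx fraud page.
KEYWORD_SIGNS = [
    ("request for money", r"\b(pay|payment|fee|charge|customs duty|redelivery)\b"),
    ("sense of urgency", r"\b(immediately|urgent|within 24 hours|final notice|will be returned)\b"),
    ("request for personal or financial information",
     r"\b(password|credit card|card number|social security|ssn|account number|date of birth)\b"),
    ("lottery or settlement winnings claim", r"\b(won|winner|lottery|settlement)\b"),
]
RISKY_ATTACHMENT = re.compile(r"\.(zip|exe|scr|js|jar)$", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; one edit from the brand label is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host: str) -> bool:
    """True when a host imitates the brand but is not one of the legitimate domains."""
    host = host.lower().rstrip(".")
    if host in LEGIT_DOMAINS or any(host.endswith("." + d) for d in LEGIT_DOMAINS):
        return False
    labels = host.split(".")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    if levenshtein(registrable, BRAND) <= 1:     # fedx.com, fed-ex.com
        return True
    # fedex.com.tracking-update.net or fed-ex-tracking.com: brand used as a decoy
    return BRAND in host.replace("-", "")


def check_message(raw: str) -> list:
    """Return human-readable findings; an empty list means no warning sign fired."""
    msg = message_from_string(raw)
    findings = []

    _, addr = parseaddr(msg.get("From", ""))
    from_host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if from_host and is_lookalike(from_host):
        findings.append(f"sender domain imitates {BRAND}: {from_host}")

    body_parts, attachments = [], []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            attachments.append(name)
        elif part.get_content_type() == "text/plain":
            body_parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    text = msg.get("Subject", "") + "\n" + "\n".join(body_parts)
    low = text.lower()

    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        if parsed.scheme.lower() == "http":
            findings.append(f"link without SSL: {url}")
        if parsed.hostname and is_lookalike(parsed.hostname):
            findings.append(f"link host imitates {BRAND}: {parsed.hostname}")

    for name in attachments:
        if RISKY_ATTACHMENT.search(name):
            findings.append(f"archive or executable attachment: {name}")

    for label, pattern in KEYWORD_SIGNS:
        if re.search(pattern, low):
            findings.append(label)

    # Three or more all-caps words, or three or more exclamation points, in subject + body.
    if len(re.findall(r"\b[A-Z]{4,}\b", text)) >= 3 or text.count("!") >= 3:
        findings.append("excessive capitalization or exclamation points")
    return findings


# Constructed sample messages (not real mail) modelled on the scam text quoted above.
SCAM = """\
From: FedEx Delivery <notice@fed-ex.com>
Subject: FedEx tracking 7731 - parcel could not be delivered
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Your parcel has arrived at the post office at December 24. Our courier was
unable to deliver the parcel to you. Pay the redelivery fee immediately or the
parcel will be returned. DOWNLOAD POSTAL RECEIPT: http://fedx.com/receipt

Best Regards, The FedEx Team
--XX
Content-Type: application/zip; name="FEDEXInvoice_7731.zip"
Content-Disposition: attachment; filename="FEDEXInvoice_7731.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--XX--
"""

LEGIT = """\
From: FedEx <TrackingUpdates@fedex.com>
Subject: FedEx shipment 7731 is on the way
Content-Type: text/plain

Hello, your shipment is scheduled to arrive Thursday. Track it at
https://www.fedex.com/fedextrack/?trknbr=7731

FedEx
"""

if __name__ == "__main__":
    for label, sample in (("scam", SCAM), ("legit", LEGIT)):
        print(label, check_message(sample))
```

The checks are deliberately explainable rather than clever: a consumer-facing tool is more useful when it says "the link goes to fedx.com, not fedex.com" than when it reports a bare score, and a message with no findings is not proof of safety, only the absence of these particular signs.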

Celeste's experience highlights several things for consumers:

  1. Learn to spot e-mail scams
  2. Don't open file attachments from strangers
  3. Know how to disable the WiFi connection on your mobile device(s)
  4. Keep the anti-virus software up-to-date on your mobile device(s)
  5. Know that password protecting your device and logging into a home network are two separate steps.

To learn more, read:


Class Action Proceeds About Drivers Data Sales, Privacy, And Protections For Domestic Violence Victims

Just before the Thanksgiving holiday, a Texas court ruled that a class-action lawsuit can proceed against Compact Information Systems, Inc. (CIS) and several corporate defendants for alleged violations of the Driver Privacy Protection Act (DPPA). This lawsuit is important not only because of the alleged privacy violations, but also because sales of drivers' personal information by state governments can place domestic-violence victims at risk of being victimized again.

The National Organization For Victim Assistance (NOVA) has seen:

"... an explosion in identity theft and cyber stalking victimization. These criminals thrive on access to personal information through electronic data sources, using these bits of PII or personally identifying information to continually harass and re-victimize their targets... With the increase in focus on cyber safety, more attention is being paid to how criminals access their victims’ PII."

NOVA described how drivers' data is acquired and abused:

"The DPPA protects “personal information… that identifies an individual, including an individual’s photograph, social security number, driver identification number, name, address (but not the 5-digit zip code), telephone number, and medical or disability information.”  The DPPA states it is “unlawful for any person knowingly to obtain or disclose personal information, from a motor vehicle record, for any use not permitted under section 2721(b)... This infers that the data will only be used for legitimate government agencies or for licensing purposes without consent of the individual. This is not the case. Many states have chosen to interpret this to mean that unless an individual “opts out” of information sharing, they have consented. States are required to determine that your data is being sold to companies with a permissible use. But recent Court rulings have determined that businesses are being allowed to purchase this aggregate data then re-sell it over and over with very little oversight."

The Doe v. CIS lawsuit was originally filed in December 2013. At that time, the Top Class Actions site reported:

"Plaintiffs Jane Doe and Toby Cross filed the class action lawsuit on behalf of themselves and a proposed class of individuals... plaintiff Jane Doe (who is using a pseudonym to protect her identity) moved to Florida to protect herself from an abusive relationship. Like thousands of other motorists, her PII was requested in bulk, without any information about who is actually requesting the records. She is “outraged by the privacy implications” of this practice... She fears her current physical address could be acquired by her former predator, who poses a serious threat to Doe and her family. According to the class action lawsuit, the state of Texas sells 33 million motor vehicle registration records to bulk requestors each month. Although the entities that request the records claim they are requesting them for DPPA permissible purposes, the plaintiffs claim that they are “willing to ignore the legal implications of the DPPA by providing false and misleading information to the State Motor Vehicle Departments..."

On November 20, 2014, a Magistrate Judge in U.S. District Court in Northern Texas/Dallas Division ruled (Adobe PDF) that the class-action should proceed against CIS, Data Solutions of America, Inc., KMB Statistics LLC, and others. The judge also allowed the plaintiffs to proceed with a motion filed in July to amend their complaint and add AccuData Integrated Marketing, Inc. as a defendant.

During 2014, a third plaintiff, Arthur Lopez, was added to the suit. During the process, the defendants argued that Jane Doe's real identity should be disclosed. A decision about that is pending. In September 2014, a judge dismissed defendant Endurance Warranty Services (EWS) from the suit.

While reading the latest court documents, I noticed that plaintiffs are represented by the Law Office of Joseph H. Malley, P.C. I recognize that name, since Malley has often been referred to as the "Privacy Crusader." Malley was involved with class-action suits against Adzilla, NebuAd, Quantcast ("zombie cookies"), Ringleader, Facebook, and Apple. In 2010, Facebook settled its suit for $9.5 million. So, the plaintiffs have experienced, knowledgeable, and relentless representation. Maybe, "Privacy Pitbull" is a better nickname.

Top Class Actions also provided background information about the DPPA:

"The DPPA was enacted by Congress to protect the personal identifying information (PII) citizens are required to provide to their state Department of Motor Vehicles when acquiring or renewing a drivers’ license. The protection of consumers’ PII is essential to limit the risk of identity theft. For victims of domestic violence, the protection of PII is even more critical. Before the enactment of the DPPA, anyone was able to access public motor vehicle records and could use that information for any purpose. Even with the protections offered by the DPPA, most states sell motor vehicle records."

Additional background information about the DPPA is available at the Electronic Privacy Information Center (EPIC) site:

"The DPPA was passed in reaction to a series of abuses of drivers' personal information held by government. The 1989 death of actress Rebecca Schaeffer was a prominent example of such abuse. In that case, a private investigator, hired by an obsessed fan, was able to obtain Rebecca Schaeffer's address through her California motor vehicle record. The fan used her address information to stalk and to kill her. Other incidents cited by Congress included a ring of Iowa home robbers who targeted victims by writing down the license plates of expensive cars..."

The problem isn't new. There have been lawsuits as far back as 2010 about alleged DPPA violations. If companies (and executives) are providing false information in order to buy drivers' information, or are using drivers' data for impermissible purposes, then there has to be verification and enforcement. Otherwise, chaos results.

There is a possible solution. The credit reporting industry developed a secure method for consumers to maintain control of their information and prevent their credit reports from being resold. The states' motor vehicle registries could, and should, adopt a similar system, so domestic violence victims and other at-risk consumers can maintain control of their personal data and prevent their drivers' data from being resold.

Does your state sell drivers' personal information? Probably, because it's a revenue source. Florida made $63 million in 2010, and in 2012 Texas probably made far more than the $2.1 million that is known. It can be difficult to determine because most states seem not to want to discuss the matter. You'd think that states' motor vehicle registry websites would clearly display this information, but few seem to, and the information is often buried and hard to find.

What are your opinions of the DPPA? Of states' selling of drivers' data? Of the businesses that buy drivers' data?


Developer Of Mobile Spyware App To Pay $500K Fine

The U.S. Justice Department announced the results of a court case where the developer of StealthGenie, a mobile spyware app, pled guilty and will pay a $500,000 fine. The app remotely monitors phone calls, text messages, video, and other communications on mobile phones.

Assistant Attorney General Leslie R. Caldwell said:

"Spyware is an electronic eavesdropping tool that secretly and illegally invades individual privacy... Make no mistake: selling spyware is a federal crime, and the Criminal Division will make a federal case out of it.”

Mr. Hammad Akbar, 31, a Danish citizen, was the chief executive officer of InvoCode Pvt. Limited and Cubitium Limited, the companies that advertised and sold StealthGenie online. Users could install StealthGenie on a variety of mobile phones including Apple’s iPhone, Google’s Android, and Blackberry Limited’s Blackberry. The app was advertised as being untraceable.

This is the first ever criminal conviction involving the marketing of a mobile device spyware app. U.S. Attorney Dana J. Boente described how the app worked:

"The defendant advertised and sold a spyware app that could be secretly installed on smart phones without the knowledge of the phone's owner... This spyware app allowed individuals to intercept phone calls, electronic mail, text messages, voice-mails and photographs of others. The product allowed for the wholesale invasion of privacy by other individuals..."

Kudos to the Justice Department and F.B.I. for this conviction. I look forward to reading about more prosecutions and convictions of developers of similar mobile apps.


ACLU Requests Information About Government Surveillance Programs Using Fake Cell Phone Towers

The American Civil Liberties Union (ACLU) has filed a Freedom of Information Act (FOIA) request for information about the airborne "cell site simulators" program within the U.S. Marshals Service (USMS). You've probably never heard of "cell site simulators." Basically, they are fake cell phone towers:

"Cell site simulators, also called IMSI catchers, impersonate a wireless service provider’s cell tower, prompting cell phones and other wireless devices to communicate with them instead of the nearest tower. In doing so, the simulators can learn all sorts of information that facilitates accurate location tracking..."

So, the technology tricks your mobile phone into communicating with a simulator while thinking it is a valid cell tower operated by your phone/Internet service provider. When your mobile device pings a cell tower, it sends out information identifying your device (hence, identifying you), so you can send/receive phone calls and text messages.

Reportedly, the USMS uses Cessna airplanes outfitted with cell site simulator equipment to perform the tracking and data collection. The data collected includes mobile device serial numbers, GPS location information, direction of movement, date/time stamp, and related sensitive data.

"The government apparently calls cell site simulators deployed on airplanes “DRT boxes” or “dirtboxes”, after their manufacturer, Digital Receiver Technology, Inc. (DRT). (Other cell site simulator models, produced by Harris Corporation, are the “Stingray," “Triggerfish,” “Kingfish,” and “Hailstorm”)..."

The U.S. Marshals Service (USMS), a unit within the U.S. Department of Justice (DOJ), celebrated its 225th anniversary on September 24, 2014. The unit's duties include protecting the federal courts, apprehending federal fugitives, managing and selling assets seized from criminals performing illegal activities, housing and transporting federal prisoners, and operating the Witness Security Program.

The Federal Communications Commission (FCC) is studying how criminals illegally use the fake cell tower equipment to spy on citizens. IMSI Catchers can be bought for as little as $1,800, and operated by individuals with little technical expertise. One company developed CryptoPhone to help businesses discover the location of fake cell towers.

The Electronic Privacy Information Center (EPIC) filed a FOIA request in February 2012 about fake cell tower usage by the Federal Bureau of Investigation (FBI). At the EPIC site, you can browse several documents released by the FBI.

While the dirtboxes are supposedly used only for criminal investigations, the ACLU filed the FOIA request because:

"The problem is that, during each flight, a dirtbox is able to collect data from tens of thousands of cell phones. And, inexplicably, that is pretty much all we know about this program."

Citizens need to know how the data is collected, how long it is stored, how the USMS and DOJ protect the data collected, the legal basis and guidance for the data collection, what other agencies the data collected is shared with, the success rate of prosecutions based only upon simulators, and how the data collection targets only suspected criminals. It'd be a huge waste of taxpayers' money if the data collection did not result in any prosecutions or convictions.

If there is no targeting, then the cell site simulators collect information about everyone, including youth and thousands of innocent, law-abiding citizens. The data collection would be greater and broader, since aircraft move, unlike stationary cell site simulators. If the data collection is not targeted, then it seems to be a huge privacy violation.

Download the ACLU's FOIA request. What are your opinions of cell site simulators? Are you concerned that local police departments and/or foreign governments also use the spy technology?