I've Been Mugged Blog

Earlier reports have proven true. Five banks have plead guilty and will pay more than $5.5 billion in total penalties to U.S. and European regulators to settle charges that traders rigged foreign exchange markets. USA Today reported:

"Five major banks Wednesday agreed to plead guilty to criminal charges and pay more than $5.5 billion in collective penalties... The Department of Justice, the Federal Reserve and other U.S. and European authorities and regulators said corporate units of Citicorp, JPMorgan Chase, London-based Barclays, and Royal Bank of Scotland acknowledged their traders rigged foreign exchange prices of U.S. dollars and euros from Dec. 2007 to Jan. 2013... UBS also acknowledged involvement in the rate-rigging. However, the Swiss banking giant received conditional immunity from criminal prosecution because it was the first to report foreign-exchange misconduct to DOJ investigators."

U.S. Attorney General Loretta Lynch described in the Justice Department announcement the wrongdoing:

"Starting as early as December 2007, currency traders at several multinational banks formed a group dubbed “The Cartel.” It is perhaps fitting that those traders chose that name, as it aptly describes the brazenly illegal behavior they were engaged in on a near-daily basis. For more than five years, traders in “The Cartel” used a private electronic chatroom to manipulate the spot market’s exchange rate between euros and dollars using coded language to conceal their collusion. They acted as partners – rather than competitors – in an effort to push the exchange rate in directions favorable to their banks but detrimental to many others. The prices the market sets for those currencies influence virtually every sector of every economy in the world, and their actions inflated the banks’ profits while harming countless consumers, investors and institutions around the globe – from pension funds to major corporations, and including the banks’ own customers..."

The fines by bank:

"... to pay criminal fines totaling more than $2.5 billion – the largest set of antitrust fines ever obtained in the history of the Department of Justice. And the fine that Citicorp alone will pay – $925 million – is the largest single fine ever imposed for a violation of the Sherman Act... Switzerland’s UBS AG, has agreed to plead guilty and pay a $203 million criminal penalty for breaching the non-prosecution agreement it entered in December 2012 regarding manipulation of the London Interbank Offered Rate, or LIBOR – a benchmark interest rate used worldwide. he breach of the NPA was based in part on UBS’s fraudulent and deceptive currency trading and sales practices related to foreign exchange markets, its collusion with other participants in the FX markets and its failure to take adequate action to prevent unlawful conduct after prior civil, criminal and regulatory resolutions.  In other words, UBS promised, in other resolutions, not to commit additional crimes – but it did."

The announcement did not state which, if any, bank executives would go to prison for the wrongdoing. The announcement did not state what portion, if any, of the fines would be tax-deductible. Previously, penalties and fines paid by some banks have been tax-deductible. Some experts and politicians have stated that better disclosures are needed for settlement agreements.

Recently, sales representatives from several energy companies rang our doorbell. Some of the electric company names: Direct Energy, Just Energy, and Spark Energy. My wife and I listened to some of their pitches, because our electric bill went up during the past few months. Way up.

This blog post discusses what we experienced and learned during our search for another electric company, including some online tools and the criteria we developed. I've written about some of the companies in this blog. A sales rep from Just Energy first visited in 2010. Should you decide to switch to another electric company, that's something only you can decide. You know your electricity needs and home situation best. Hopefully, this blog post will help you identify the considerations to make the best decision possible.

Before choosing a new supplier, consumers should first understand their usage. We did. Our latest bill:

KWH is a kilowatt-hour. Electric bills include two broad categories of charges: delivery and generation. Standard stuff. The Massachusetts EEA Department site explains electric bills:

"Delivery charges include: distribution, transmission and transition charges, as well as costs related to the development of renewable energy sources and efficiency programs... The only way to reduce the delivery portion of your bill is to use less electricity..."

The EEA Definitions page explains:

"Generation is the act of converting various forms of energy (such as oil, gas, coal, sun, wind or nuclear) into electricity. Generation is the only part of the electric industry that has been opened to competition. The transmission and distribution of your electricity will continue to be regulated..."

Competition started In Massachusetts in March 1998 after passage of the Massachusetts Electric Industry Restructuring Act of 1997 (“Restructuring Act”). EverSource (formerly N-Star) is the utility that provides our electricity.

Next, we reviewed our monthly bills. This helped us understand how high the price had risen:

78 percent is a huge price increase. Our historical usage by type of charges:

You'll probably want to analyze your bills like we did. Our residential usage averages about 300 KWH monthly. So, delivery charges decreased slightly while generation charges have almost doubled. Not good. So, we started to shop around for service from another electric company.

The sales representative from Direct Energy quoted (verbally) a price of about 9 cents per KWH. An online search found a C+ rating of Direct Energy by the Better Business Bureau (BBB). Too many complaints and too many unresolved complaints. Not good. Some of the complaints were similar to what we'd learned about Just Energy. The door-to-door sales representatives were mostly college-age students. Most immediately demanded to see our monthly utility bills without first fully explaining their offers. A general statement about a fixed, lower price is not enough.

We've learned that often the devil is in the details. It is wise to closely read the contract, because that document describes what you get, what you pay, and any associated fees. We don't buy on impulse. Plus, the Massachusetts Attorney General advised consumers about door-to-door sellers of electric and gas services:

1. Check your utility bills: to make sure that your service has not be switched to a different provider
2. Protect your sensitive information: do not show your utility bills to door-to-door sales people. Only show your utility bills after you have decided to do business with a provider.
3. Be cautious: your current service provider does not send door-to-door sales people.
4. Know your rights: do not let door-to-door sales people into your home unless you know them personally. Contact local police if the sales agent refuses to leave or you believe you are threatened.

Meanwhile, the folks at Spark Energy sent (unsolicited) their flyer via postal mail:

The flyer quoted $36.00 in monthly savings. It is important to read the fine print because that quote was based upon a home using 1,000 KWH per month. Do you use 1,000 KWH in a month? We don't. Not even close. We use about a third of that, or 300 KWH per month. So, our savings would be far less: (14.90 - 10.80 cents per KWH) X 300 KWH = $12.30. Big difference.

To learn more about Spark Energy, I visited its website. To view information, the site asks you to first enter your ZIP Code. I did:

It presented several plans for where I live. Some plans included renewable energy sources, with a higher price. I selected the "Details" link for the Price Protect 12 Month plan. It mentioned a $4.95 monthly fee and a $100.00 early termination fee. Not good. This meant our savings would be even smaller: about $7.35 (equals $12.30 - $4.95) monthly if we had purchased this plan. That's about the price of two cups of coffee and a doughnut. Not much.

The Spark Energy flyer also had a postcard attached which promised big savings:

The postcard mentioned ChooseEnergy.com. I visited the site. To view information, the site asks you to first enter your five-digit ZIP Code. I did:

The site displayed recommended plans (above) and a sortable list of available plans in my area:

There were several plans; some from the same provider. The plans differed by KWH price, by duration (e.g., six, 12, or 24 months), by renewal energy mix (ranging from zero to 100%), and by fees (e.g., early termination fees from $100 to $200). The site has some strengths and weaknesses.

The key strengths: it's free, easy to read, can easily sort the list of plans, and can easily access contract details about each plan. The key weaknesses: uses a high default KWH usage, can't search for by specific fee type (e.g., monthly, termination, billing, deposit, etc.), and ambiguity about what happens at the end of the contract or when you move. At the end of the contract, many plans default to a higher, variable price. That may be good for the electric company, but not good for consumers who want a predictable low price. I wanted to search for plans that auto-renew from a low fixed price to another low fixed price. The site doesn't seem to provide that search feature.

After reading the contracts for several plans, I learned that some include terms where the plan automatically switches to  your new residence when you move. What? I expect a move to terminate the contract. The site needs to clarify this; and ideally make it a search criteria. The contract for one plan read (bold emphasis added):

"XOOM is an independent retail marketer of electricity and is not affiliated with your local utility. Your local utility will continue to deliver your electricity, read your meter, send your bill, and make necessary repairs. Your local utility will also respond to emergencies..."

What's really going on here? The Massachusetts EEA Department site explained:

"If a consumer selects a competitive supplier, he/she will be paying both the distribution company (for the delivery charge) and the competitive supplier (for the generation charge). Depending on the competitive supplier, the consumer may receive one bill (combined billing) or two separate bills. In general, smaller consumers (residential and small commercial) will receive one bill from the distribution company. The distribution company will then transmit generation charges to the consumer’s chosen competitive supplier."

So, when you switch to another electric company, it's really a partial switch. You might get a single monthly bill or you might get two monthly bills. The legacy utility still has a role to deliver your electricity and maintaining the electric grid. Deregulation hasn't changed who produces electricity. Deregulation only lets consumers select from a larger group of power suppliers.

The two-bill possibility highlights the economics of the electric power industry. It requires a massive amount of money to build (and maintain) a power plant. Even more to build (and maintain) the electric grid: the network of power lines and facilitates that carry and distribute electricity from power plants to your home. No supplier can afford to build a parallel, duplicate structure. So, regulation was used to guide a naturally monopolistic industry to avoid abuses. Maybe you studied this in economics classes during college.

We've seen this economic situation before. Telecommunications. Originally, there was a single supplier (AT&T or "Ma Bell") guided by regulation. Then, the market was deregulated in the 1980s with local service providers and long-distance providers. With that deregulation, competing companies still shared the existing infrastructure of phone lines and local facilities. Economically, it wasn't feasible to build duplicate, parallel structures. With the introduction of wireless services, suppliers began building their own networks. Some got out of the landline business.

All of this raises the question: what benefits have electric deregulation provided consumers? Deregulation seems to have fallen far short on its promises. Advocates promised lower prices from competition. The fact is competition exists only with electric generation. We consumers have gotten slightly lower prices in some instances, and far higher prices in many other instances. Remember, after crunching the numbers we found the savings were minimal; eaten up by monthly and other fees. And, that savings assumed no price spikes at the end of the contract.

So, the Choose Energy site seems like place to start your search. it's mildly helpful but lacking some key features. It would be more helpful it it included a search parameter for plans guaranteeing single, consolidated monthly bills. The site lets you filter or narrow your search results to plans that have or don't have fees. That was mildly helpful, but it seemed too general and inconsistent. For example: I filtered my list for plans to show only plans without fees. The site presented a Just Energy plan where the contract fine print stated it might pass through a Billing Fee from the Utility. What's that? How much? Neither the site nor the contract explained this. I expected more. A "no fees" filter option should mean just that.

And, there's the issue of deposits. Some plans require them. This should be a search parameter, too.

I found that whenever I left my list of plans to read other site pages and returned to my list, I had to re-enter into the calculator our (lower) KWH monthly usage instead of the (higher) default usage amount. A better site experience would:

• Prompt users for their KWH monthly usage and remember those selections,
• Provide searching by fee type (e.g., monthly, cancellation, billing, deposits, etc.),
• Be consistent about "no fees" filtering,
• Provide searching for move terms, and
• Provide searching by contract end terms.

All of this caused me to wonder exactly who Choose Energy is. I browsed the About section of its site. It didn't say much beyond the basics: company values, executive names and photos, press releases, a San Francisco street address, and this corporate description:

"Choose Energy™ is an easy-to-use online marketplace that helps residents and businesses comparison-shop for their ideal energy supplier... that provides a convenient and secure way for consumers to compare rates and plans for energy suppliers in their area – and make the switch all in one place. Plans are curated from only reliable and trusted suppliers and provide renewable options as well as flexible pricing to ensure customers find the plan that best fits their needs. Choose Energy is available in 11 states currently, with additional states coming on-line in 2014.

Typical content. I expected more. The copy was old, too. It's 2015, not 2014. If the site can't update this, then I wonder what else is lacking. The site should explain its process and criteria for curating plans and providers. If it has an explanation, I couldn't find it. A sales person from Direct Energy visited our home, but the Choose Energy site didn't display any Direct Energy plans for my ZIP Code. Why the difference? Which is correct?

The more I looked, the more questions I had. How can people based in California be experts about the Massachusetts energy marketplace? What are the details about its partnerships with energy companies? The Choose Energy site listed its corporate values:

For the executives at Choose Energy, I have this feedback: if you are serious about disrupting the industry, raising the bar, and being transparent, then do it. No half measures. Include the additional search parameters suggested above. Your site page describing Just Energy doesn't mention the company's $4 million payment to settle deceptive marketing allegations. Why not? That seems like pretty important information for consumers to know. Don't hide stuff. Elevate all of the important details from contractual copy. Make it searchable. Explain your curate process. Surface all the nitty-gritty. That's what consumers want. Half measures give the impression that your site is nothing more than a slick industry marketing scheme, and not a reliable, independent information resource for consumers.

Next, I visited the Mass Energy site to learn more. The FAQ page answered many of my questions:

"In Massachusetts, over 80% of our electricity is generated from fossil fuels and nuclear power resources... the remainder comes in the forms of trash-to-energy, large hydro projects, various, unidentified types of power imported from other regions, and other sources that are not environmentally friendly. A state law, the Renewable Portfolio Standard, requires your utility to include just 8% new renewables in 2013, with a 1% increase per year. Your utility is required to send you a quarterly disclosure label which describes in detail the energy sources and emissions resulting from the electricity you use... All New England states share one single network of power lines, called the electric grid. Generators from all over the region feed power into this grid and energy is drawn out on an as-needed basis. Since our electricity is based on a regional mix, the electricity that is actually delivered to your home is determined by which power generators are located closest to you..."

The Mass Energy FAQ page also mentioned something I hadn't read anywhere else:

"Mass Energy is a non-profit organization, and your payments are recognized as being made for the public good. They are considered a tax-deductible charitable contribution for federal income tax purposes, if you itemize on your federal return. If you are enrolled in New England GreenStart, you would be able to deduct 2.4 cents for each kilowatt hour... If you are enrolled in New England Wind, you would be able to deduct 3.8 cents per kilowatt hour... You cannot get this benefit from any other renewable energy supplier in Massachusetts..."

So, while you might pay a little more for energy from renewable sources, there is the tax-deduction benefit to consider. More numbers to crunch. As we searched for an alternative electric company, there was more to consider than we first thought. No way is this an impulse purchase.

Some states offer their residents websites that compile offers from several electric providers into a single place. If you live in Texas, visit Power To Choose. The Choose Energy site covers Massachusetts and several other states: Connecticut, Illinois, Maine, Maryland, Michigan, New Jersey, New York, Pennsylvania, and the District of Columbia. I am sure that there are other sites for other states.

As we researched suppliers, we began to compile a list of criteria about what we wanted from an electric company. Our list was based upon our needs and our values:

1. Foremost, a lower and predictable generation price
2. A contract with the most consumer-friendly terms possible. Ideally, no monthly fee and an auto-renewal process that won't hike its price of electricity.
3. A provider offering energy from "green" or renewable sources. We live in a small condominium, and the other two owners are not interested in installing solar panels or a small wind turbine. Exterior modifications must be agreed upon by all three unit owners.
4. A reputable provider with good customer satisfaction. Does it have few or many complaints? Does it respond quickly to inquiries? Does it honor its contractual commitments? There are several Internet sources consumers can use. I mentioned the BBB above. Besides news reports about Direct Energy, I read the Glass Door site, which features reviews by current and former employees. If a provider can't keep their employees happy and solve staff churn, then they probably won't keep their customers happy either.
5. A provider that doesn't abuse customers' privacy, and is transparent in their policies about customers' data collected, archived, and shared; and lists its business partners.

You'll develop your own list of criteria. You should. You may want the wireless convenience, such as programming your heating/cooling levels with your smartphone. Or you may want your heating/cooling controls integrated with your home security system. Or, you may want a provider that parses your electric usage by appliance consumption. There is a whole new world of choices available.

And, it's easy to verify an electric company's identity. The Massachusetts EEA Department maintains a list of licensed companies. If a company that contacted me (via phone, e-mail, etc.) isn't on this list, I wouldn't do business with them. And I definitely wouldn't share my bill details or any personal information.

Unhappy with your current electric company? Massachusetts residents can submit complaints online at the Department of Public Utilities (DPU) site, or via phone or postal mail.

The bottom line: it is still a roll of the dice. When you switch to another electric company, you are essentially betting that the price in their contract you sign will be lower than the market price, or what you would have paid otherwise. If it is lower, then you've won. If it's higher, then you've lost. Of course, the electric provider is betting against you; that the price you pay them will be higher than what you could have paid otherwise. If the price is lower during your contract, they hope to raise it much higher when your contract ends. After all, a for-profit business has to make its money somehow.

That sounds a lot like how consumers purchase wireless plans for smartphones. You sign a two-year contract making three bets: a) the monthly price you pay will be lower than what you might have paid otherwise; b) your calls, texts, and Internet usage won't exceed any caps so you avoid additional fees; and c) you won't have to terminate early and pay a high cancellation fee.

How well did you do with your wireless plan choice? A lot of consumers chose poorly and experienced huge monthly wireless bills. Now you know what you' face with electric suppliers. Do your homework, shop wisely, and read contracts before signing them.

We're still looking. What sites have you used to research electric suppliers? What criteria did you use when selecting an electric company? Did you switch or stay with your legacy utility? Why?

The New York Times reported on Friday that the U.S. Department of Justice is preparing an announcement that five banks will plead guilt to criminal charges:

"... Barclays, JPMorgan Chase, Citigroup and the Royal Bank of Scotland will collectively pay several billion dollars and plead guilty to criminal antitrust violations for rigging the price of foreign currencies... Most if not all of the pleas are expected to come from the banks’ holding companies... a first for Wall Street giants that until now have had only subsidiaries or their biggest banking units plead guilty."

Last week, a federal court in New York City ruled that the Royal Bank of Scotland (RBS) was liable for mortgage abuses. The fifth bank includes:

"... foreign currency misconduct at UBS. As part of that deal, prosecutors are taking the rare step of tearing up a 2012 nonprosecution agreement with the bank over the manipulation of benchmark interest rates..."

Most of the same banks paid about $4 billion in fines in 2014 for foreign exchange abuses. There is some maneuvering happening:

"... the banks’ lawyers are also seeking assurances from federal regulators — including the Securities and Exchange Commission and the Labor Department — that the banks will not be barred from certain business practices after the guilty pleas, the people said. While the S.E.C.’s five commissioners have not yet voted on the requests for waivers, which would allow the banks to conduct business as usual despite being felons, the people briefed on the matter expected a majority of commissioners to grant them."

Will bank executives go to prison? They should. Felons usually serve jail time and are barred from certain businesses. Rather, only the poor and not-connected-politically felons seem to experience these consequences.

This banking misconduct will continue as long as the money they make exceeds the fines, they can raise fees to easily pay for any fines, the fines and penalties are tax deductible, and the risk of going to jail is low. This must change. It's time for voters to gather your torches and pitchforks.

Criminals have targeted Starbucks gift card and mobile app users. In this fraud, criminals have drained victims' accounts by using the auto-reload featured with Starbucks prepaid gift-card apps linked to consumers' checking, credit-card, or Paypal accounts. Consumer reporter Bob Sullivan first reported about the fraud:

"Maria Nistri, 48, was a victim this week. Criminals stole the Orlando women’s $34.77 in value she had loaded onto her Starbucks app, then another $25 after it was auto-loaded into her card because her balance hit 0. Then, the criminals upped the ante, changing her auto reload amount to $75, and stealing that amount, too. All within 7 minutes."

Other customers have reported fraud this month. The coffee retail chain has had problems before with its mobile app. Starbucks announced in January 2014 a security update to its mobile app after the data of 10 million customers was exposed. Sullivan explained how criminals perpetrate the latest mobile gift-card fraud:

"Because Starbucks isn’t answering specific questions about the fraud, I cannot confirm precisely how it works, but I have informed speculation, based on conversations with an anonymous source who is familiar with the crime. The source said Starbucks was known to be wrestling with the problem earlier this year. Essentially, any criminal who obtains username and password credentials to Starbucks.com can drain a consumer’s stored value, and attack their linked credit card."

So, the fraud suggests that criminals have already stolen large numbers of Starbuck customers' usernames passwords, perhaps by keylogging malware, phishing e-mails, phishing texts, vulnerabilities in the mobile app, brute-force password attacks (since many consumers use the same password at multiple sites), or a combination. Starbucks claims its mobile app has not been hacked and the problem is not widespread.

Some banks have flagged multiple reloads through checking accounts and temporarily closed victims' accounts to stop the theft. Security experts fault Starbucks for not using two-factor authentication for gift-card reloads and for not flagging multiple reloads of consumers' cards within minutes.

Security experts advise consumers:

1. Use strong passwords and don't use these weak passwords.
2. Don't use the same username and password at multiple websites and mobile apps
3. Change your passwords every 90 days

Be very careful about enabling auto-reload features with prepaid cards. Or, disable it. Instructions to disable the auto-reload feature are available at the Starbucks site.

Criminals love prepaid cards because they are a source of cash. You now know the risks for ignoring this advice. The whole situation highlights is a reminder that Apple branded mobile devices can be hacked, too.

The New York Times reported on Monday that a federal court judge:

"... ruled that two banks misled Fannie Mae and Freddie Mac in selling them mortgage bonds that contained numerous errors and misrepresentations... The ruling came in a closely watched case brought by the government against the Japanese bank Nomura Holdings and Royal Bank of Scotland. They were the only two of 18 financial firms that took their case to trial, arguing that it was the housing crash, and not deceptive loan documents, that caused the bonds to collapse."

The cased was decided by Judge Denise L. Cote of Federal District Court in Manhattan and not by a jury:

"... after the government dropped a claim that would have entitled the banks to a jury. After that, legal experts became more pessimistic about the banks’ chances: Judge Cote has a reputation for taking a hard line against the banks. They also expressed surprise that the Nomura and R.B.S. did not settle, though some suspected that as foreign banks, they were less concerned with risking their reputations in the United States. Judge Cote has asked the F.H.F.A. to submit a proposal for damages, which are expected to be about $500 million."

Nomura plans to appeal the decision. The judge's ruling (Adobe PDF) stated:

“This case is complex from almost any angle, but at its core there is a single, simple question. Did defendants accurately describe the home mortgages in the offering documents for the securities they sold that were backed by those mortgages? Following trial, the answer to that question is clear. The offering documents did not correctly describe the mortgage loans. The magnitude of falsity, conservatively measured is enormous. Given the magnitude of the falsity, it is perhaps not surprising that in defending this lawsuit defendants did not opt to prove that the statements in the Offering Documents were truthful. Instead, defendants relied, as they are entitled to do, on a multifaceted attack on plaintiff’s evidence. That attack failed, as did defendants’ sole surviving affirmative defense of loss causation.”

Pause for a moment and let that sink in. The defendant banks' didn't even try prove that their mortgage disclosures were truthful. Instead, they only attacked the evidence presented by the plaintiffs. What does this say? Plenty.

Goldman Sachs and Bank of America settled out of court and paid about $18 billion in penalties. Earlier this year, Bank of America raised prices for its checking account customers by implementing monthly fees.

In August 2014, the Bank of America agreed to a massive settlement with the U.S. Justice Department and several states' attorney generals. The $16.65 billion settlement agreement resolved both federal and state civil investigations into activities by the bank's former and current subsidiaries, including Countrywide Financial Corporation and Merrill Lynch, related to the packaging, marketing, sale, and issuance of residential mortgage-backed securities (RMBS). The bank acquired Merrill Lynch in 2009, and Countrywide in 2008.

In January, the chief executive at JPMorgan bank claimed that banks are under assault from regulators. Really? That's a bunch of malarkey. Stop breaking the law and investigations will stop. Government regulators, and courts, are doing their jobs based upon the facts.

On Thursday, a federal appeals court ruled that the bulk collection of Americans' phone data by the National Security Agency (NSA) violated the USA Patriot Act. The Washington Post reported:

"... a unanimous three-judge panel of the U.S. Court of Appeals for the 2nd Circuit overturned a lower court and determined that the government had stretched the meaning of the statute to enable “sweeping surveillance” of Americans’ data in “staggering” volumes... The NSA’s mass collection of phone records for counterterrorism purposes — launched after the Sept. 11, 2001, terrorist attacks... Under the program, the NSA collects “metadata” — or records of times, dates and durations of all calls — but not call content."

The NSA's massive phone collection program was revealed in June 2013 by former NSA agency contractor Edward Snowden. The U.S. Government argued that the phone records data collection program, underway since at least May 2006, was necessary to identify:

"... terrorism suspects. A series of judges on the secretive Foreign Intelligence Surveillance Court have agreed."

The plaintiffs in the original lawsuit and appellants were the American Civil Liberties Union, American Civil Liberties Union Foundation, New York Civil Liberties Union, and New York Civil Liberties Union Foundation. Named in the appeal lawsuit were James R. Clapper (Director of National Intelligence), Michael S. Rogers (Director of the National Security Agency and Chief of the Central Security Service), Ashton B. Carter (Secretary of Defense), Loretta E. Lynch (Attorney General of the United States), and James B. Comey (Director of the Federal Bureau of Investigation).

The Court opinion stated in part:

"This appeal concerns the legality of the bulk telephone metadata collection program (the “telephone metadata program”), under which the National Security Agency (“NSA”) collects in bulk “on an ongoing daily basis” the metadata associated with telephone calls made by and to Americans, and aggregates those metadata into a repository or data bank that can later be queried. Appellants challenge the program on statutory and constitutional grounds. Because we find that the program exceeds the scope of what Congress has authorized, we vacate the decision below dismissing the complaint without reaching appellants’ constitutional arguments.."

Telephone metadata does not include what people said during a phone call. Metadata includes only the date, time, call duration (in minutes), caller's phone number, and recipient's phone number. With smartphones, the metadata may also include the caller's geo-location, the recipient's geo-location, and a phone identifier. The Court opinion also stated:

"The district court held that § 215 of the PATRIOT Act impliedly precludes judicial review; that plaintiffs/appellants’ statutory claims regarding the scope of § 215 would in any event fail on the merits; and that § 215 does not violate the Fourth or First Amendments to the United States Constitution. We disagree in part, and hold that § 215 and the statutory scheme to which it relates do not preclude judicial review, and that the bulk telephone metadata program is not authorized by § 215."

The Court decision summarized some important history Americans should know:

"In the early 1970s, in a climate not altogether unlike today’s, the intelligence‐gathering and surveillance activities of the NSA, the FBI, and the CIA came under public scrutiny. The Supreme Court struck down certain warrantless surveillance procedures that the government had argued were lawful as an exercise of the President’s power to protect national security, remarking on “the inherent vagueness of the domestic security concept [and] the necessarily broad and continuing nature of intelligence gathering.” United States v. U.S. Dist. Court for the E. Dist. of Mich. (Keith), 407 U.S. 297, 320 (1972). In response to that decision and to allegations that those agencies were abusing their power in order to spy on Americans, the Senate established the Select Committee to Study Governmental Operations with Respect to Intelligence Activities (the “Church Committee”) to investigate whether the intelligence agencies had engaged in unlawful behavior and whether legislation was necessary to govern their activities. The Church Committee expressed concerns that the privacy rights of U.S. citizens had been violated by activities that had been conducted under the rubric of foreign intelligence collection. The findings of the Church Committee, along with the Supreme Court’s decision in Keith and the allegations of abuse by the intelligence agencies, prompted Congress in 1978 to enact comprehensive legislation aimed at curtailing abuses and delineating the procedures to be employed in conducting surveillance in foreign intelligence investigations. That legislation, the Foreign Intelligence Surveillance Act of 1978 (“FISA”)... established a special court, the Foreign Intelligence Surveillance Court (“FISC”), to review the government’s applications for orders permitting electronic surveillance... Unlike ordinary Article III courts, the FISC conducts its usually ex parte proceedings in secret; its decisions are not, in the ordinary course, disseminated publicly..."

To balance the competing needs of citizens' privacy and intelligence gathering:

"... Congress has amended FISA, most significantly, after the terrorist attacks of September 11, 2001, in the PATRIOT Act. See USA PATRIOT ACT of 2001, Pub. L. No. 107‐56, 115 Stat. 272 (2001). The government argues that § 215 of that Act authorizes the telephone metadata program..."

The Court added:

"We are faced today with a controversy similar to that which led to the Keith decision and the enactment of FISA. We must confront the question whether a surveillance program that the government has put in place to protect national security is lawful. That program involves the bulk collection by the government of telephone metadata created by telephone companies in the normal course of their business... "

The court recognized that while law enforcement has historically used metadata, new technologies have changed things:

"We recognize that metadata exist in more traditional formats, too, and that law enforcement and others have always been able to utilize metadata for investigative purposes. For example, just as telephone metadata may reveal the charitable organizations that an individual supports, observation of the outside of an envelope sent at the end of the year through the United States Postal Service to such an organization might well permit similar inferences, without requiring an examination of the envelope’s contents. But the structured format of telephone and other technology‐related metadata, and the vast new technological capacity for large‐scale and automated review and analysis, distinguish the type of metadata at issue here from more traditional forms. The more metadata the government collects and analyzes, furthermore, the greater the capacity for such metadata to reveal ever more private and previously unascertainable information about individuals... in today’s technologically based world, it is virtually impossible for an ordinary citizen to avoid creating metadata about himself..."

The Court opinion discussed secrecy and the Administrative Procedure Act (APA):

"The government has pointed to no affirmative evidence, whether “clear and convincing” or “fairly discernible,” that suggests that Congress intended to preclude judicial review. Indeed, the government’s argument from secrecy suggests that Congress did not contemplate a situation in which targets of § 215 orders would become aware of those orders... That Congress may not have anticipated that individuals... would become aware of the orders, and thus be in a position to seek judicial review, is not evidence that Congress affirmatively decided to revoke the right to judicial review otherwise provided by the APA... The government’s argument also ignores the fact that, in certain (albeit limited) instances, the statute does indeed contemplate disclosure. If a judge finds that “there is no reason to believe that disclosure may endanger the national security of the United States, interfere with a criminal, counterterrorism, or counterintelligence investigation, interfere with diplomatic relations, or endanger the life or physical safety of any person,” he may grant a petition to modify or set aside a nondisclosure order... Such a petition could presumably only be brought by a § 215 order recipient, because only the recipient, not the target, would know of the order before such disclosure. But this provision indicates that Congress did not expect that all § 215 orders would remain secret indefinitely..."

Download the U.S. Court of Appeals decision (Docket No. 14‐42‐cv, Adobe PDF). A copy is also available here.

In April, the U.S. Federal Communications Commission (FCC) announced that AT&T Services, the telephone giant, will pay $25 million to settle consumer privacy violations at the company's call centers in Mexico, Colombia, and the Philippines. The FCC announcement described how the insider breach happened:

"The data breaches involved the unauthorized disclosure of almost 280,000 U.S. customers’ names, full or partial Social Security numbers, and unauthorized access to protected account-related data, known as customer proprietary network information (CPNI)... According to an investigation by the FCC’s Enforcement Bureau, these data breaches occurred when employees at call centers used by AT&T in Mexico, Colombia, and the Philippines accessed customer records without authorization. These employees accessed CPNI while obtaining other personal information that was used to request handset unlock codes for AT&T mobile phones, and then provided that information to unauthorized third parties who appear to have been trafficking in stolen cell phones..."

The data breach in the Mexico call center lasted 168 days and began between November 2013 and April 2014. The FCC Enforcement Bureau began its investigation in May 2014:

"... three call center employees were paid by third parties to obtain customer information — specifically, names and at least the last four digits of customers’ Social Security numbers — that could then be used to submit online requests for cellular handset unlock codes. The three call center employees accessed more than 68,000 accounts without customer authorization, which they then provided to third parties who used that information to submit 290,803 handset unlock requests through AT&T’s online customer unlock request portal."

Also:

"... approximately 40 employees at the Colombian and Philippine facilities had also accessed customer names, telephone numbers, and at least the last four digits of customer Social Security numbers to obtain unlock codes for AT&T mobile phones. Approximately 211,000 customer accounts were accessed..."

The FCC announcement stated that AT&T's failure to reasonably secure customers’ personal information violated a carrier’s duty under Section 222 of the Communications Act. The breach also constituted an unjust and unreasonable practice in violation of Section 201 of the Act. Terms of the settlement agreement require AT&T to:

1. Pay a $25 million civil penalty,
2. Notify all customers whose accounts were accessed,
3. Provide credit monitoring services to all consumers affected,
4. Improve its privacy and data security practices: appoint a senior compliance manager, implement an information security program
5. Conduct a privacy risk assessment,
6. Prepare an appropriate compliance manual, and
7. Regularly train employees on the company’s privacy policies and the applicable privacy legal

AT&T is also required to provide regular compliance reports to the FCC. FCC Chairman Tom Wheeler said about the breach:

“As the nation's expert agency on communications networks, the Commission cannot — and will not — stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud... the Commission will exercise its full authority against companies that fail to safeguard the personal information of their customers.”

According to its website, AT&T has more than 120 million wireless customers, 12.2 million U-verse high-speed Internet customers, and 3.5 million business customers. Total company revenues were $128.8 billion in 2013. Total workforces in 2014 was 243,620 employees. Download the AT&T Consent Decree with the FCC (Adobe PDF).

The breach announcement and settlement highlight the extent to which consumers' sensitive personal information is transmitted around the world, and the vulnerability of that information at offshore facilities. When companies move jobs to other countries, that often requires the transmission of consumer information to facilities in those countries.

Also, the breach emphasizes the fact that criminals have done their homework. They have identified both the corporations that are high-value targets with large amounts of consumer information, and the offshore locations. I applaud the FCC's actions and expect to hear more.

[Editor's note: in the interest of full disclosure, I am an AT&T mobile customer. I also received a breach notice from the company. I will share more about that in an upcoming blog post.]

Everyone knows that their activity is tracked online at websites and via mobile apps. Are consumers tracked in physical brick-and-mortar retail stores? The consent agreement between Nomi Technologies and the U.S. Federal Trade Commission (FTC) sheds some light on the tracking and data collection that occurs in physical retail stores.

The FTC Complaint (Adobe PDF) described how Nomi Technologies operates:

"Nomi uses mobile device tracking technology to provide analytics services to brick and mortar retailers through its “Listen” service. Nomi has been collecting information from consumers’ mobile devices to provide the Listen service since January 2013. Nomi places sensors in its clients’ retail locations that detect the media access control (“MAC”) address broadcast by a mobile device when it searches for WiFi networks. A MAC address is a 12-digit identifier that is unique to a particular device..."

So, when consumers use a retail store's WiFi hotspot, Nomi's Listen technology collects the device's signal strength, device manufacturer, date, time, and the device's geo-location data. Combined together, these data elements describe and track each consumer's movement through the physical store. The complaint also described the data collection:

"Nomi cryptographically hashes the MAC addresses it observes prior to storing them on its servers. Hashing obfuscates the MAC address, but the result is still a persistent unique identifier for that mobile device. Each time a MAC address is run through the same hash function, the resulting identifier will be the same... As a result, while Nomi does not store the MAC address, it does store a persistent unique identifier for each mobile device. Nomi collected information about approximately nine million unique mobile devices between January 2013 and September 2013."

The FTC focused upon the consumer notice, opt-out, and data retention issues:

"Nomi does not require its clients to post disclosures or otherwise notify consumers that they use the Listen service. Through October 22, 2013, most, if not all, of Nomi’s clients did not post any disclosure, or otherwise notify consumers, regarding their use of the Listen service. Nomi provided, and continues to provide, an opt out on its website for consumers who do not want Nomi to store observations of their mobile device. Once a consumer has entered the MAC address of their device into Nomi’s website opt out, Nomi adds it to a blacklist of MAC addresses for which information will not be stored. Nomi did not make an opt out available through any other means, including at any of its clients’ retail locations."

The Complaint explained further the opt-out problems for consumers that don't want to be tracked:

"In order to opt out of the Listen service on Nomi’s website, consumers were required to provide Nomi with all of their mobile devices’ MAC addresses, without knowing whether they would ever shop at a retail location using the Listen service. Consumers who did not opt out on Nomi’s website and instead wanted to make the opt out decision at retail locations were unable to do so, despite the explicit promise in Nomi’s privacy policies. Consumers were not provided any means to opt out at retail locations and were unaware that the service was even being used."

The FTC news release described the terms of the consent agreement, which focused upon the notice, opt-out access and data collection issues:

"... Nomi will be prohibited from misrepresenting consumers’ options for controlling whether information is collected, used, disclosed or shared about them or their computers or other devices, as well as the extent to which consumers will be notified about information practices... The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through May 25, 2015, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit comments electronically."

Who is Nomi? According to the company website, it's management team includes:

• President and CEO; Steve Jeffrey
• Founder and Chief Strategy Officer: Amir Hudda
• Founder and Chief Marketing Officer; Marc Ferrentino
• Chief Technology Officer: Ralph Crabtree
• SVP Global Retail Big Box And Grocery: Steve Hornyak

Another problem I see: you don't need to enter a brick-and-mortar retail store to be tracked. Maybe you are dining outside, waiting for a ride pickup, smoking a cigarette, or waiting for a shopper inside. Connect to the retailer's WiFi hotspot and you'll likely be tracked. We know this from the analytical reports Nomi produces for its retail clients. The FTC Complaint described five types of analytical reports:

"A. the percentage of consumers merely passing by the store versus entering the store; B. the average duration of consumers’ visits; C. types of mobile devices used by consumers visiting a location; D. the percentage of repeat customer s within a given time period; and E. the number of customers that have also visited another location within the client’s chain."

What are consumers to make of this? I see five things:

1. Your smartphone is a blabbermouth. So are your tablet and laptop. Know how to turn off the geo-location tracking features in your phone.
2. Decades ago, a prominent economist warned, "there's no such thing as a free lunch." That advice still applies today, and especially with "free" WiFi hotspots.
3. Just like government spy agencies, retailers and technology companies will conduct surveillance on consumers without notice. (Learn about the five ways retail stores spy on shoppers.) Retailers know that at least half of adult shoppers use their phones while in their stores. Demand to see the retailer's brick-and-mortar notices and an opt-out from any tracking. Shop elsewhere if you don't like the responses you receive. Tell your elected officials that legislation is needed to ensure notice at brick-and-mortar stores.
4. I wonder what the twisted logic is for retail executives to decide to spy on its customers and not provide any notice nor opt-out mechanisms. It raises ethical questions. What else are they hiding? What other activities in their business processes abuse consumers?
5. I also wonder about children's online privacy or COPPA. Why? First, 24 percent of teens are online constantly and 92 percent go online daily. So, it seems safe to assume similar usage statistics for children younger than 13. Second, many large supermarket chains provide dining areas for shoppers to eat prepared foods. At the large stores near me, these dining areas are popular hangout spots for students after school lets out.

In my view, there is enough blame to go around. There's enough blame for both retailers and technology firms that choose to spy in these shady and ethically-questionable manners. Companies and retailers already notify online visitors, typically with Terms of Use and Privacy policies at websites. Similar notices should be provided offline to brick-and-mortar shoppers.

Which retail store chains use Nomi's services? Which retail stores decided to treat their customers (and prospective customers) in such a poor fashion? Nomi isn't saying:

"Nomi collected information about approximately nine million unique mobile devices between January 2013 and September 2013... Through October 22, 2013, Nomi’s Listen service had approximately 45 clients. Some of these clients deployed the service in multiple locations within their chains. Nomi has not published, or otherwise made available to consumers, a list of the retailers that use or used the Listen service."

Hornyak's title provides a clue. A good bet is that retail stores or grocery chains that terminated their loyalty-card programs probably use Nomi's Listen (or a competitor's equivalent) service. That way, the retailer can track everyone: customers who would have joined their loyalty program, customers who wouldn't have joined the loyalty program, and prospective customers. The cost savings from the terminated loyalty-card program are probably used to pay Nomi's fees.

What are your opinions of the tracking and data collection? Of the consent agreement? If you submitted comments to the FTC, please share below. Do you know of any retail stores that terminated their loyalty card program?

While the country focuses on the U.S. Supreme Court as it considers arguments about whether the U.S. Constitution contains rights for gay and lesbian adults to enter into marriage contracts, there is another case before the Court that is arguably of equal, if not more, importance.

The current case is Spokeo v. Robins, U.S. Supreme Court, No. 13-1339. The U.S. Chamber of Commerce, Facebook, and Google have filed friend-of-the-court briefs to support Spokeo.com's position. Maybe you've heard about Spokeo.com, the people-finder website, or have even used it. This blog first reported about Spokeo.com back in 2010.

This is a Court case you'll want to follow. Why? Basically, the lawsuit is about who controls consumers' personal property: specifically, the profile information about consumers in various databases compiled by data brokers. Do individual consumers each control their profile data, or do the data brokers? You might say, the case is about whether we want accurate "bigdata" or not.

The plaintiff, Thomas Robbins a Virginia resident, originally filed a lawsuit in 2010 in California alleging the data collected and sold about him by Spokeo.com was incorrect, prevented him from finding a job, and as a result violated the Fair Credit Reporting Act (FCRA). The FCRA requires that consumers receive notice about their profile information and have the rights to view and correct their information collected by credit reporting agencies. Also, consumers have the right to lock down or prevent their credit reports from being sold by the three major credit reporting agencies: Experian, TransUnion, and Equifaz. Of course, in this case Spokeo.com claimed that it is not a credit reporting agency.

Robbins' suit was dismissed in 2011 by a lower court for lack of standing; that he hadn't proved harm. An Appeals Court reversed the lower court's decision in 2014. The U.S. Supreme Court will hear the case, and its decision will hopefully settle the matter.

University of Washington School of Law professor Anita Ramasastry analyzed the case:

"Spokeo attempts to immunize itself from FCRA violations by stating that it is not providing data for use in credit reporting. But as a recent lawsuit illustrates, Spokeo’s data is being used for such purposes, because the company may not have sufficient safety precautions... Robins’s lawsuit is not the first time that Spokeo has gotten into hot water. While it claims to be a site selling personal data for other uses (e.g., cultivating new clients, finding old friends, and evaluating prospects for business deals) it is skating on thin ice, as its data is also useful to landlords, employers, and even lenders, who may subscribe to the service as a way of doing additional background checks on people. These new types of data brokers are either unregulated, or claim that certain laws do not apply to them..."

Spokeo paid $800,000 in 2012 to settle charges by the U.S. Federal Trade Commission (FTC) that it allegedly violated the Fair Credit Reporting Act by operating as a credit reporting agency and by marketing consumers' profiles to companies in several industries without implementing methods to protect consumers as required by the FCRA. The complaint (Adobe PDF) filed by the FTC, in June 2012 in the Central District Court in California, read in part:

"Spokeo assembles consumer information from 'hundreds of online and offline sources,' such as social networking sites, data brokers, and other sources to create consumer... In its marketing and advertising, [Spokeo] has promoted the use of its profiles as a factor in deciding whether to interview a job candidate or whether to hire a candidate after a job interview. Spokeo purchased thousands of online advertising keywords including terms targeting employment background checks, applicant screening, and recruiting. Spokeo ran online advertisements with taglines to attract recruiters and encourage HR professionals to use Spokeo to obtain information about job candidates' online activities. Spokeo has affirmatively targeted companies operating in the human resources, background screening, and recruiting industries... Spokeo profiles are consumer reports because they bear on a consumer's character, general reputation, personal characteristics, or mode of living and/or other attributes listed in section 603( d), and are "used or expected to be used... in whole or in part" as a factor in determining the consumer's eligibility for employment or other purposes specified in section 604."

A 2012 survey found that most consumers are unaware about how data brokers operate. In her analysis, professor Ramasastry explained:

"[Spokeo] obtains information from dozens of sources including public records, marketing surveys, online maps, and social networks, the company says on its website. What is unclear from the company’s site is how it merges and melds data together to create a unique profile—so that data that may not be yours, or data that has an error in it, will not get wrongly compiled into your unique individual profile. In one of its blog posts, the company tells the public that “Spokeo is not a private investigator, but an information aggregator. This means that our machines do not have the human intelligence to decide which information is right, and which is wrong." This may be its assertion, but many people rely on Spokeo to serve as a sort of online detective and make decisions based on what they find in its records. Spokeo says in its Terms of Use that using the site to determine eligibility for employment, credit or other use under the FCRA is “explicitly prohibited.” "

Plus, consumers must pay to view their full profile at Spokeo.com. Professor Ramasastry concluded that the lawsuit (bold emphasis added):

"... illustrates the gray zone in which Spokeo has been operating. It is collecting data that is not traditionally the type of data that has been used for credit-reporting purposes. Employers, banks, insurers, and landlords have typically relied on financial history: how much debt a person has, whether he or she has paid their bills on time, whether he or she has a criminal record, etc. But Spokeo and other companies are compiling even more robust data sets, with new types of profiles that creditors and others will also find useful when making decisions, so Spokeo has a product that creditors want... And the underlying issue is this: when the information is used for a major life decision, such as whether someone might be hired or not, the person affected has no recourse, or ability to correct the errors."

It's not just Spokeo.com. Other data brokers operate in the same "gray zone." One example is the mugshot industry, where its data seems similarly error-filled. Mugshots from arrest records published don't seem to be updated based upon the results of court cases when charges are dropped or when defendants are found not guilty by a court. And, there are some print mugshot publications. Plus, the mugshot industry operates in an ethically questionable manner when it charges consumers with large take-down fees to have their mugshots removed (only to reappear in another site).

What can consumers conclude about all of this? Four things:

1. The data compiled by many data brokers has errors, whether they admit it or not. Consumers don't know how accurate (or inaccurate) the data compilation processes are. This can affect you. That data brokers' databases have errors should not be a surprise since errors by credit reporting agencies are well documented. the two perform similar functions.
2. What consumers share online in social networking sites can affect whether or not you get a job, or even get an interview. In the rush to make money and create new revenue streams, social networking sites will sell your information to data brokers, and your profile data will find its way into sites like Spokeo.com.
3. What gets decided in this case probably will have ripple impacts upon the whole Internet of things (ioT) industry, as the Internet-connected devices installed in "smart homes" collect even more information about consumers' habits, movements, purchases, utilities, and product usage.
4. There are rarely-discussed ethical issues. Is it right for data brokers to sell information about consumers they know isn't correct, and pretend that it is? Is it right for data brokers to charge consumers a fee to see their own profile data? After all, without consumers data brokers like Spokeo wouldn't have anything to sell. Is it right for creditors and employers to sue data brokers' sites with incorrect information?

My opinion: if it walks like a duck, quacks like a duck, and smells like a duck, then it probably is a duck. Spokeo claims it's not a credit reporting agency, but it surely operates like one. The FTC case highlighted the company's operations with procedures that may not prevent creditors from performing FCRA applications. Think of it this way: to find somebody online, you can simply search Facebook, one of the major search engines, or a white-page telephone site. So, the data compiled by Spokeo seems intended for more advanced purposes beyond finding people. Spokeo can't and shouldn't have it both ways: enjoy the benefits and revenues without complying with the FCRA requirements.

At some point, one has to hold companies accountable for selling error-filled information. If not, then you have chaos. What are your opinions?

Business leaders and economists like to promote the idea of a free marketplace, where there is plenty of competition and consumers get more benefits, such as lower prices and more choice. So, are consumers getting a good deal? The facts suggest not.

On Monday, April 27, former U.S. Labor Secretary and professor Robert Reich posted the following:

"We’re paying more and getting less because giant companies face less and less competition. For example:

1. U.S. airlines have consolidated into a handful of giant carriers that divide up routes and collude on fares. In 2005 the U.S. had nine major airlines. Now we have just four.

2. 80% of Americans are served by just one Internet Service Provider – usually Comcast, AT&T, or Time-Warner.

3. The biggest banks have become far bigger. In 1990, the five biggest held just 10% of all banking assets. Now the biggest five hold almost 45%.

4. Monsanto owns the key genetic traits in more than 90% of the soybeans and 80% of the corn planted by U.S. farmers.

5. Giant health insurers are larger; the giant hospital chains, far bigger; the most powerful digital platforms (Amazon, Facebook, Google), gigantic.

Whatever happened to antitrust enforcement?"

There are more examples. Here in the Northeast, EverSource, a publicly-traded utility holding company, provides residential energy services in Connecticut, Massachusetts, and New Hampshire. EverSource was created when Northeast Utilities merged with NSTAR Electric & Gas. Northeast Utilities included Connecticut Light & Power, Public Service of New Hampshire, Western Massachusetts Electric, and Yankee Gas. Earlier this year, electricity rates in Boston rose from 29 percent higher to 63 percent higher in February than the national average.

What are your opinions? What consolidation examples come to mind? Are we consumers getting a good deal, or are we getting screwed?