Previous month:
July 2015
Next month:
September 2015

15 posts from August 2015

Leaked Documents From The Ashley Madison Data Breach Highlight The Company's Technology Vendors

The fallout continues from the data breach at infidelity website Ashley Madison. Besides several class-action lawsuits filed against Ashley Madison, Forbes magazine reported that stolen documents highlight the company's information technology (I.T.) vendor relationships:

"In response to challenges of the data’s authenticity, Impact Team began a second series of dumps, including what appears to be essentially all corporate records, including source code, internal business documents and corporate emails of Avid Life Media/Ashley Madison... Within those hundreds of thousands of documents is one entitled Areas of Concern – Customer Data (abbreviated in this article, AoC)... The needle in the treasure trove haystack of corporate data... In the AoC, the IT business practices of Avid/Ashley Madison began to emerge, including its relationships with third party vendors. New Relic is mentioned as one of three third party IT vendors to Avid. Also mentioned in that document as vendors are OnX (publicly reported as being an Ashley Madison vendor) and Redis/Memcached (alternative open source caching tools)... The AoC identifies New Relic as being a customer data “concern” (worry), by mentioning that it could employ “a hacker/bad actor” who could gain access to customer data. There was nothing in the AoC to indicate any reason to call out New Relic as a third party vendor presenting particular customer data security risks."

Assuming the leaked documents are accurate, one reason why this is important:

"The existence of third party IT vendors may be of interest to the increasing numbers of plaintiffs suing Avid and Ashley Madison. These plaintiffs have, to date, apparently not named these vendors as defendants."

Noel Biderman, the chief executive at Avid Life Media, Ashley Madison's parent company, resigned last week. The Wired article highlighted another reason:

"... the Missouri suit states that its anonymous plaintiff paid a $19 fee to have Ashley Madison delete her personal information from its servers but failed to deliver on that service."


Study: American Adults Are Always Connected And Dependent Upon Their Mobile Devices

Bank of America logo Recently, Bank of America released the results of its second annual Trends in Mobility study.The report explored how several generations of adults -- millennials, Generation X, baby boomers, and seniors -- use their mobile devices, including banking. Key findings:

  • About three-quarters (71 percent) of respondents sleep with–or next to–their mobile phones. Younger millennials (ages 18-24) are most likely to sleep with their smartphone on the bed (34%)
  • The first thing people reach for when they wake up is their mobile device (35 percent) compared to coffee (17 percent), their toothbrush (13 percent), and their spouse (10 percent)
  • Similarly, at the end of the day almost one-quarter (23 percent) of survey respondents fall asleep with their smartphone in their hand. 44 percent of  younger millennials (ages 18-24) fall asleep with their devices
  • Throughout the day, 54 percent of younger millennials (and 36 percent of all survey respondents) constantly check and use their mobile devices. 36 percent of younger millennials and 21 percent of all survey respondents check their devices once per hour
  • Almost four in 10 (38 percent) of consumers say they never disconnect from their mobile phones. Only 7 percent unplug during vacation
  • Almost half (44 percent) of survey respondents said they couldn’t last a day without their mobile devices. Younger people are more dependent. 41 percent of older millennials (ages 25-34) and 37 percent of Generation X (ages 35-49) said they couldn't last a day without their devices
  • 46 percent of survey respondents said ages 13 - 15 is the best age for parents to buy smartphones for their children. 19 percent said ages 16 - 18. 14 percent said the best age is when children can buy their own phones
  • The constant online usage extends to online banking

Bank of America Trends in Consumer Mobility study

Mobile seems to be replacing visits to physical bank branches. 83 percent of respondents have visited a physical bank branch during the past 6 months. While half (51 percent) of all survey respondents use either mobile or online as their primary banking method, only 23 percent of respondents and 6 percent of younger millennials use physical bank branches for most transactions. That has implications for low-paid tellers and branch employees.

Earlier this year, Bank of America raised prices for its checking account customers. Last year, the bank paid $16.65 billion to settle investigations by the U.S. Justice Department (DOJ) and several states' attorney generals into the bank's former and current subsidiaries, including Countrywide Financial Corporation and Merrill Lynch, related to the packaging, marketing, sale, and issuance of residential mortgage-backed securities (RMBS).

The results align with other studies. The Pew Research Center studied mobile etiquette, and found that while 92 percent of American adults have cellphones, 31 percent never turn off their devices and 45 percent rarely turn off their devices. About etiquette, Pew found:

  • 77 percent of survey respondents thought it okay to use phones while walking down the street
  • 75 percent thought it okay to use phones on public transportation (e.g., buses, subways, commuter trains)
  • 38 percent thought it okay to use phones in restaurants
  • 5 percent thought it okay to use phones during meetings
  • 89 percent used their phone during their most recent social gathering

The survey by Pew included 3,217 adults in the U.S. from May 30 to June 30, 2014. Pew also found:

"As a general proposition, Americans view cell phones as distracting and annoying when used in social settings — but at the same time, many use their own devices during group encounters... 82% of adults say that when people use their phones in these settings it frequently or occasionally hurts the conversation. Meanwhile, 33% say that cell phone use in these situations frequently or occasionally contributes to the conversation and atmosphere of the group. Women are more likely than men to feel cell use at social gatherings hurts the group... those over age 50 (45%) are more likely than younger cell owners (29%) to feel that cellphone use frequently hurts group conversations... Young adults have higher tolerance for cellphone use in public and in social settings; they also are more likely to have used their phone during a recent social gathering..."

Why people use their mobile devices during social gatherings:

  • 45 percent: post a photo or video of the social gathering
  • 41 percent: to share something that happened in the group
  • 38 percent: get information that might be of interest to the group
  • 31 percent: connect with others the group knows
  • 16 percent: no longer interested in the group's activity
  • 10 percent: to avoid participating in the group's activity

The survey results are great news for banks, telecommunications companies, mobile device manufacturers, app developers, and data brokers that want to collect location data and serve location-based advertisements.

The Bank of America survey, conducted by Braun Research, Inc. from April 13 - 26, 2015, included 1,000 U.S. adults ages 18 or older. Download the 2015 Trends in Consumer Mobility report (Adobe PDF) by Bank of America.


Silent Phone Calls Indicate The Start Of Identity Theft And Fraud

At some point we all have received these "silent" phone calls. After answering the call, there's nobody on the line. The call is silent and then we hang up. The problem is over, right?

Security experts reported that these "silent" phone calls can be the start of identity theft and fraud. An NPR report explained the identity theft and fraud process.

Step one includes an Internet-based robocall (e.g., an automated phone call using computers) from anywhere in the world -- usually offshore -- by scammers to verify your 10-digit phone number. With the multitude of corporate data breaches, the criminals may have acquired your name and phone number from hackers. Step two is another robocall pretending to be your bank, computer company, collection agency, or tax agency to trick you into revealing sensitive personal information (e.g., e-mail, address, age, bank name, bank account numbers, card numbers, etc.) over the phone.

NPR reported:

"... these robocalls are on the rise because Internet-powered phones make it cheap and easy for scammers to make illegal calls from anywhere in the world... researchers estimate 1 in every 2,200 calls is a fraud attempt."

Experts advise consumers not to disclose any personal information over the phone. Verify the caller first. Demand their name, company name, e-mail, phone number, website address, and how they acquired your phone number. (Most phone scammers will refuse or make excuses.) If the do provide contact information, check to see if matches the contact information you can verify independently (e.g., the phone numbers on the back of your bank card). If it doesn't match, then the caller is probably a scammer.

I always tell callers two things: a) I don't give out personal information over the phone, and b) I need to verify the caller first. If the caller provides a website address, I will check it during the phone call. If the site doesn't exist or looks crappy, that's a huge clue the caller is probably a scammer.

When you disclose personal information over the phone, the criminals' proceed with step three of the identity theft and fraud process. They will contact your bank or credit card company pretending to be you to takeover your account by changing the address on your account. How? The scammers will use the personal information you provided.

What should consumers do when you receive these robocalls? Experts advise that you simply hang up. Don't ask to be taken off their phone lists. Don't access their voicemail system to be removed from their calls. All that does it help the scammers verify your existence.

Parents: now you know what to teach your children about phone calls, privacy, and safety.


Payment Scam Dupes Airbnb Customer. Was There A Data Breach?

Airbnb logo Readers of this blog are aware of the various versions of check scams criminal use to trick consumers. A new scam has emerged with social travel sites.

After paying for a valid stay, an Airbnb customer was tricked by criminals using an wire transfer scam. The Telegraph UK described how an Airbnb customer was tricked. After paying for for their valid rental with a valid credit card, the guest:

"... received an email from Airbnb saying that the card payment had been declined and I needed to arrange an international bank transfer within the next 24 hours to secure the apartment. Stupidly, I did as asked. I transferred the money straight away to someone I assumed was the host as they had all the details of my reservation."

Formed in 2008, Airbnb now operates in 34,000 cities in 190 countries.

After checking with their bank, the guest determined that the credit card payment had been processed correctly. So, the guest paid twice, with the second payment to the criminal. The guest believes that Airbnb experienced a data breach. According to one security expert:

"The fraud works by sending an email to a host that appears to come from Airbnb asking them to verify their account details. The host foolishly responds thus giving the fraudster access to their account and all the bookings correspondence. Even though the addresses are anonymised the fraudster can still send emails to the customers via Airbnb to try to extract a second payment by bank transfer."

What can consumers make of this? First, hosts should learn to recognize phishing e-mails. Don't respond to them. Second, guests need to remember that inattentive hosts can compromise their identity information. Third, guests should never make payments outside of Airbnb's system.

Criminals are creative, persistent, and knowledgeable. Consumers need to be, too. Read the Scams/Threats section of this blog.


Can You Legally Shoot Down a Drone Hovering Over Your Property?

Image of a drone or unmanned aircraft During the coming months and years, this is a question more and more people will ask: can citizens shoot down a drone hovering over your property? Many drones are outfitted with surveillance cameras. One person outfitted a drone with a handgun (video). Some hobbyists outfitted their drones with paintball handguns. Newsweek explored the problem:

"A New Jersey resident who shot down a neighbor’s drone was arrested and charged with possession of a weapon for an unlawful purpose and criminal mischief. After a Californian shot down a neighbor’s drone thinking “it was a CIA surveillance device, ”the drone’s owner won a suit in a small claims court that found the man “acted unreasonably... regardless of whether it was over his property or not." "

Last month, a Kentucky homeowner was arrested after shooting down a camera-equipped drone that hovered directly over his property while his teenage daughter sunbathed in the back yard. You might think that the case should have favored the homeowner, but it didn't. Why? Keep reading.

The legality of shooting down a drone depends upon whether or not it is threatening. The Newsweek article explored the legal issues:

"... unlike pedestrian trespass, your options for removing drones from your property are limited. More troubling is this: How do you know when a drone is truly threatening? As Michael Froomkin, a professor at the University of Miami School of Law, writes, neither the law nor technology has developed far enough to clarify what constitutes a threat and what measure of self-help is appropriate."

So, there is ambiguity about what constitutes a threat and what a reasonable response is. Our laws both lag behind the rapidly advancing technology and inconsistency treat crime versus privacy:

"Ryan Calo, a professor at the University of Washington School of Law, writes, “[T]he lack of a coherent mental model of privacy harm helps account for the lag between the advancement of technology and privacy law.” But not so in criminal law, where tough-on-crime mania routinely drives quick application of broadly phrased statutes to new contexts."

Reportedly, the Federal Aviation Administration (FAA) has responsibility for all civil airspace (e.g., non military) above cities and towns. Based upon the 2012 FAA Modernization and Reform Act, there are different rules for government, non-government, and recreational operators of Unmanned Aircraft Systems (UAS), commonly referred to as drones. The FAA rules for recreational or hobby drone usage:

"Fly below 400 feet and remain clear of surrounding obstacles; Keep the aircraft within visual line of sight at all times; Remain well clear of and do not interfere with manned aircraft operations; Don't fly within 5 miles of an airport unless you contact the airport and control tower before flying; Don't fly near people or stadiums; Don't fly an aircraft that weighs more than 55 lbs; Don't be careless or reckless with your unmanned aircraft – you could be fined for endangering people or other aircraft"

How close is "near" -- 3 feet, 30 feet, 30 yards? That seems vague. Nor do the rules mention privacy, so i guess it is legal to film anyone without consent. And, I guess you can modify your recreational drone with any attachment, as long as you stay under the 55-pound limit.

Some people have used drones to record natural sights, such as a volcano and lava river, that would be too dangerous to record otherwise. Some local governments have used drones to inspect building rooftops after snowstorms for damage or collapse risks. Other local governments want to use camera-equipped drones to inspect structures, such as bridges, that otherwise would be costly or inaccessible. Both make sense.

There already are film festivals for drone operators. The New York City Drone Film Festival debuted in March, and the Flying Robot International Film Festival is scheduled for November 19. Some consumers have already used drones to record landmarks such as the Golden Gate Bridge near San Francisco. Predictably, one recreational drone crashed into the bridge's roadway. While it didn't cause a traffic accident, the risk is there. I'd hate to think that legislators waited until a catastrophe before taking action.

Does this bother you? I hope so. Contact your elected officials and demand updated, effective drone laws that protect both your safety and privacy.

What are your opinions?


History: Mississippi Sovereignty Commission Spied On Citizens And Civil Rights Activists

Mississippi State flag It was arguably the largest government spy program on U.S. citizens prior to September 11, 2001. And, you probably have not heard about it.

The documentary "Spies of Mississippi" describes the structure, goals, and activities of the Mississippi State Sovereignty Commission (MSSC) when it spied during the 1950s and 1960s upon more than 87,000 American citizens, mostly civil rights (voting) rights activists, to maintain a White-supremacist controlled government in the state:

"A no-nonsense group called the  Mississippi State Sovereignty Commission has quietly created a secret, state-funded spy agency answering directly to the Governor.  The Commission has infiltrated the civil rights coalition, eavesdropping on its most private meetings, and pilfering its most sensitive documents. The spies’ method of obtaining such sensitive information can be traced to an even more explosive secret known only to a handful of state officials that oversee the Commission and its anti-civil rights spy apparatus..."

Freedom Summer was a campaign during the summer of 1964 to register African-American voters in southern states. Campaign participants included mostly white college students from northern states working with African-American residents in several southern states to register voters. The MSSC, formed, funded, and controlled by the Mississippi state government, was central to using informants and paid investigators to identify, monitor, and track activists, who were often beaten and murdered. The murders received national and worldwide attention in 1963 with the murder of Medgar Evers, the head of the Mississippi NAACP, and in 1964 when three Freedom Summer students went missing. The students' bodies were later found buried underneath a 14-foot earthen dam.

Besides watching the documentary, you can learn more online.The Mississippi Department of Archives And History contains information and documents that describe the MSSC:

"... was created by an act of the Mississippi legislature on March 29, 1956. The agency was established in the wake of the May 1954 Brown v. Board of Education ruling. Like other states below the Mason-Dixon Line, Mississippi responded to Brown with legislation to shore up the walls of racial separation. The act creating the Commission provided the agency with broad powers. The Commission's objective was to "do and perform any and all acts deemed necessary and proper to protect the sovereignty of the state of Mississippi, and her sister states... the Commission was granted extensive investigative powers. The governor was appointed ex-officio chairman of the Commission. Other ex-officio members were the president of the Senate, who was vice-chairman of the Commission; the attorney general; and the speaker of the House of Representatives. In addition, the Commission comprised the following members: two members from the Senate, appointed by the president of the Senate; and three members from the House of Representatives, appointed by the speaker. The governor, attorney general and legislators served on the Commission during their tenures in office..."

The American Civil Liberties Union (ACLU) wrote that the documentary:

"... is a grim reminder of the depths that Mississippi authorities plumbed in their efforts to subvert the civil rights movement... The film draws on a trove of Commission records, which are available and searchable online thanks to a 1994 court order in a lawsuit brought by the ACLU of Mississippi... within a few years it had mushroomed into a full-scale spy agency, employing a network of investigators and agents who surveilled civil rights activists, tapped their phones, monitored their meetings, stole sensitive documents, and undermined voter rights efforts. The Commission was ruthless, waging an all-out war against change. Perhaps most painfully, it assembled a cadre of African American informants.. It destroyed the lives of people like Clyde Kennard, a Black Korean War veteran who attempted to enroll at what was then Mississippi Southern College. The Commission orchestrated the planting of evidence used to convict Mr. Kennard of stealing chicken feed. He served seven years in prison. Commission agents also funneled information to local law enforcement (which was rife with KKK members) about student activists who were descending on Mississippi for the "Freedom Summer" of 1964... films such as "Spies of Mississippi" serve two vital purposes: remembrance and reminder. They advance the long project of accounting for America's history of racial subjugation, in brutal detail. They also remind us, in the words of Mississippi Congressman Bennie Thompson, of the "need to keep us safe from terrorists, but also from ourselves." "

The MSSC highlights the consequences when a government spies upon its citizens without notice, consent, transparency, and accountability; and fails to comply with the U.S. Constitution. The documentary is currently being shown on Public Broadcasting Stations (PBS). The film and the book are available online for purchase and download. Watch the trailer:


Researchers Conclude AT&T Was The Best Corporate Collaborator With NSA Spying

N.S.A. logo Based upon recently released reports, experts have deduced that while many telecommunications companies helped the National Security Agency (NSA) perform various spy programs, AT&T had a closer relationship with the agency. The New York Times reported:

"... the relationship with AT&T has been considered unique and especially productive. One document described it as “highly collaborative,” while another lauded the company’s “extreme willingness to help.” AT&T’s cooperation has involved a broad range of classified activities... from 2003 to 2013. AT&T has given the N.S.A. access, through several methods covered under different legal rules, to billions of emails as they have flowed across its domestic networks. It provided technical assistance in carrying out a secret court order permitting the wiretapping of all Internet communications at the United Nations headquarters, a customer of AT&T... The N.S.A.’s top-secret budget in 2013 for the AT&T partnership was more than twice that of the next-largest such program, according to the documents. The company installed surveillance equipment in at least 17 of its Internet hubs on American soil..."

AT&T logo The documents, which discussed a program with the code name Fairview, do not mention AT&T by name. The documents came from former agency contractor Edward Snowden.

"After the terrorist attacks of Sept. 11, 2001, AT&T and MCI were instrumental in the Bush administration’s warrantless wiretapping programs, according to a draft report by the N.S.A.’s inspector general. The report, disclosed by Mr. Snowden and previously published by The Guardian, does not identify the companies by name but describes their market share in numbers that correspond to those two businesses..."

The New York Times and ProPublica reviewed the documents jointly.

What can consumers make of this? I see three messages.

First, ProPublica described well the privacy concerns with online surveillance:

".., a single email traverses the Internet in hundreds of tiny slices, called “packets,’’ that travel separate routes. Grabbing even one email requires a computer search of many slices of other people’s messages. Privacy advocates have long argued in court that grabbing portions of so many emails — involving people not suspected of anything — is a violation of the protection against unreasonable searches and seizures provided by the Fourth Amendment to the Constitution. The Electronic Frontier Foundation, a digital civil liberties group, is now hoping that the new documents will bolster their claims in a long-running case, Jewel v. NSA."

Second, after the terror attacks of September 11, 2001 American citizens wanted safety. It matters how government achieves safety while adhering to our values. Some people seem quick to trade freedoms for security. A wise person once said, you can't just run away from the Fourth Amendment.

Third, if you're the NSA and need to reach out and touch somebody, AT&T is your go-to company:


Reddit Shuts Down Racist Communities

Reddit logo Mashable reported that Reddit, a social networking, entertainment, and news website where registered users submit content:

"...  banned at least half a dozen offensive communities that focus on racist content or "animated" child pornography, marking the biggest one-day purge of groups on the social news service to date. The names of the newly banned groups speak for themselves: Coontown, WatchNiggersDie and CoonTownMeta. The bans coincide with the introduction of a new content policy for Reddit, which aims to provide a clearer set of guidelines for what the company considers to be acceptable posts..."

The new content policy prohibits content that is illegal, promotes violence, threatens or harasses others, bullies others, is personal and confidential information, is spam, and impersonates others in a misleading or deceptive manner.

Good. This was long overdue.


Researchers Find Major Security Flow In Biometric Storage in Android Phones

HTC logo Many consumers like the security of locking their smartphone with a fingerprint. That security approach works if the phone manufacturer adequately protects consumers' fingerprints. It seems that the phone manufacturer HTC is not doing enough to protect consumers' sensitive and very personal fingerprint information. The Register reported:

"Four FireEye researchers have found a way to steal fingerprints from Android phones packing biometric sensors such as the Samsung Galaxy S5 and the HTC One Max. The team found a forehead-slapping flaw in HTC One Max in which fingerprints are stored as an image file (dbgraw.bmp) in a open "world readable" folder... Yulong Zhang, Zhaofeng Chen, Hui Xue, Tao Wei say in the paper Fingerprints On Mobile Devices: Abusing and Leaking [PDF] presented at Black Hat in Las Vegas last week that most device manufacturers fail to use Android's Trust Zone protection to safeguard biometric data."

That means the fingerprint information wasn't encrypted. That means any person or app accessing files on the phones can access (and steal) users' fingerprint information. This is a no-no in data security. This should not happen. This is data security 101.

TechCrunch highlighted the situation at HTC:

"Internet hyperbole (and financial analysis) have rendered HTC, a once high-flying mobile brand, essentially valueless. In short, the company is trading below cash on hand which means if you bought all HTC stock the company would have to pay, you, the buyer to take it over. This means the company’s factories, stock, and brand are worth nothing, at least on Wall Street. Furthermore, the researchers have discovered that the HTC One Max X has been keeping fingerprint biometrics used to unlock the cellphones in an unencrypted “world-readable” file, a definite no-no in the world of security. Hackers could easily open the file /data/dbgraw.bmp on the phone’s memory and capture your fingerprint data. It’s bad. In short, HTC is hosed."

Lately, the news hasn't been good for smartphones that run Google's Android operating system. Last month, researchers found a security flaw that would let hackers access Android phones via a text message. With access, hackers can view, copy, and delete files, remotely take over the camera, and remotely take over the microphone.

The security flaw highlighted the fact that while Google had developed a patch to fix the flaw in the software, it was up to the phone manufacturers (e.g., HTC, Samsung, etc.) and wireless carriers (e.g., Verizon, T-Mobile, etc.) to distribute the software security update to users. And, some vendors provided updates far faster than others.

Another reminder to consumers that when you buy a smartphone, you are doing business with several companies: the phone manufacturer, the developer of the operating system, the wireless carrier, and the dveloper of each mobile app. The security of your phone is only as strong as the weakest vendor.


The $30 Device Thieves Can Use To Hack Your Car And Garage Door

Stealing automobiles just got a lot easier. Ars Technica reported about a new mobile device criminals can use to open both your garage door and steal your car. The $30 hacking device takes advantage of vulnerabilities in the way keyless entry systems operate:

"... serial hacker Samy Kamkar has devised RollJam... It works against a variety of market-leading chips, including the KeeLoq access control system from Microchip Technology Inc. and the High Security Rolling Code generator made by National Semiconductor. RollJam is capable of opening electronic locks on cars from Chrysler, Daewoo, Fiat, GM, Honda, Toyota, Volvo, Volkswagen Group, Clifford, Shurlok, and Jaguar. It also works against a variety of garage-door openers, including the rolling code garage door opener made by King Cobra."

Ars Technica explained how the RollJam device works. Thieves use it when within broadcast distance of both the targeted vehicle and the owner's electronic key:

"The device contains two radios. The first jams the airwaves to prevent the lock from receiving the rolling code sent by the electronic key. Since the car or garage door doesn't unlock, a user almost certainly will press the lock or unlock button again. Once RollJam has collected the latter rolling code, it uses the second radio to broadcast the earlier rolling code to the lock. RollJam then stores the latter rolling code. Because the code was never received by the lock, it remains valid. By replaying it later—say, after the car owner has locked the car and walked away—RollJam is able to unlock the car or garage... The reason many electronic locks are vulnerable to RollJam is that the rolling codes are invalidated only after it or a subsequent rolling code is received."

Nice, eh?


SEC Adopts Pay Ratio Rule For Public Companies

Securities and Exchange Commission logo The U.S. Securities and Exchange Commission (SEC) announced this week that it has adopted a final rule that requires public companies to disclose the ratio of the compensation of its chief executive officer (CEO) to the median compensation of its employees. The median pay is the amount which half of a company's employees earn less and half of its employees earn more. The SEC announcement:

"The new rule will provide shareholders with information they can use to evaluate a CEO’s compensation, and will require disclosure of the pay ratio in registration statements, proxy and information statements, and annual reports that call for executive compensation disclosure.  Companies will be required to provide disclosure of their pay ratios for their first fiscal year beginning on or after Jan. 1, 2017."

The new rule was required by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Adobe PDF). The rule does not apply to:

"...smaller reporting companies, emerging growth companies, foreign private issuers, MJDS filers, or registered investment companies."

Critics claimed that the cost is high for companies to comply with the rule. The Los Angeles Times reported:

"The SEC estimated the requirement would cost companies about $73 million, but the U.S. Chamber of Commerce puts the price tag far higher -- at an "egregious" $700 million a year or more. The chamber said most large companies do not have a centralized payroll, which would make the cost of compiling data 'prohibitively high.' "

The new rule provides flexibility for companies to calculate their pay ratios. In its Fact Sheet, the SEC explained:

"To identify the median employee, the rule would allow companies to select a methodology based on their own facts and circumstances.  A company could use its total employee population or a statistical sampling of that population and/or other reasonable methods... A company could apply a cost-of-living adjustment to the compensation measure used to identify the median employee...  A company also would be permitted to identify its median employee once every three years unless there has been a change in its employee population or employee compensation arrangements that it reasonably believes would result in a significant change to its pay ratio disclosure...  A company would be required to calculate the annual total compensation for its median employee using the same rules that apply to the CEO’s compensation..."

The Fact Sheet contains more details about the methodology, disclosures, assumptions, and estimates for calculating pay ratios.

College professor and former U.S. Secretary of Labor Robert Reich said Wednesday on Facebook:

"This is an important step. It will focus public attention on the pay gap that's become a giant chasm. It won't shame corporations into reducing the gap, but it may prompt shareholders to take some action and perhaps even consumers to boycott companies with the largest gaps. It could also bolster efforts, such as I've outlined in recent days, to increase corporate taxes on companies with high ratios and reduce them on companies with low ratios."

I agree. What are your opinions?


Justice Department Considers Changes To The Patriot Act And Rule 41 For Online Warrants

[Editor's Note: I am happy to feature another post by guest author Arkady Bukh. He leads the law firm of Bukh & Associates, PLLC which specializes in criminal law, family law, and several areas of civil law. He is a frequent contributor on CNN, Wired, Forbes, Huffington Post, and several other sites.]

By Arkady Bukh, Esq.

In the days and months following 9/11, Americans shuffled between wincing in fear and screaming for retribution.

Forgetting Benjamin Franklin’s admonishment that people who give up security for liberty lose both, Americans sat by while some of the most restrictive legislation ever signed was enacted. Justified by claims of “national security,” American citizens watched as their rights were softened. The Patriot Act arguably was the legislative high point during President George W. Bush’s administration.

Lately, calmer heads have prevailed and Congress has started to move to relax some aspects of The Patriot Act as it eliminated others.

One small section of the Patriot Act, Rule 41, may get toughened and expanded while much of America is sidetracked by smartphones and the Kardashians. If the legislation is signed into law, the impact will not only be felt across American, but the tsunami wave of snooping and privacy invasion will perseverate globally.

Tweaks are “Monumental” Violation

While the U.S. Department of Justice (DOJ) has been working to modify a federal criminal procedure making it easier for judges to issue search warrants outside their areas of jurisdiction, Google has been busy warning others about the potential consequences.

Rule 41

The proposed change in Rule 41 of The Patriot Act would allow judges to assign warrants even if the source of a botnet, or another unidentified action, is anonymous and its location unknown. University of California Hastings law professor Ahmed Ghappour told the Ars Technica blog:

"This is another example of the FBI obtaining a warrant that they are not empowered to obtain based on the lack of technological expertise of the courts."

Ars Technica concluded:

"If the proposal is passed as currently drafted, federal authorities would gain an expanded ability to conduct "remote access" under a warrant against a target computer whose location is unknown or outside of a given judicial district. It would also apply in cases where that computer is part of a larger network of computers spread across multiple judicial districts."

In responding to public comments regarding the proposed expansion of Rule 41, the DOJ replied:

“These objections are misplaced here because the proposed amendment is solely about the appropriate venue for applying for such warrants. The existing rules already allow the government to obtain and execute such warrants when the district of the targeted computer is known. Thus, the issue before the Committee is not whether to allow warrants to be executed by remote search; it is whether such warrants should as a practical matter be precluded in cases involving anonymizing technology due to lack of a clearly authorized venue to consider warrant applications. Finally, we note that none of the commenters who expressed opposition to the proposal offered any substantive alternative solution...”

Google’s stance is that the proposal is too broad and would have unintended consequences. Google’s rebuttal adds that Congress should pass laws authorizing the changes, and not a DOJ proposal. Google’s response was filed along with 30 others during the comment period by groups that included the ACLU and the Electronic Frontier Foundation.

Under the proposed modifications, Rule 41 of the Federal Rules of Criminal Procedure authorizes the government to appear before a single Federal magistrate judge in any judicial district in which activities relating to terrorism may have occurred.

This means that the government could go before a single judge to get a warrant to search the property of a person — anywhere. If the state chose to appear in New York, an individual in California who wished to have the warrant squashed, would have to discover a way to appear before the New York Court that issued the warrant.

Rule 41 isn’t the only clause in The Patriot Act that concerns observers.

The Patriot Act

The dangers of The Patriot Act, specifically Section 802, is the definition of “terrorism.”  As defined, domestic terrorism is broad enough to include the actions of several prominent activist groups including Greenpeace, Operation Rescue and others.

The American Civil Liberties Union (ACLU) cited the Vieques Island protests as an example:

"... when many people, including several prominent Americans, participated in civil disobedience on a military installation where the United States government has been engaging in regular military exercises, which these protesters oppose. The protesters illegally entered the military base and tried to obstruct the bombing exercises. This conduct would fall within the definition of domestic terrorism because the protesters broke federal law by unlawfully entering the airbase and their acts were for the purpose of influencing a government policy by intimidation or coercion.The act of trying to disrupt bombing exercises arguably created a danger to human life - their own and those of military personnel."

Using the Vieques Island protests as a starting point, the new government powers can be examined.

Seizure of Assets

Section 806 of The Patriot Act would result in the civil seizure of individual assets without prior hearings and without being convicted of a crime. The language in Section 806 is widespread enough to authorize the government to seize any resources and belongings of any individual involved in Vieques or any group supporting the protests.

Additionally, any individual who supported the groups that supported the Vieques Island protesters would also be subject to Section 806.

The civil asset forfeiture power of the US government is incredible. The government can seize the assets based on the mere assertion that there is a possible cause to think that the assets were linked to“domestic terrorism.”

Educational Record Disclosure

Section 507 requires a judge to issue an order permitting the government to obtain private educational records if the US Attorney General certifies that the records are necessary for investigating terrorism. An independent judicial finding is not required to prove the records are relevant.

The types of records that can be seized include information such as a student’s grades, private medication information, and organizations the student belongs to.

Criminal defense attorneys do not oppose the criminal prosecution of people who violate the law — even if they are performing for political purposes. However, what is anathema is the broad definition of terrorism and the authorization that flows from that meaning.

One way to ensure that the behavior that falls within the meaning of terrorism is, in fact, to limit the scope of the behavior that triggers the charges.


Banks Pay Most of Their Tellers Less Than $15 Per Hour

Everyone knows that many low wage employees work in restaurants, fast food, and construction. Add banks to the list.

The National Employment Law Project (NELP) published an August 2015 report about the earnings of employees in banks. The report focused upon retail banks, where consumers and small businesses typically have checking accounts, savings accounts, and loans. NELP studied the pay at banks because:

"Bank tellers constitute the largest banking-related occupation in the United States, with almost half a million workers nationwide. Three in four (74.1 percent) earn less than $15 an hour, compared with 42.4 percent of the total U.S. workforce, according to NELP’s report. Tellers’ median hourly wage is just $12.44. The workforce is overwhelmingly female: more than five in six bank tellers are women."

The media hourly wage is the amount that divides any group in half. Half of the group earns less and half of the group earns more that the median hourly pay. The median hourly pay for several positions in retail banks:

  • Financial clerks: $18.52
  • Secretaries and administrative assistants: $18.22
  • Credit authorizers, checkers, and clerks: $17.65
  • Loan interviewers and clerks: $17.34
  • Bill and account collectors: $17.20
  • Bookkeeping, accounting, and auditing clerks: $17.04
  • New accounts clerks: $16.33
  • Customer service representatives: $15.94
  • Office clerks: $14.64
  • Receptionists and information clerks: $12.93
  • Janitors and cleaners: $10.65

Additional findings from the report (click any image to view a larger version):

Figure 1: Bank employees earning less than $15 per hour. NELP. Click to view larger image

Figure 2: Most bank tellers are women. NELP. Click to view larger image

Figure 3: Most bank tellers are white. Latinos are over-represented. NELP. Click to view larger image

Christine Owens, executive director of NELP said:

“Many people hear about bank profits and lavish CEO compensation and assume that all jobs in banking pay well. But the reality is far different for bank tellers: Though they handle other people’s money all day, many tellers struggle to survive on wages too low to sustain families... In New York, the families of nearly 4 in 10 bank tellers must rely on some form of public assistance to get by; nationally, almost one in three do so.”

The last sentence is worthy of emphasis: 4 in 10 bank tellers must rely on some form of public assistance. So, when companies pay extremely low wages, the rest of us -- taxpayers -- end up paying to support companies that have decided not to pay their employees what many call a "living wage." You can conclude: minimum wage jobs encourage bigger government via assistance programs.

Don't like big government? Then, support minimum wage increases in the state where you live.

Download the full report (Adobe PDF). What are your opinions of these wages?


Drones: Near Misses Over New York, Shoot Down In Kentucky, And DHS Bulletins

On Sunday, CNN reported two near misses between a drone and passenger airplanes in the skies over New York:

"Two airplanes flying near one of the nation's busiest airports each came within 100 feet of a drone on Friday, according to audio from each flight's radio calls. The first, JetBlue Flight 1843, reported spotting a drone at 2:24 p.m. while approaching John F. Kennedy International Airport, according to the Federal Aviation Administration. In the audio recording, the cockpit says that the drone passed just below the planes nose when the jet was flying at an altitude of about 800 to 900 feet."

Details about the second near miss:

"Then at about 5 p.m., Delta Flight 407 -- which had 154 people on board -- was preparing to land when the cockpit reported seeing a drone below its right wing. The Delta flight had its drone encounter near Floyd Bennett Field, located in Gateway National Recreation Area. A Gateway National Recreation Service park ranger told CNN that the field does not permit drone flying but many aviation enthusiasts can be found flying "radio-controlled propeller crafts and unmanned small jets." However, there is a space within Floyd Bennett field where people with a permit and members of an aviation club may fly their own small craft, the ranger said."

The Federal Aviation Administration (FAA) is responsible for maintaining the safety of our skies in the United States. The incident highlights the need for continued and stronger enforcement of aviation safety laws by drone operators:

Unmanned aircraft systems are neither supposed to fly within five miles of an airport without notifying the airport operator and control tower nor are they supposed to go above 400 feet."

On Friday, National Public Radio report a dispute between two Kentucky residents after one shot down a drone the other person was operating:

"William Meredith, 47, of Bullitt County, Ky., was arrested after he used his shotgun to bring down a drone that he said hovered above his property in Hillview, a suburb of Louisville..."

Meredith alleged shot down the drone when it flew over his property. NPR also reported:

"Police were called to the scene; Meredith now faces felony charges of wanton endangerment and criminal mischief, with a court date set for September. The drone's owner, David Boggs, says the drone wasn't hovering low over anyone's property, showing flight tracking data to local media that indicates an altitude of more than 250 feet. And he says he wasn't trying to invade anyone's privacy."

The FAA began investigations in November last year after reports of rogue drones outfitted with cameras at large, outdoor sporting events... college football stadiums.

Last Friday, the Department of Homeland Security (DHS) sent bulletins with intelligence assessments to police departments around the nation. CBS News reported that the bulletins:

"... warned that unmanned aircraft systems (UAS) or drones could be used in the U.S. to advance terrorist and criminal activities... According to federal officials, "The rising trend in UAS incidents within the National Airspace System will continue, as UAS gain wider appeal with recreational users and commercial applications." The bulletin goes on to say, "while many of these encounters are not malicious in nature, they underscore potential security vulnerabilities... that could be used by adversaries..."


Class-Action Lawsuits Filed Against Medical Informatics Engineering And Experian

Medical Informatics Engineering logo One result of the Medical Informatics Engineering (MIE) data breach has been a class-action lawsuit filed against MIE. The Journal Gazette reported on July 31:

"James Young, a patient whose medical information was compromised, filed the paperwork Wednesday in U.S. District Court in Fort Wayne. The Indianapolis man is seeking to create a class action, which would allow others who had personal information stolen in the data breach to join the lawsuit... Young alleges that MIE failed "to take adequate and reasonable measures to ensure its data systems were protected," failed to stop the breach and failed to notify customers ina timely manner."

In a Sunday, August 2 article, the Fort Wayne, Indiana-based Journal Gazette described the wide range of companies that access consumers' medical records:

"A lot more people than you realize, including your employer, your bank, state and federal agencies, insurance companies, drug companies, marketers, medical transcribers and the public, if your health records are subpoenaed as part of a court case. All those entities can access your records without getting special permission from you, according to Patient Privacy Rights."

Austin, Texas-based Patient Privacy Rights is an education, privacy, and advocacy organization dedicated to helping consumers regain control over their personal health information.

The Journal Gazette news article was the first report I've read disclosing the total number of breach victims. Reportedly, MIE sent 3.1 million breach notices to affected consumers nationwide. Help Net Security reported a total of nearly 5.5 million consumers in the U.S. affected. That includes 1.5 million consumers affected in Indiana, and 3.9 million consumers in other states. Compromised or stolen data goes as far back as 1997. Reportedly, the Indiana Attorney General's office has begun an investigation.

The Journal Gazette news article also discussed some of the ways stolen medical information can be misused:

"An unethical provider could bill an insurance company or the federal government for health care that it never gave you. Any amount not covered would then be billed directly to you, which could affect your credit score... Then there’s the issue of using sensitive medical information for marketing – or even for blackmail. Let’s say someone was treated for AIDS, hepatitis C or a sexually transmitted disease. A company selling prescription drugs or other products might like to target that patient for advertising. But sending brochures or coupons in the mail could tip off others about the condition. Someone with those or similar medical conditions could face discrimination in hiring..."

Experian logoIn a separate case, a class-action was filed against the credit reporting service Experian. The Krebs On Security blog reported on July 21:

"The suit alleges that Experian negligently violated consumer protection laws when it failed to detect for nearly 10 months that a customer of its data broker subsidiary was a scammer who ran a criminal service that resold consumer data to identity thieves... The lawsuit comes just days after a judge in New Hampshire handed down a 13-year jail sentence against Hieu Minh Ngo, a 25-year-old Vietnamese man who ran an ID theft service variously named Superget.info and findget.me. Ngo admitted hacking into or otherwise illegally gaining access to databases belonging to some of the world’s largest data brokers, including a Court Ventures— a company that Experian acquired in 2012. He got access to some 200 million consumer records by posing as a private investigator based in the United States... The class action lawsuit, filed July 17, 2015 in the U.S. District Court for the Central District of California, seeks statutory damages for Experian’s alleged violations of, among other statutes, the Fair Credit Reporting Act (FCRA)..."

I included information about both class-actions in a single blog post since both companies are of interest to consumers affected by MIE's data breach. MIE has offered breach victims two years of free credit monitoring services from Experian.