14 posts from September 2015

Luxury Trump Hotel In Las Vegas Begins Notification Of Consumers About Data Breach

The law firm representing the luxury Trump International Hotel and Tower property in Las Vegas announced a data breach affecting its client. To comply with breach notification laws in many states, corporations (or their agents) typically submit breach notices (e.g., sample or final) to the attorney general or applicable legal agency in each state where there are affected residents.

The breach notice at the California Attorney General website (Adobe PDF) read, in part:

"... we are providing notice of a security incident possibly affecting certain individuals who made payment card purchases at Trump International Hotel & Tower Las Vegas, located at 2000 Fashion Show Drive, Las Vegas, NV... Although an independent forensic investigation has not conclusively determined that any particular customer’s payment card information was taken from the Hotel’s payment card system or misused as a result of the incident, we are providing this notice out of an abundance of caution to inform potentially affected customers of the incident... it appears that there may have been unauthorized malware access to payment card information as it was inputted into the payment card systems... including payment card account number, card expiration date, security code, and cardholder name) of individuals who used a payment card at the Hotel between May 19, 2014, and June 2, 2015, may have been affected..."

It seems that payment information was stolen by malware installed within infected terminals. The breach notice also mentioned that the hotel is working with law enforcement, banks, and an independent forensic investigation vendor. All, pretty standard stuff. The notice did not disclose the total number of records or consumers affected.

The breach notice includes instructions for affected customers to sign up for one year of free fraud resolution and identity protection services with Experian ProtectMyID. The offer is only for U.S. residents who used a payment card at the Hotel between May 19, 2014, and June 2, 2015. (Since the hotel's website includes content in several languages besides English, I guess that deep-pocketed customers from other countries are simply screwed.) That duration seems skimpy, since many other corporations have offered two years. The breach notice lists a hotel toll-free number for affected customers to get assistance and ask questions.

A check this morning of the hotel's home page did not find a link to a breach notice. Typically, a well-organized post-breach response also includes a website providing affected customers with more information (or dedicated pages at their main site).

So, there seem to be two massive failures in this data breach. The first was a failure to promptly detect the unauthorized access. The second was a lengthy delay of more than a year to notify affected consumers. And, the investigation is still underway so things could be even worse.

Note: the Krebs On Security blog first broke news in July about data breaches at several hotels, including the Trump hotel in Las Vegas. One wonders why the hotel didn't announce the breach then.


Study: The 5 Cars Most Vulnerable To Getting Hacked. Is Your Car On The List?

Modern cars have plenty of features, gadgets, and conveniences. Consumers expect their cars to be safe. IT World reported the results of a study that found the cars most vulnerable to being hacked:

"The results of the study, by PT&C/LWG Forensic Consulting Services, were based on published research by hackers, vehicle recall information and media reports. The most hackable list includes the 2014 Jeep Cherokee, the 2014 Infiniti Q50, the 2015 Cadillac Escalade, the 2010 and 2014 Toyota Prius and the 2014 Ford Fusion."

Hackers don't have to be nearby to be effective. They can be out of sight, since some technologies allow them to be farther away. While hackers can be as close as 5 to 20 meters to hack your car's smart key, they can be 100 meters away to hack your car's radio data system, or anywhere to hack the WiFi system. This is possible because the average new car contains anywhere from 20 to 70 computers, each with varying technologies, capabilities, and protections.

There are several threats including a $30 device criminals use to intercept wireless transmissions between any smart key, your vehicle, and garage door. Automakers control the security of your vehicle, and one U.S. Senator has lobbied for greater protections for drivers.

To stay safe and protect their vehicles, experts advise consumers to keep their vehicles locked, be aware of the systems their cars contain, and get software security updates at a reputable dealer.

The article includes an infographic with more information.


Transcript: Pope Francis' Speech To The U.S. Congress

Earlier today, Pope Francis spoke to the U.S. Congress. He said some very interesting things and mentioned several names. That was the first time a Pope spoke to a joint session of Congress. He mentioned topics I didn't expect to hear, and emphasized working together to support each other to solve some challenging problems facing society:

"... no religion is immune from forms of individual delusion or ideological extremism. This means that we must be especially attentive to every type of fundamentalism, whether religious or of any other kind. A delicate balance is required to combat violence perpetrated in the name of a religion, an ideology or an economic system... The challenges facing us today call for a renewal of that spirit of cooperation, which has accomplished so much good throughout the history of the United States. The complexity, the gravity and the urgency of these challenges demand that we pool our resources and talents, and resolve to support one another, with respect for our differences... If politics must truly be at the service of the human person, it follows that it cannot be a slave to the economy and finance... I think of the march which Martin Luther King led from Selma to Montgomery fifty years ago as part of the campaign to fulfill his "dream" of full civil and political rights for African Americans. That dream continues to inspire us all..."

While video of the speech is available online at many sites, often it is helpful to read (and re-read) the words. CNN provided a transcript, which I am happy to provide in full below. I am not a Catholic. I am a resident of this planet and concerned citizen of the USA.

The transcript of the Pope's speech:

"Mr. Vice-President,

Mr. Speaker,

Honorable Members of Congress,

Dear Friends,

I am most grateful for your invitation to address this Joint Session of Congress in "the land of the free and the home of the brave". I would like to think that the reason for this is that I too am a son of this great continent, from which we have all received so much and toward which we share a common responsibility.

Each son or daughter of a given country has a mission, a personal and social responsibility. Your own responsibility as members of Congress is to enable this country, by your legislative activity, to grow as a nation. You are the face of its people, their representatives. You are called to defend and preserve the dignity of your fellow citizens in the tireless and demanding pursuit of the common good, for this is the chief aim of all politics. A political society endures when it seeks, as a vocation, to satisfy common needs by stimulating the growth of all its members, especially those in situations of greater vulnerability or risk. Legislative activity is always based on care for the people. To this you have been invited, called and convened by those who elected you.

Yours is a work which makes me reflect in two ways on the figure of Moses. On the one hand, the patriarch and lawgiver of the people of Israel symbolizes the need of peoples to keep alive their sense of unity by means of just legislation. On the other, the figure of Moses leads us directly to God and thus to the transcendent dignity of the human being. Moses provides us with a good synthesis of your work: you are asked to protect, by means of the law, the image and likeness fashioned by God on every human face.

Today I would like not only to address you, but through you the entire people of the United States. Here, together with their representatives, I would like to take this opportunity to dialogue with the many thousands of men and women who strive each day to do an honest day's work, to bring home their daily bread, to save money and -- one step at a time -- to build a better life for their families. These are men and women who are not concerned simply with paying their taxes, but in their own quiet way sustain the life of society. They generate solidarity by their actions, and they create organizations which offer a helping hand to those most in need.

I would also like to enter into dialogue with the many elderly persons who are a storehouse of wisdom forged by experience, and who seek in many ways, especially through volunteer work, to share their stories and their insights. I know that many of them are retired, but still active; they keep working to build up this land. I also want to dialogue with all those young people who are working to realize their great and noble aspirations, who are not led astray by facile proposals, and who face difficult situations, often as a result of immaturity on the part of many adults. I wish to dialogue with all of you, and I would like to do so through the historical memory of your people.

My visit takes place at a time when men and women of good will are marking the anniversaries of several great Americans. The complexities of history and the reality of human weakness notwithstanding, these men and women, for all their many differences and limitations, were able by hard work and self-sacrifice -- some at the cost of their lives -- to build a better future. They shaped fundamental values which will endure forever in the spirit of the American people. A people with this spirit can live through many crises, tensions and conflicts, while always finding the resources to move forward, and to do so with dignity. These men and women offer us a way of seeing and interpreting reality. In honoring their memory, we are inspired, even amid conflicts, and in the here and now of each day, to draw upon our deepest cultural reserves.

I would like to mention four of these Americans: Abraham Lincoln, Martin Luther King, Dorothy Day and Thomas Merton.

This year marks the one hundred and fiftieth anniversary of the assassination of President Abraham Lincoln, the guardian of liberty, who labored tirelessly that "this nation, under God, [might] have a new birth of freedom". Building a future of freedom requires love of the common good and cooperation in a spirit of subsidiarity and solidarity.

All of us are quite aware of, and deeply worried by, the disturbing social and political situation of the world today. Our world is increasingly a place of violent conflict, hatred and brutal atrocities, committed even in the name of God and of religion. We know that no religion is immune from forms of individual delusion or ideological extremism. This means that we must be especially attentive to every type of fundamentalism, whether religious or of any other kind. A delicate balance is required to combat violence perpetrated in the name of a religion, an ideology or an economic system, while also safeguarding religious freedom, intellectual freedom and individual freedoms. But there is another temptation which we must especially guard against: the simplistic reductionism which sees only good or evil; or, if you will, the righteous and sinners. The contemporary world, with its open wounds which affect so many of our brothers and sisters, demands that we confront every form of polarization which would divide it into these two camps. We know that in the attempt to be freed of the enemy without, we can be tempted to feed the enemy within. To imitate the hatred and violence of tyrants and murderers is the best way to take their place. That is something which you, as a people, reject.

Our response must instead be one of hope and healing, of peace and justice. We are asked to summon the courage and the intelligence to resolve today's many geopolitical and economic crises. Even in the developed world, the effects of unjust structures and actions are all too apparent. Our efforts must aim at restoring hope, righting wrongs, maintaining commitments, and thus promoting the well-being of individuals and of peoples. We must move forward together, as one, in a renewed spirit of fraternity and solidarity, cooperating generously for the common good.

The challenges facing us today call for a renewal of that spirit of cooperation, which has accomplished so much good throughout the history of the United States. The complexity, the gravity and the urgency of these challenges demand that we pool our resources and talents, and resolve to support one another, with respect for our differences and our convictions of conscience.

In this land, the various religious denominations have greatly contributed to building and strengthening society. It is important that today, as in the past, the voice of faith continue to be heard, for it is a voice of fraternity and love, which tries to bring out the best in each person and in each society. Such cooperation is a powerful resource in the battle to eliminate new global forms of slavery, born of grave injustices which can be overcome only through new policies and new forms of social consensus.

Here I think of the political history of the United States, where democracy is deeply rooted in the mind of the American people. All political activity must serve and promote the good of the human person and be based on respect for his or her dignity. "We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable rights, that among these are life, liberty and the pursuit of happiness" (Declaration of Independence, 4 July 1776). If politics must truly be at the service of the human person, it follows that it cannot be a slave to the economy and finance. Politics is, instead, an expression of our compelling need to live as one, in order to build as one the greatest common good: that of a community which sacrifices particular interests in order to share, in justice and peace, its goods, its interests, its social life. I do not underestimate the difficulty that this involves, but I encourage you in this effort.

Here too I think of the march which Martin Luther King led from Selma to Montgomery fifty years ago as part of the campaign to fulfill his "dream" of full civil and political rights for African Americans. That dream continues to inspire us all. I am happy that America continues to be, for many, a land of "dreams". Dreams which lead to action, to participation, to commitment. Dreams which awaken what is deepest and truest in the life of a people.

In recent centuries, millions of people came to this land to pursue their dream of building a future in freedom. We, the people of this continent, are not fearful of foreigners, because most of us were once foreigners. I say this to you as the son of immigrants, knowing that so many of you are also descended from immigrants. Tragically, the rights of those who were here long before us were not always respected. For those peoples and their nations, from the heart of American democracy, I wish to reaffirm my highest esteem and appreciation. Those first contacts were often turbulent and violent, but it is difficult to judge the past by the criteria of the present. Nonetheless, when the stranger in our midst appeals to us, we must not repeat the sins and the errors of the past. We must resolve now to live as nobly and as justly as possible, as we educate new generations not to turn their back on our "neighbors" and everything around us. Building a nation calls us to recognize that we must constantly relate to others, rejecting a mindset of hostility in order to adopt one of reciprocal subsidiarity, in a constant effort to do our best. I am confident that we can do this.

Our world is facing a refugee crisis of a magnitude not seen since the Second World War. This presents us with great challenges and many hard decisions. On this continent, too, thousands of persons are led to travel north in search of a better life for themselves and for their loved ones, in search of greater opportunities. Is this not what we want for our own children? We must not be taken aback by their numbers, but rather view them as persons, seeing their faces and listening to their stories, trying to respond as best we can to their situation. To respond in a way which is always humane, just and fraternal. We need to avoid a common temptation nowadays: to discard whatever proves troublesome. Let us remember the Golden Rule: "Do unto others as you would have them do unto you" (Mt 7:12).

This Rule points us in a clear direction. Let us treat others with the same passion and compassion with which we want to be treated. Let us seek for others the same possibilities which we seek for ourselves. Let us help others to grow, as we would like to be helped ourselves. In a word, if we want security, let us give security; if we want life, let us give life; if we want opportunities, let us provide opportunities. The yardstick we use for others will be the yardstick which time will use for us. The Golden Rule also reminds us of our responsibility to protect and defend human life at every stage of its development.

This conviction has led me, from the beginning of my ministry, to advocate at different levels for the global abolition of the death penalty. I am convinced that this way is the best, since every life is sacred, every human person is endowed with an inalienable dignity, and society can only benefit from the rehabilitation of those convicted of crimes. Recently my brother bishops here in the United States renewed their call for the abolition of the death penalty. Not only do I support them, but I also offer encouragement to all those who are convinced that a just and necessary punishment must never exclude the dimension of hope and the goal of rehabilitation.

In these times when social concerns are so important, I cannot fail to mention the Servant of God Dorothy Day, who founded the Catholic Worker Movement. Her social activism, her passion for justice and for the cause of the oppressed, were inspired by the Gospel, her faith, and the example of the saints.

How much progress has been made in this area in so many parts of the world! How much has been done in these first years of the third millennium to raise people out of extreme poverty! I know that you share my conviction that much more still needs to be done, and that in times of crisis and economic hardship a spirit of global solidarity must not be lost. At the same time I would encourage you to keep in mind all those people around us who are trapped in a cycle of poverty. They too need to be given hope. The fight against poverty and hunger must be fought constantly and on many fronts, especially in its causes. I know that many Americans today, as in the past, are working to deal with this problem.

It goes without saying that part of this great effort is the creation and distribution of wealth. The right use of natural resources, the proper application of technology and the harnessing of the spirit of enterprise are essential elements of an economy which seeks to be modern, inclusive and sustainable. "Business is a noble vocation, directed to producing wealth and improving the world. It can be a fruitful source of prosperity for the area in which it operates, especially if it sees the creation of jobs as an essential part of its service to the common good" (Laudato Si', 129). This common good also includes the earth, a central theme of the encyclical which I recently wrote in order to "enter into dialogue with all people about our common home" (ibid., 3). "We need a conversation which includes everyone, since the environmental challenge we are undergoing, and its human roots, concern and affect us all" (ibid., 14).

In Laudato Si', I call for a courageous and responsible effort to "redirect our steps" (ibid., 61), and to avert the most serious effects of the environmental deterioration caused by human activity. I am convinced that we can make a difference and I have no doubt that the United States -- and this Congress -- have an important role to play. Now is the time for courageous actions and strategies, aimed at implementing a "culture of care" (ibid., 231) and "an integrated approach to combating poverty, restoring dignity to the excluded, and at the same time protecting nature" (ibid., 139). "We have the freedom needed to limit and direct technology" (ibid., 112); "to devise intelligent ways of... developing and limiting our power" (ibid., 78); and to put technology "at the service of another type of progress, one which is healthier, more human, more social, more integral" (ibid., 112). In this regard, I am confident that America's outstanding academic and research institutions can make a vital contribution in the years ahead.

A century ago, at the beginning of the Great War, which Pope Benedict XV termed a "pointless slaughter", another notable American was born: the Cistercian monk Thomas Merton. He remains a source of spiritual inspiration and a guide for many people. In his autobiography he wrote: "I came into the world. Free by nature, in the image of God, I was nevertheless the prisoner of my own violence and my own selfishness, in the image of the world into which I was born. That world was the picture of Hell, full of men like myself, loving God, and yet hating him; born to love him, living instead in fear of hopeless self-contradictory hungers". Merton was above all a man of prayer, a thinker who challenged the certitudes of his time and opened new horizons for souls and for the Church. He was also a man of dialogue, a promoter of peace between peoples and religions.

From this perspective of dialogue, I would like to recognize the efforts made in recent months to help overcome historic differences linked to painful episodes of the past. It is my duty to build bridges and to help all men and women, in any way possible, to do the same. When countries which have been at odds resume the path of dialogue -- a dialogue which may have been interrupted for the most legitimate of reasons -- new opportunities open up for all. This has required, and requires, courage and daring, which is not the same as irresponsibility. A good political leader is one who, with the interests of all in mind, seizes the moment in a spirit of openness and pragmatism. A good political leader always opts to initiate processes rather than possessing spaces (cf. Evangelii Gaudium, 222-223).

Being at the service of dialogue and peace also means being truly determined to minimize and, in the long term, to end the many armed conflicts throughout our world. Here we have to ask ourselves: Why are deadly weapons being sold to those who plan to inflict untold suffering on individuals and society? Sadly, the answer, as we all know, is simply for money: money that is drenched in blood, often innocent blood. In the face of this shameful and culpable silence, it is our duty to confront the problem and to stop the arms trade.

Three sons and a daughter of this land, four individuals and four dreams: Lincoln, liberty; Martin Luther King, liberty in plurality and non-exclusion; Dorothy Day, social justice and the rights of persons; and Thomas Merton, the capacity for dialogue and openness to God.

Four representatives of the American people.

I will end my visit to your country in Philadelphia, where I will take part in the World Meeting of Families. It is my wish that throughout my visit the family should be a recurrent theme. How essential the family has been to the building of this country! And how worthy it remains of our support and encouragement! Yet I cannot hide my concern for the family, which is threatened, perhaps as never before, from within and without. Fundamental relationships are being called into question, as is the very basis of marriage and the family. I can only reiterate the importance and, above all, the richness and the beauty of family life.

In particular, I would like to call attention to those family members who are the most vulnerable, the young. For many of them, a future filled with countless possibilities beckons, yet so many others seem disoriented and aimless, trapped in a hopeless maze of violence, abuse and despair. Their problems are our problems. We cannot avoid them. We need to face them together, to talk about them and to seek effective solutions rather than getting bogged down in discussions. At the risk of oversimplifying, we might say that we live in a culture which pressures young people not to start a family, because they lack possibilities for the future. Yet this same culture presents others with so many options that they too are dissuaded from starting a family.

A nation can be considered great when it defends liberty as Lincoln did, when it fosters a culture which enables people to "dream" of full rights for all their brothers and sisters, as Martin Luther King sought to do; when it strives for justice and the cause of the oppressed, as Dorothy Day did by her tireless work, the fruit of a faith which becomes dialogue and sows peace in the contemplative style of Thomas Merton.

In these remarks I have sought to present some of the richness of your cultural heritage, of the spirit of the American people. It is my desire that this spirit continue to develop and grow, so that as many young people as possible can inherit and dwell in a land which has inspired so many people to dream.

God bless America!"


Comcast Pays $33 Million To Settle Privacy Violations of Its Phone Customers

The Attorney General for the State of California announced a settlement with Comcast, the telecommunications provider, to resolve allegations that the company listed telephone customers' numbers which should have remained unlisted.

The settlement includes $33 million in payments. The settlement requires Comcast to pay $25 million in penalties and investigative costs to the California Department of Justice and to the California Public Utilities Commission. Comcast will also pay about $8 million in restitution to 75,000 VOIP (e.g., Internet-based phone) customers whose numbers were improperly disclosed.

The restitution payment includes two years' worth of refunds the affected customers paid for unlisted services. That equals about $2 million. Comcast will also pay an additional $100 to each customer whose safety was compromised by the disclosure of their phone listings and personal information. These customers include law enforcement personnel and domestic violence victims.

Additional terms of the settlement:

"As part of the stipulated judgment filed today in Alameda Superior Court, Comcast has agreed to a permanent injunction that requires the company to improve how it handles customer complaints and to strengthen the restrictions it places on its vendors’ use of personal information about customers.  The injunction will require Comcast to provide a simple and easy-to-read disclosure form to all customers that explains the ways in which it uses unlisted phone numbers and other personal information."

Kudos to the California Attorney General and her staff for this settlement. Comcast's actions make one doubt the company can keep private information it should keep private. It also makes one wonder where else in the country it has listed consumers' phone numbers that should have remained unlisted.

Earlier this year, there was talk that Comcast's cable TV unit was improving its customer service. Well, the company's latest blunder undoes any goodwill created from that, and reinforces negative perceptions.


Apple Removes Apps Infected During Malware Attack

Mashable reported on Monday:

"Dozens of iOS apps in Apple's App Store were infected with malware in recent days, including hugely popular Chinese social networking apps, in what appears to be the first major case of hackers breaching Apple's highly controlled mobile software ecosystem."

Some of the popular apps affected:

"WeChat, which has more than 500 million users in all, said its app was affected by the issue but that it had already fixed the problem earlier this month. It said its version 6.2.5, released on Sept. 10, was infected, but version 6.2.6, released Sept. 12, was not..."

How the breach happened:

"Both the app developers and Apple were apparently unaware that the apps had been infected. Hackers succeeded by tricking the app developers into downloading a modified version of Xcode, the software that developers use to create iOS apps. This fake version of Xcode included the malware, which then made its way into the apps, which were then uploaded to the App Store."


Online Ads: To Block Or Not To Block. And, Who Should Be In Control?

The New York Times reported on Friday about the fast adoption by consumers of ad blocking apps for their mobile devices:

"Just two days after Apple enabled ad-blocking apps through its new mobile operating system, iOS 9, users are embracing the new technology... In less than 48 hours, several ad-blocking apps with names like Peace, Purify and Crystal soared to the top of Apple’s App Store chart... About 16 percent of those who use the Internet in the United States, or 45 million people, have already installed an ad blocker, up 48 percent over the last 12 months, said Sean Blanchfield, who runs PageFair, an Irish start-up that tracks ad blocking. In a report last month, Adobe and PageFair calculated that blockers would cost publishers nearly $22 billion in revenue in 2015."

That's not surprising. The frequency of continual auto-play video ads at many websites has become a huge annoyance. At the same time, one app developer removed his ad-blocking app from sale, stating:

"Peace required that all ads be treated the same — all-or-nothing enforcement for decisions that aren’t black and white. This approach is too blunt, and Ghostery and I have both decided that it doesn’t serve our goals or beliefs well enough. If we’re going to effect positive change overall, a more nuanced, complex approach is required than what I can bring in a simple iOS app."

I agree. The ad-blocking apps should be robust and keep consumers in control. If a consumer wants to block everything, she should be able to. If a consumer wants to block all ads from a specific advertising network and/or ads at a specific website, then he should be able to. Keep consumers in control.

And, the ad blocking should be simpler. Blocking apps should cover a consumer's multiple devices: phone, tablet, laptop, desktop, automobile, and household appliances (e.g., refrigerators, etc.) in a "smart home." Otherwise, the burden on consumers becomes massive.

And, make it opt-in not opt-out. Opt-out puts a perpetual burden on consumers to constantly monitor advertising activities and techniques. Simplicity is always better.

A worst-case scenario would be apps that block ads, but still allow the tracking and data collection by advertisers. Keep consumers in control. I use the EFF's Privacy Badger add-on for my Firefox web browser, to stop both the ads and the tracking technologies embedded in website pages by publishers and ad networks. Privacy Badger explained how it is different:

"Although we like Disconnect, Adblock Plus, Ghostery and similar products (in fact Privacy Badger is based on the ABP code!), none of them are exactly what we were looking for. In our testing, all of them required some custom configuration to block non-consensual trackers. Several of these extensions have business models that we weren't entirely comfortable with. And EFF hopes that by developing rigorous algorithmic and policy methods for detecting and preventing non-consensual tracking, we'll produce a codebase that could in fact be adopted by those other extensions, or by mainstream browsers, to give users maximal control over who does and doesn't get to know what they do online."

Whatever tools consumers use to block ads and tracking, they need to be robust to account for newer techniques, like canvas fingerprinting. One blogger equated ad-blocking software with the deadly pesticide DDT. While it is tempting to equate the intrusive online ads with unwanted insects, I wouldn't go that far. DDT was banned, and ad-blocking software should be encouraged, not banned. Like any other software, there are well-designed products and poorly designed ones.

Sure, publishers and website operators should be able to make money via advertising. The issue is one of balance: balancing consumers' needs versus advertisers' needs. If consumers use ad-blocking apps and browser add-ons, then advertisers have only themselves to blame. They've largely brought this on themselves with ad networks tracking across websites.

What are your opinions of ad blocking software? Which apps and browser add-ons do you use?


The Internet Of Numerous Needless Things

If you aren't familiar with American culture, a key feature is: more is better. Bigger is better. Got one car? You'd be twice as happy with two cars. Got a $10,000 car? You'd be four times happier with a $40,000 luxury car. Got a 1,000 square-foot home? You'd be five times happier with a 5,000 square-foot mansion. Got a handgun at home? You'd be five times safer with five handguns. This is how we roll in the USA.

And, that cultural attitude applies to mobile devices. An Internet-connected device must be better than one that isn't, right? After all, it's better to live in a "smart home" than a dumb home, right?

A recent New York Times article highlighted several questionable mobile devices. These new Internet-connected gadgets seem fine at first glance, but upon closer inspection don't seem to solve consumer needs; or provide inefficient, clumsy, and costly solutions. Allison Arieff wrote:

"... I was introduced to Leeo, a new product that I initially understood to be a reboot of something really in need of a redesign: the smoke detector. As the designer explained his process, I quickly came to understand that Leeo was nothing of the sort. It was a gadget, a night light that “listens” for your smoke detector to go off and then calls your smartphone to let you know your house might be on fire. So, to “improve” a $20 smoke alarm, the designer opted to add a $99 night light and a several-hundred-dollar smartphone. This is not good design."

I agree. Ms. Arieff proceeds to list several more questionable mobile devices. You can read the descriptions yourself. One of my favorites:

"... Mimo, a smart baby monitor built into a onesie ($199) that takes helicopter parenting to new heights (or lows). Mimo notifies you when your baby wakes up or changes her breathing pattern, body position or skin temperature... When Mimo is connected to other devices in your home and discerns that your baby is stirring, the lights turn on, coffee begins brewing and some Baby Mozart starts playing on the stereo. Given the erratic wake-up times of my child when she was an infant, I can only imagine the delight all this activity might bring to new parents at midnight, 3 and 5:30 a.m."

Anyone who has raised a child knows that an infant's screams efficiently wake up everyone in the home. That's efficient, effective design by Mother Nature. With a mobile onesie, who is in control: the parents or the infant? Geez.

You don't have to look far for more questionable devices. One device that comes to mind is the privacy-busting Hello Barbie doll by Mattel. One person shared his experience attempting to upgrade his apartment to "smart home" status: programmable lighting, sensors, and adjustable shades. He never got the mobile app to work, and found the process far from simple and affordable.

The Internet of Things is here as companies race to connect all of the mobile devices in your home. A 2014 survey found that 69 percent of consumers said privacy was their biggest concern with smart homes. The smart home will include a variety of Internet-connected appliances: televisions, home security systems, refrigerators, washing machines, smart thermostats, trash or recycle bins, and more.

What badly designed mobile devices have you encountered? Please share below.


U.S. Senator Calls For Geo-Fencing To Keep Drones Away From High Value Targets

Most people like to travel. That includes airplane trips for business or for pleasure. And, everyone wants to travel safely. Newsday reported:

"The FAA reported 52 instances of pilots spotting drones in June and July 2014, but the rate of such sightings has risen to 275 in June and July 2015, the senator said. Schumer said he fears a drone may eventually be sucked into the engine of a plane or otherwise collide with aircraft."

This blog reported in August about two near misses in New York. For safety, U.S. Senator Chuck Schumer (Democrat-New York) proposed an amendment to the Federal Aviation Administration Re-authorization bill to require all remote-controlled aircraft sold in the United States to have tracking mechanisms installed. The mechanisms would use geo-fencing technology to keep drones away from high-value targets, such as airports, major parades, the Pentagon, major sporting events, and sports stadiums.

The Federal Aviation Administration (FAA) is responsible for maintaining the safety of our skies in the United States. The incident highlights the need for continued and stronger enforcement of aviation safety laws by drone operators:

"Unmanned aircraft systems are neither supposed to fly within five miles of an airport without notifying the airport operator and control tower nor are they supposed to go above 400 feet."

There will likely be a fight in Washington about the FAA Re-authorization bill. General Aviation News reported in July 2015:

"The House Transportation and Infrastructure Committee has delayed plans to release its proposed FAA reauthorization legislation. That occurred after the House majority leader informed the committee that consideration of the FAA reauthorization bill has been moved to September. The current FAA authorization expires Sept. 30. It was put into place after an agonizing 23 short-term extensions that stretched from September 2007 to February 2012. While some lawmakers had promised that wouldn’t happen with this reauthorization, a short-term extension of the authorization may be needed while lawmakers pound out the final bill."

About his bill amendment, the Senator said in a statement:

"There needs to be a clear strategy to address the public safety dilemma of reckless drone use because a future drone crash could spell real trouble. That’s why I am unveiling brand new federal language in Congress that would virtually eliminate any chance of drones crashing into planes and causing serious danger... If geo-fencing technology were mandated in every drone sold in America, it would go a long way toward preventing the kinds of near-misses that have occurred over the past few months, and still allow hobbyists to fly drones in safe places."

I agree. What are your opinions?


Medical Informatics Engineering, Concentra, Employers, Data Sharing, And Privacy

After receiving the breach notice from Medical Informatics Engineering (MIE) via postal mail, my wife and I wondered how MIE acquired her information. MIE's breach notice mentioned Concentra, a healthcare company we haven't done and don't do business with. Today's blog post describes what we learned during our search for answers, and how consumers aren't in control of their sensitive personal information.

Background

The breach was massive. The Journal Gazette reported 3.1 million breach notices sent to affected consumers nationwide. The U.S. Department of Health & Human Services listed 3.9 million consumers affected. Readers of this blog have reported breach notices received via postal mail in Alabama, California, Colorado, Florida, Georgia, Idaho, Indiana, Kansas, Kentucky, Maryland, Massachusetts, New Hampshire, Tennessee, Texas, and the District of Columbia. Concentra was one of many health care providers involved.

During our search for answers, my wife contacted her employer and a local clinic. Neither does business with No More Clipboard (MIE's cloud-based service) or with Concentra. On her behalf I contacted Concentra's nearest office in Wilmington, Massachusetts. The office's administrative person searched for information about my wife in Concentra's database. No record. The administrator referred me to a regional human resources representative, who confirmed the breach and suggested that Concentra may have obtained my wife's information from data-sharing during a sales pitch with employers. We continued to look for firmer answers.

The HR representative referred me to Edwin Bodensiek, the Vice President of Public Relations at Select Medical, the corporation that acquired Concentra in May, 2015. Select Medical's First Quarter 2015 10-Q Filing (Adobe PDF) explained:

"[Select Medical Holdings] announced on March 23, 2015 that MJ Acquisition Corporation, a joint venture that the Company has created with Welsh, Carson, Anderson & Stowe XII, L.P. (“WCAS”), has entered into a stock purchase agreement, dated as of March 22, 2015 (the “Purchase Agreement”), as buyer with Concentra Inc. (“Concentra”) and Humana Inc. (“Humana”) to acquire all of the issued and outstanding equity securities of Concentra from Humana. Concentra, a subsidiary of Humana, is a national health care company that delivers a wide range of medical services to employers and patients, including urgent care, occupational medicine, physical therapy, primary care, and wellness programs... For all of the outstanding stock of Concentra, MJ Acquisition Corporation has agreed to pay a purchase price of $1.055 billion..."

Humana had acquired Concentra in 2010. Now, Concentra is part of Select Medical. I contacted Mr. Bodensiek asking when, why, and how Concentra obtained my wife's sensitive personal information. My wife and I weren't sure we'd get any answers, and if so how long it would take.

What We Learned

After about a month, Mr. Bodensiek called with some answers. My wife had taken a temporary part-time job in February 2014 and that second employer used the Humana Wellness (e.g., Concentra) health care services. Mr. Bodensiek explained that the second employer sent an "eligibility file" to Concentra with data about its employees that were eligible for the employer-sponsored health care plan. That's when my wife's name, address, phone, and Social Security Number were transmitted to Concentra; and then to MIE, the electronic medical records vendor for Humana Wellness. Mr. Bodensiek described this as standard business practice.

My wife and I have health care coverage elsewhere, so she never intended to register, and did not register, for health care through this second employer. My wife's situation is not unique since five percent of the U.S. workforce works two or more jobs. (Vermont, South Dakota, Nebraska, Kansas, and Maine lead the nation with people working two or more jobs.) It's great that this second employer offered health care to its employees, but not so great that employees' sensitive information was shared regardless of whether or not the employees expressed an interest in coverage.

I'd like to publicly thank Mr. Bodensiek for his hard work and diligence. He didn't have to help, but he did. It gave us a good first impression of Select Medical. Hopefully, other breach victims have had success getting answers.

Implications And Consequences

Our experience highlights a business practice consumers should know: your employer may share your information with their health care provider whether you subscribe or not, and maybe without your knowledge. Maybe this sharing was for employees' convenience (e.g., faster, easier sign-up for health care), or for the employer's convenience (e.g., minimize processing effort and expense) by sending one, massive eligibility file. Regardless, the business practice has implications and consequences.

First, when an employer's administrative process sends to their health care vendor data about all employees (without an opt-out mechanism), then more data is shared than otherwise, and the process is arguably less private. Why? The health care provider receives and archives information about both subscribers and non-subscribers; patients and non-patients. A process based upon opt-in would be better and more private, since the data shared includes only employees who want to sign up for their employer's health care plan. Simply, fewer employee records with sensitive data (e.g., name, address, phone, Social Security Number) are shared, and there is less data for the health care provider to archive and protect (and further share with a cloud vendor).

Regarding the MIE breach, eligibility-file-sourced data about my wife was archived by MIE. That means MIE archived eligibility-file data about many other employees. So, MIE's database includes data about health-care subscribers and non-subscribers; patients and non-patients. When data breaches happen, the stolen archived data about non-subscribers opens those non-subscribers to identity theft and fraud risks. How long will this data about non-subscribers be archived? When will data about non-subscribers be deleted? Select Medical didn't say. I can only assume the archiving will continue as long as they decide, either solely or in combination with their employer clients.

Second, costs matter. The more data shared, the more records the health care provider and electronic records vendor must archive and protect. When data breaches happen, more data is lost and data breach costs (e.g., investigation, breach notification, identity protection services) are greater. A 2015 study by IBM found that the average total cost of a data breach was $3.8 million, up 23 percent from 2013. Given this high cost, you'd think that employers and health care providers would work together to minimize data sharing. Probably not as long as consumers bear the risks.

Third, if my wife had signed up for health care services with Concentra, then much more sensitive information would have been stolen in the MIE breach. One may argue who is to blame for the data security failure (e.g., breach), but at the end of the day: the employer hired Concentra, and Concentra hired MIE. There is enough blame to go around.

Fourth, the MIE breach highlights some of the places employees' sensitive information can be shared without their knowledge (or consent). If the MIE breach hadn't happened, would employees know their medical records were stored in the cloud? Would employees know about the eligibility-file sharing? One wonders. Employees deserve to know upfront.

Your sensitive personal information also moves when companies (e.g., health care providers, employers, cloud vendors) buy, sell, and merge with other companies. That includes your medical records. Since eligibility-file sourced data is archived, you don't have to be a health care plan subscriber or patient.

Fifth, for information to be private there must be control. The eligibility-file sharing suggests that employers have the control and not employees. Consumers like my wife have taken steps to protect themselves and their sensitive information by locking down their credit reports with Security Freezes. That data protection is largely undone by eligibility-file sharing with health care providers. Not good.

Consumers need a comparable mechanism to lock down their medical records and prevent eligibility-file sharing. Without such a mechanism, consumers have no control over either their medical or personal information. Without control, consumers lack privacy. You lack privacy.

It will be interesting to watch how Select Medical manages its new acquisition. The Select Medical website lists these core values:

"We deliver superior quality in all that we do. At Select Medical, we set high standards of performance for ourselves and for others. We provide superior services to our patients. We continually strive to uphold and improve our reputation for excellence.

We treat others as they would like to be treated. At Select Medical, we treat each other with respect and promote a positive environment where people feel valued. We are honest and open in our relationships and straightforward in our communications.

We are results-oriented and achieve our objectives. At Select Medical, we are focused and decisive in achieving our objectives and helping others achieve theirs. We accept responsibility for our decisions and actions. We are accountable for using our time, talents and resources effectively."

My wife and I know how we want to be treated. We want to be treated with respect. We know how we want our sensitive personal and health information treated:

  • Don't collect it unless we're patients,
  • Don't archive it unless we're patients,
  • Don't share it without notice and consent. Consent must be explicit, specific, for a stated duration, and for specific purposes,
  • Don't collect and archive it if you can't protect it,
  • Be transparent. Provide clear, honest answers about breach investigations and data-sharing practices,
  • Don't try to trick us with promises of convenience,
  • Hold your outsourcing vendors to the same standards,
  • Don't make consumers assume the risk. You benefited from data sharing, so you pay the costs, and
  • Two years of credit monitoring is insufficient since the risk is far longer.

What are your opinions? Does the data sharing by employers bother you?


OPM And DOD Hire ID Experts For Credit Monitoring And Post-Breach Services

Just before the long holiday weekend, the Office of Personnel Management (OPM) and the Department of Defense (DOD) announced a contract with Identity Theft Guard Solutions LLC (a/k/a ID Experts) to assist the 21.5 persons affected by the massive breach first reported in June. The contract provides three years of free services for persons with sensitive information stolen, such as Social Security numbers.

Breach victims will be notified during September. The contract includes coverage for breach victims and their dependent children under the age of 18. ID Experts will provide credit monitoring, identity monitoring, identity theft insurance, and identity restoration services. Beth Cobert, the Acting Director at OPM, said:

“We remain fully committed to assisting the victims of these serious cybercrimes and to taking every step possible to prevent the theft of sensitive data in the future.. Millions of individuals, through no fault of their own, had their personal information stolen and we’re committed to standing by them, supporting them, and protecting them against further victimization. And as someone whose own information was stolen, I completely understand the concern and frustration people are feeling.”

To learn more, the OPM suggested that breach victims sign up for email alerts and visit https://www.opm.gov/cybersecurity. The OPM announcement included advice for all breach victims to protect themselves and their sensitive information, plus additional information for residents of California, Kentucky, Maryland, and North Carolina.

Read the OPM announcement about its contract with ID Experts.


ESPN Report Links Spygate To Deflategate. Chronicles Decisions By NFL

If you haven't read it, there is a very interesting article at ESPN about the National Football League (NFL) and the New England Patriots team. After reading this ESPN article, it seems that the NFL has a gigantic mess on its hands. If the article is accurate, and its accuracy is questionable given ESPN's erroneous reporting previously of the number of deflated footballs, then the punishment by NFL Commissioner Roger Goodell for deflategate was linked to spygate.

A better-written ESPN article would have included embedded text links, for fans to read more and verify certain statements. Also, the article reads like a hit job on the Patriots... to tarnish the team’s brand and its value, thereby hurting Kraft in the wallet since QB Tom Brady won in court the first round against the league. At the same time, Goodell’s decision to destroy spygate evidence tarnishes the league’s credibility. Hence, huge mess. Some gems from the article:

“To many owners and coaches, the expediency of the NFL's [2008 spygate] investigation -- and the Patriots' and Goodell's insistence that no games were tilted by the spying -- seemed dubious. It reminded them of something they had seen before from the league and Patriots: At least two teams had caught New England videotaping their coaches' signals in 2006, yet the league did nothing. Further, NFL competition committee members had, over the years, fielded numerous allegations about New England breaking an array of rules. Still nothing. Now the stakes had gotten much higher: Spygate's unanswered questions and destroyed evidence had managed to seize the attention of a hard-charging U.S. senator, Arlen Specter of Pennsylvania, who was threatening a congressional investigation. This would put everyone -- players, coaches, owners and the commissioner -- under oath, a prospect that some in that room at The Breakers believed could threaten the foundation of the NFL.”

The supposed linkages between spygate and deflategate:

“Interviews by ESPN The Magazine and Outside the Lines with more than 90 league officials, owners, team executives and coaches, current and former Patriots coaches, staffers and players, and reviews of previously undisclosed private notes from key meetings, show that Spygate is the centerpiece of a long, secret history between Goodell's NFL, which declined comment for this story, and Kraft's Patriots. The diametrically opposed way the inquiries were managed by Goodell -- and, more importantly, perceived by his bosses -- reveals much about how and why NFL punishment is often dispensed. The widespread perception that Goodell gave the Patriots a break on Spygate, followed by the NFL's stonewalling of a potential congressional investigation into the matter, shaped owners' expectations of what needed to be done by 345 Park Ave. on Deflategate.”

And:

“... many former New England coaches and employees insist that the taping of signals wasn't even the most effective cheating method the Patriots deployed in that era. Several of them acknowledge that during pregame warm-ups, a low-level Patriots employee would sneak into the visiting locker room and steal the play sheet, listing the first 20 or so scripted calls for the opposing team's offense.”

A Patriots employee was caught filming in the Jets stadium during a 2007 game, and his camera was confiscated. Goodell’s decision to destroy this video evidence in 2008:

“During the first half, Jets security monitored Estrella, who held a camera and wore a polo shirt with a taped-over Patriots logo under a red media vest that said: NFL PHOTOGRAPHER 138. With the backing of Jets owner Woody Johnson and Tannenbaum, Jets security alerted NFL security, a step Mangini acknowledged publicly later that he never wanted. Shortly before halftime, security encircled and then confronted Estrella. He said he was with "Kraft Productions." They took him into a small room off the stadium's tunnel, confiscated his camera and tape, and made him wait... On Monday morning, Estrella's camera and the spy tape were at NFL headquarters on Park Avenue... Belichick explained that he had misinterpreted a rule, which the commissioner did not believe to be true, sources say, and that he had been engaged in the practice of taping signals for "some time." The coach explained that "at the most, he might gain a little intelligence," Goodell would later recall, according to notes. Belichick didn't volunteer the total number of games at which the Patriots had recorded signals, sources say, and the commissioner didn't ask... The next day, the league announced its historic punishment against the Patriots, including an NFL maximum fine for Belichick. Goodell and league executives hoped Spygate would be over... When Estrella's confiscated tape was leaked to Fox's Jay Glazer a week after Estrella was caught, the blowback was so great that the league dispatched three of its executives -- general counsel Jeff Pash, Anderson and VP of football operations Ron Hill -- to Foxborough on Sept. 18. What happened next has never been made public: The league officials interviewed Belichick, Adams and Dee, says Glaser, the Patriots' club counsel. Once again, nobody asked how many games had been recorded or attempted to determine whether a game was ever swayed by the spying, sources say. The Patriots staffers insisted that the spying had a limited impact on games. 
Then the Patriots told the league officials they possessed eight tapes containing game footage along with a half-inch-thick stack of notes of signals and other scouting information belonging to Adams, Glaser says. The league officials watched portions of the tapes. Goodell was contacted, and he ordered the tapes and notes to be destroyed, but the Patriots didn't want any of it to leave the building, arguing that some of it was obtained legally and thus was proprietary. So in a stadium conference room, Pash and the other NFL executives stomped the videotapes into small pieces and fed Adams' notes into a shredder...”

The article is filled with interviews with people who claimed this or that. No hard evidence. I guess this is how an oligopoly approaches investigations and “justice.” Lots of allegations, rumors, no proof, destruction of what little evidence existed, lots of fines (like big banks), and never true honesty with fans by telling fans everything.

Does your favorite NFL team cheat? Yes, according to the Your Team Cheats site.

Like I said, it’s a big mess. I'm glad I stopped watching the NFL back in 2013.


New Justice Department Policy Requires Warrants For Some Stingray Uses

Just before the holiday weekend, the U.S. Department of Justice (DOJ) announced a new policy where probable-cause warrants are required for federal agencies to use cellular-tower simulators or "stingrays." The new policy went into effect immediately. The DOJ announced on September 3 that the new policy:

"... will enhance transparency and accountability, improve training and supervision, establish a higher and more consistent legal standard and increase privacy protections in relation to law enforcement’s use of this critical technology... To enhance privacy protections, the new policy establishes a set of required practices with respect to the treatment of information collected through the use of cell-site simulators. This includes data handling requirements and an agency-level implementation of an auditing program to ensure that data is deleted consistent with this policy."

The new policy and stingray usage:

"... cell-site simulators may not be used to collect the contents of any communication in the course of criminal investigations. This means data contained on the phone itself, such as emails, texts, contact lists and images, may not be collected using this technology. While the department has, in the past, obtained appropriate legal authorizations to use cell-site simulators, law enforcement agents must now obtain a search warrant supported by probable cause before using a cell-site simulator. There are limited exceptions in the policy for exigent circumstances or exceptional circumstances where the law does not require a search warrant and circumstances make obtaining a search warrant impracticable. Department components will be required to track and report the number of times the technology is deployed under these exceptions."

The Electronic Frontier Foundation (EFF) discussed the new DOJ policy:

"Most importantly, starting today all federal law enforcement agencies—and all state and local agencies working with the federal government—will be required to obtain a search warrant supported by probable cause before they are allowed to use cell-site simulators. EFF welcomes these policy changes as long overdue... Until recently, law enforcement’s use of Stingrays has been shrouded in an inexplicable and indefensible level of secrecy. At the behest of the FBI, state law enforcement agencies have been bound by non-disclosure agreements intended to shield from public scrutiny all details... Law enforcement has gone to extreme lengths to protect even the most basic information about them, even dropping charges rather than answering judges’ questions about them."

The EFF article discussed how stingrays work and what they collect:

"... cell-site simulators masquerade as legitimate cell phone towers, tricking phones nearby into connecting to them. This allows agents to learn the unique identifying number for each phone in the area of the device and to track a phone’s location in real time... all mobile traffic (voice, data, and text) from every phone in the area could be routed through the Stingray, giving the operator the option to do anything from recording entire calls and texts, to selectively denying service to particular phones."

Powerful technology. The new DOJ policy has limitations. According to the EFF:

"The new policy isn’t law and doesn’t provide any remedy to people whose data is swept up by Stingrays operated without a warrant. Indeed, it won’t even act to keep evidence collected in violation of the policy out of court (this is known as suppression). The policy doesn’t apply to the use of Stingrays outside of the criminal investigation context. For instance, when federal agents use cell-site simulators for “national security” purposes, they won’t be required to obtain a warrant by the terms of this policy..."

And, most importantly:

"... without a statute or court decision giving this voluntary policy the force of law, there will be no consequences if law enforcement agents flout its terms and continue using Stingrays as they have—without warrants. With only this policy shielding us, there’s nothing keeping warrantless Stingray evidence out of court, and therefore nothing to deter agents from behaving badly."

U.S. Senator Patrick Leahy (D-Vermont) issued this statement on September 4 (link added):

"The Department of Justice’s new policies are finally starting to catch up with the rapid advancement of this tracking technology. For more than a year, Chairman Grassley and I have pressed the administration about the use of cell-site simulators, which sweep up cell phone signals from innocent Americans who are not targets of an investigation. Today’s announcement is a welcome step forward, and has the potential to bring transparency and consistency to the Department’s use of these tracking devices. However, I have serious questions about the exceptions to the warrant requirement that are set forth in this new policy, and I will press the Department to justify them."

Reportedly, earlier this year the Baltimore Police Department acknowledged that it had already used the stingray technology more than 4,300 times. The technology is used by many other police departments.

What are your opinions of the Justice Department's new policy? Just right, too little too late, or too much? Do your elected officials adequately represent your views on stingray usage?


Hacked Emails Indicate Sony Softened Its Upcoming Film To Avoid Irritating the NFL

The New York Times reported on Tuesday:

"When Sony Pictures Entertainment decided to make a movie focusing on the death and dementia professional football players have endured from repeated hits to the head — and the N.F.L.’s efforts toward a cover-up — it signed Will Smith to star as one of the first scientists to disclose the problem... even Sony, which unlike most other major studios in Hollywood has no significant business ties to the N.F.L., found itself softening some points it might have made against the multibillion-dollar sports enterprise that controls the nation’s most-watched game. In dozens of studio emails unearthed by hackers, Sony executives; the director, Peter Landesman; and representatives of Mr. Smith discussed how to avoid antagonizing the N.F.L. by altering the script and marketing the film more as a whistle-blower story, rather than a condemnation of football or the league."

In its upcoming film "Concussion," Will Smith stars as Dr. Bennet Omalu, a real forensic pathologist who first discovered a neurodegenerative disease called chronic traumatic encephalopathy (CTE) in the brains of football players. If you have watched the 2013 PBS Frontline documentary, “League of Denial: The NFL’s Concussion Crisis,” then you have a good idea what will happen in the film, assuming it sticks close to the facts. If you haven’t seen the documentary, you can learn more online.

Many people feel the league dragged its feet while investigating the disease, its impacts, and solutions. You can read my views about the league, its efforts, and its settlement agreement with former players. I stopped watching games during the 2013 season.

Of course, Sony is free to make the film it wants to make, and the upcoming film seems more entertainment than documentary. If you want a documentary, watch the Frontline episode. Sony's "Concussion" will debut in December 2015. I see two takeaways from the report in the New York Times:

  1. Sony "blinked" fearing pressure from the N.F.L.
  2. Hacked e-mails have a long shelf life and relevancy: a consequence of Sony's 2014 data breach

What are your opinions? The official trailer for the upcoming film is below.


Location Privacy. Does Your State Allow Warrantless Searches Of Cellphones?

Do your state's laws allow law enforcement to perform warrantless searches for cellphone location data? The American Civil Liberties Union (ACLU) released a report in which it researched each state's current laws to determine whether residents' location privacy is protected:

"... 18 states now require law enforcement to get a probable cause warrant before obtaining people’s cell phone location information. Six of those states protect both historical and real-time location information from warrantless search... This year alone, legislation was introduced in 17 states. Instead of waiting for Congress or the courts to act, state legislatures are leading the way..."

Metadata about your phone calls reveals who you called, who called you, when the call happened, and how long you talked. Geo-location data reveals your movements: where you went, when you left, when you returned, how long you stayed, places you passed by and didn't enter, and travel patterns (e.g., places you visit frequently and/or at certain times or on certain days).

The report included what's known (so far) about stingrays, the technology that uses fake cellular phone towers to spy on you and collect your phone usage and geo-location data:

"... New Hampshire has joined the ranks of states offering full probable-cause warrant protection to both historical and real-time cell phone location information. The Washington legislature unanimously passed a law requiring a warrant for use of “StingRay” cell phone tracking equipment, and Virginia enacted a similar law."

You can browse the report to read details about the laws (or lack thereof) in the state where you live. For example, the state where I live:

[Image: ACLU report on warrantless search laws by state. Massachusetts.]

Besides stingrays, other technologies threaten consumers' location privacy. The ACLU of Southern California and the Electronic Frontier Foundation (EFF) asked the California Supreme Court to review their lawsuit seeking access to automated license plate-reader (ALPR) data collected by the Los Angeles Police and Sheriff’s Departments. The EFF said in July:

"This case has significant precedential impact, setting a troubling standard allowing police to keep these records and details of its surveillance of ordinary, law-abiding citizens from ever being scrutinized. The appeals court ruling may apply not only to records collected with license plate cameras, but to data collected using other forms of automatic and indiscriminate surveillance systems, from body cameras and dash cameras to public surveillance cameras and drones. Without access to these records, we can’t ensure police accountability."

The case started in 2012 when local law enforcement refused to disclose ALPR data after the EFF filed a public records request:

"... cameras mounted on patrol cars and at fixed locations around the city and county of Los Angeles. ALPRs automatically take a picture of all license plates that come into view and record the time, date, and location where the vehicle was photographed. Because the agencies store the data for two to five years, they have been able to collect a massive amount of sensitive location-based information on mostly innocent Los Angeles residents..."

Reportedly, the reasons given by local law enforcement agencies:

"The agencies refused to turn over the records, claiming they could withhold the millions of license plate data points as “records of law enforcement investigations,” which are exempt from public review under the California Public Records Act. Incredibly, they argued that all drivers in Los Angeles are under criminal investigation at all times—whether or not the police suspect them of being involved in any criminal activity. The ACLU has estimated that as many as 99.8% of the vehicles photographed by ALPR cameras are never linked to any ongoing criminal investigation..."

Sadly, both the trial and appeal courts sided with the law enforcement agencies. So, the threat to consumers is two-fold: a) collection of data about law-abiding citizens without notice or consent, and b) lack of accountability for government surveillance programs that could extend into more technologies such as body cameras.

Last, none of this minimizes or condones surveillance by corporations, which is arguably more extensive than government surveillance. Terms such as behavioral advertising, geo-fencing, and targeted advertising are often used to describe private-sector surveillance, with vague promises of relevant advertising benefits. At the end of the day, surveillance is surveillance; tracking is tracking. Many law enforcement and spy executives have probably looked at the extensive private-sector surveillance with weak consumer protections and concluded, "if they can do it, so should we."

View the ACLU report and status of warrantless search laws in your state.