Previous month:
July 2016
Next month:
September 2016

14 posts from August 2016

Comcast And The Wireless Industry Defend 'Pay For Privacy' Schemes

Logo of CTIA, The Wireless Association Some big Internet service providers (ISPs) want consumers to pay for privacy. Earlier this month, both Comcast and the CTIA-The Wireless Association (formerly known as the Cellular Communications Industry Association) submitted comments about the broadband privacy rules proposed by the U.S. Federal Communications Commission (FCC) in April.

Portions of August 18, 2016 comments submitted by the CTIA to the FCC:

"Finally, we briefly noted that allowing consumers a variety of options regarding whether to receive a discount on broadband service in exchange for personalized advertising should be preserved. Hybrid payment models have been in commerce for centuries, including advertising supported magazines, grocery store loyalty programs, and app-based discount programs for retail establishments. Many internet companies rely on use of consumer data as their sole source of income, like search engines and social networks. Such offerings can lead to significant cost savings for all consumers, enable more valuable services for consumers, and mirror much of the economic activity that consumers expect. On this point, we provided a copy of a recent report by the Information Technology & Innovation Foundation, titled “Why Broadband Discounts for Data are Pro-Consumer,” which is attached to this filing."

Let's unpack this. It says that ISPs should be able to charge their customers for privacy, since many ISPs rely upon using (and reselling) their customers' information to make money. This would be an opt-out for customers, since the default is customers' information is used and resold. There are several problems with this approach:

  1. The pay-for-privacy business model is camouflaged in a seemingly harmless term: "hybrid payment models"
  2. The CTIA's argument falsely assumes ISPs are equivalent to search engines or social networking sites. They aren't. When a consumer uses the Internet, he/she has a choice of which search engine or social networking site to use; or none. Not so with ISPs. A consumer must use the Internet to do anything. Plus, there is a lack of ISP competition in key markets, which provides consumers with fewer choices. Is the industry suggesting more competition? Doubtful. In fact, the industry lobbied for and obtained local laws in about 20 states that deny residents the rights and benefits from competition by community-run ISPs; laws which a federal court recently (and mistakenly) upheld. And, proposed legislation to encourage ISP competition to gain lower prices and more choices for consumers has been blocked by the industry, by politicians, by attorneys general in some states.
  3. The CTIA's position is harmful. It essentially says this: the default is no privacy. Customers get privacy only when they pay for it. Huh? I find this at odds with traditional property rights laws. Information about consumers is owned by consumers until and unless they share it.
  4. Most customers already pay a monthly fee for Internet access. So, paying for privacy amounts to a price increase... a premium price, for something that should be baked into the service at the start. Plus, consumers in the United States already pay more for broadband and get slower speeds compared to other countries.
  5. The pay-for-privacy model does not address under- and un-served broadband segments: rural and low-income consumers. One could argue that paying for privacy is a greater burden on low-income consumers, when everyone has property rights and Fourth Amendment rights.
  6. Consumers need simplicity and clarity. For example, should a service offer a pay-for-privacy, it should mention optional components (e.g., web browsing, scan email contents, scan text message content, etc.) with standardized labels and language. Otherwise, consumers have more difficulty comparing services, and privacy policies that are already too long, complicated and difficult to read become even more so.

Comcast logo The CTIA's position seems to have followed Comcast's position. Portions of August 1, 2016 comments submitted by Comcast to the FCC:

"We also urged that the Commission allow business models offering discounts or other
value to consumers in exchange for allowing ISPs to use their data. As Comcast and others have argued, the FCC has no authority to prohibit or limit these types of programs. Moreover, such a prohibition would harm consumers by, among other things, depriving them of lower-priced offerings... A bargained-for exchange of information for service is a perfectly acceptable and widely used model throughout the U.S. economy, including the Internet ecosystem, and is consistent with decades of legal precedent and policy goals related to consumer protection and privacy.

Finally, we discussed how Comcast has partnered with vendors who have helped to
enhance consumer data privacy, and that the Commission should be clear that any rules it adopts do not prevent ISPs from providing CPNI to a vendor based on implied consent, provided the ISP has an agreement with the vendor requiring it to safeguard the CPNI and to use it solely on behalf of and as directed by the ISP..."

The same problems I listed above also apply to Comcast's comments. This is not theory. MotherBoard reported:

"Telecom giant AT&T already offers such a [pay for privacy] plan, called “Internet Preferences,” which tempts consumers with “best pricing” if they are willing to let the company “use your individual web browsing information, like the search terms you enter and the web pages you visit, to tailor ads and offers to your interests.” Users who opt-out of "Internet Preferences," which DSLReports calls a “deep packet inspection program that tracks your browsing behavior around the internet—down to the second,” face a $30 premium on their monthly bill."

Last year, Gigaom reported that price premium by AT&T for privacy is really far more:

"But $29 isn’t actually the price that AT&T charges per month for privacy. As I discussed back in May last year after I tried to sign up for AT&T’s GigaPower service to find out more about the pricing and the disclosures associated with the plan, the actual costs were closer to $44 or even $62 per month. This time around the price differentials are $44 for gigabit internet and $66 for HD TV and HBO Go plus gigabit internet."

Like anything else, the devil is in the details. $44 and $62 monthly both sound excessive. Apparently, the more services a consumer has, the more privacy costs. Regular readers of this blog already know about CPNI notices from AT&T.

The problems I see with both Comcast's and the wireless industry's pay-for-privacy positions are rooted in a lack of trust and transparency. The ISP industry has a long history of abuses, customer service failures, and a lack of transparency. Both the Gigaom and MotherBoard articles mentioned above highlight problems and failures, plus:

Consumers are rightfully wary and skeptical of pay-for-privacy schemes. Plus, consumers have no way to confirm that in a pay-for-privacy scheme their information is not being reused and resold anyway.

A solution based upon transparency that promotes trust would help: regular privacy audits by an independent third-party to ensure that the information of consumers who paid a privacy price premium are getting what they paid for.

Also available in this blog are the CTIA letter to the FCC (Adobe PDF; 247.2K bytes), and Comcast's letter to the FCC (Adobe PDF; 176.3K bytes).

To me, the whole thing smells like another excuse for ISPs to increase prices on services that are already too expensive and too slow. What do you think?

Royal Caribbean's Allure Of The Seas: Built For Families

Recently, my family and I sailed on Royal Caribbean cruise line's Allure of the Seas mega-ship from Fort Lauderdale, Florida to destinations in the Caribbean: St, Kitts, St. Thomas (USVI), and Nassau, Bahamas. This was our 26th cruise, so my wife and I have sailed on a variety of cruise lines and ships to many places around the planet. For this 7-night sailing, our daughter, son-in-law, grandchildren (ages 10 and 8), and in-laws joined us.

Our travel agent had arranged TSA Pre-Check boarding for our JetBlue flights, which made travel stress-free and easier. If you travel frequently, the fees for TSA Pre-Check are a no-brainer. We arrived in Fort Lauderdale three days before the ship's departure. We usually arrive early so any flight delays (due to weather or equipment) don't cause us to miss the cruise ship's departure. Experienced travelers know that if you miss the ship's departure, it is the passenger's responsibility (and cost) to catch up with the ship in the next port.

Early arrival in Florida also provided plenty of time to relax poolside at the hotel, explore the departure city, and sample several nearby restaurants. The Crowne Plaza Fort lauderdale Airport/Cruise featured comfortable beds, spacious rooms, and a large, relaxing pool. The main draw for us was the shuttles provided by the hotel both from the airport and to the cruise port.

The boarding process at Port Everglades, the cruise terminal in Fort Lauderdale, was well-organized and easy. We checked our luggage with the porters, and waited for our daughter and her family. When they arrived, we all entered the check-in line, passed through security, and boarded the ship. Our stateroom was ready, so we left our carry-on bags there and explored the ship. We booked an inside stateroom for this sailing, since we expected to spend very little time thee. On prior sailings we've booked outside staterooms (with a larger window) or staterooms with balconies.

The Allure OTS is a mega-ship in the truest definition. At 222,282 tons, it was the largest cruise ship for six years until Royal Caribbean's Harmony of the Seas debuted in May, 2016. Our sailing on July 24 included 6,464 passengers, of which about 1,700 were children under the age of 16. It offers 25 different dining options with a crew of 2,384. Besides the standard dining rooms, the ship offers the Chops Grille American steakhouse, Sabor Taqueria and Tequila Bar, Izumi Hibachi and Sushi, Giovanni's Table Italian restaurant, Starbucks, and a Johnny Rockets hamburger shop.

Royal Promenade. Allure of the Seas. Click to view larger version The ship includes seven "neighborhoods" or areas. Situated indoors and length-wise the cruise ship, the Royal Promenade (Deck 5) features several retail stores, art gallery, a Champagne bar, restaurants, nightclubs with live music, duty-free stores, comedy club, karaoke bar, and the customer service desk. You'll often see children posing for photos with characters from "Shrek," "Madagascar," and other animation films produced by DreamWorks Animation.

View of Carousel. Allure of the Seas. July 2016. Click to view larger version The outdoor Boardwalk (Deck 6), modeled after Coney Island amusement area in New York City, features several retail shops, ice cream and pizza, casual-dining options, a merry-go-round, and the AquaTheatre. I've never seen a merry-go-round on a cruise ship before, and I doubt you have either.

The Pool & Sports Zone (Deck 15) features the H20 Zone water park, several swimming pools, several hot-tubs that easily seat 14 persons each, plenty of deck space with umbrellas to enjoy the sun, several bars for adult refreshments, and guest services to get beach towels. Beach towels are free, but the cruise line will charge you if you don't return it. Also on Deck 15 is the full-size basketball court, miniature golf course, two Flow-Rider surf simulators, and an 82-foot long Zip Line. Lessons are available for the surf simulators.

View of Central Park. Allure of the Seas. July 2016. Click to view larger version Outfitted with 60 trees and about 12,000 plants, the Central Park (Deck 8) is an outdoor park with recorded birds chirping, upscale dining options, shady spots to relax at, and access to the Rising Tide bar. Like an elevator, this bar for adults moves between decks 5 and 8 on a daily schedule. I've never seen a park before on a cruise ship. It is definitely a must-see neighborhood. Since I practice Tai Chi, I asked if there were classes on board. A crew member replied that a group practiced in Central Park at 6:00 am. I thanked her for the tip, and didn't join that group. I was on vacation and rising early was not a priority.

The Vitality Sea Spa & Fitness Center (Deck 6); far larger than fitness centers on other cruise ships, covered two decks and featured plenty of treadmills and exercise equipment. Like other cruise ships, passengers can get their hair done in the salon for formal dinner nights, or experience a a relaxing massage (e.g., full-body,, detox, hot stone, bamboo, etc.) in the spa. There is easy access from the fitness center to the Jogging Track (2.4 laps = 1 mile). You can run, jog, or walk comfortably out of the wind and in the shade.

Flow Rider. Allure of the Seas. Click to view larger version A large portion of the ship is dedicated to children and families. This includes activities in the Adventure Ocean day-camp program, the H2O Zone water park, two 43-foot high rock-climbing walls, two Flow-Rider surf simulators, an 82-foot long Zip Line, the merry-go-round, a 3-D movie theater, a miniature golf course, a full-sized basketball court, an ice-skating rink with shows and open skating, and video arcade. The day camp program provides parents with plenty of opportunities for "couple's time."

For adults, there are several nightclubs with adult entertainment, the Solarium and Solarium Bar (decks 15 and 16), the Casino Royale (Deck 4), and numerous upscale dining options. The Allure Of the Seas truly offers plenty of activities for everyone. If you try to do it all, then you'll probably need a vacation to recover from your cruise vacation.

Rock Climbing Wall. Allure of the Seas. Click to view larger version The Allure of the Seas was refurbished in May, 2015. Several shops, public areas, and the WiFI were upgraded. Royal Caribbean's investment showed. My Internet connection was consistently very fast throughout the entire voyage; unlike other ships. If you seek quiet places on the ship (without music, noise or recorded birds chirping), there are several, including the Card Room (Deck 14), Library (Deck 11), and the Solarium (Decks 15 and 16). If you seek a place away from children, the Solarium is a good choice.

Like other Royal Caribbean cruise ships, the next day's activities are listed in the daily Cruise Compass newsletter, delivered each evening to your stateroom. This newsletter is a handy tool. It also lists discounts and sales in the on-board retail stores, hours of operation of the restaurants and dining options, movies in the cinemas, and the live entertainment daily in the theaters and nightclubs.

Royal Caribbean encourages passengers to make your reservations for dining, shows, and nightclub music performances before you sail. This is one of several new trends in cruise vacations. Many people like it. I don't. It used to be that you could arrive early for any show and walk right in. Now, walk-ins must wait until all guests with reservations are seated first. For me, this mandatory reservations system removes the spontaneity and freedom of deciding what to do based upon how you feel at that moment.

H2O Zone water park. Allure of the Seas. Click to view larger version Overall, I give the Allure of the Seas excellent marks. The ride was very smooth, and most of the time you didn't know you were at sea on a cruise ship. The ship's layout and venues are well organized, and the crew is very professional. Most of the time, I did not realize I was on a ship with 6,464 passengers. About the only time the ship felt crowded was in the Promenade. When the Promenade was crowded, it looked and felt like any land-based shopping mall between Thanksgiving and Christmas holidays. I like to go on cruises to get away from land-based attractions, not replicate them.

If you have sailed on the Allure of the Seas, what was your experience? Which neighborhood on the ship was your favorite?

Climate Change Denier Feels the Burn

Below is a recent exchange of tweets on Twitter. The blog post continues after the image:

Twitter conversation between astrophysicist and climate change denier

You can read more about the incident here and here. Follow Dr. Katherine J. Mack (@AstroKatie) on Twitter. Can a troll be so stupid as to not know who he is insulting? Like it or not, the realities and consequences of climate change are already happening. Yet, some people seem to insist upon denial... learning the hard way.

I've met climate-change skeptics who, in an attempt to appear informed and reasonable, claimed, "I believe in climate change, but I'm not convinced it is caused by humans." The Union of Concerned Scientists explained how and why we know that today's climate change is primarily caused by humans. That explanation should be mandatory reading by everyone.


Also this month, a conservative radio talk-show host criticized Neil deGrasse Tyson, the Frederick P. Rose Director at the Hayden Planetarium in New York City. Dr. Tyson thoroughly debunked the fact-free criticism. Is it insult-an-astrophysicist month?


Honolulu Newspaper Studies Police Officer Misconduct

On Tuesday, the Honolulu Star-Advertiser reported the results of its survey:

"Nearly 1 of every 6 current Honolulu Police Department officers have been taken to court over criminal or civil allegations of wrongdoing, ranging from excessive force to domestic abuse, according to a first-of-its-kind analysis by the Honolulu Star-Advertiser. Just since 2010, an officer has been arrested or prosecuted at the rate of one every 5.7 weeks... more than 330 officers, or nearly 16 percent of the 2,100-member squad, have been named as defendants in criminal cases, temporary restraining orders and wrongful-conduct lawsuits since joining the force. Most of the lawsuits alleged on-duty civil rights violations, while most of the TROs involved off-duty conduct... about 5 percent of officers account for a disproportionate share of complaints against police..."

Some convictions have resulted:

"Of the 55 criminal cases from the past six years that the newspaper examined, more than half resulted in convictions or deferred pleas of guilty or no contest. The deferrals give the defendants the opportunity to keep their records clean if they stay out of trouble for a certain length of time. Most of the 18 officers whose pleas were deferred remain on the job. Only one of the 14 who were convicted is still an HPD officer."

How this compares to other cities in the United States:

"Although the department has not been hit by the racial strife over high-profile fatalities that has rocked some mainland police forces, it has had a steady dose of controversial cases, including ones that have cost taxpayers millions of dollars in lawsuit settlements... Although the Star-Advertiser was unable to compare HPD’s 1-in-6 ratio with rates at other comparable departments, it was able to crunch numbers from a recent national study that Stinson and several of his Bowling Green colleagues published on officer arrests. HPD did not fare well. Using Google-based searches of news articles, the researchers compiled data on arrests from 2005 to 2011 involving officers at hundreds of law enforcement agencies across the country. Based on those data, HPD had the 10th-worst rate per 100,000 population among the more than 80 police departments with at least 1,000 full-time officers. It was 11th worst on a per-1,000 officers basis."

Kudos to the Star-Advertiser for an informative report. Transparency matters. Accountability matters.

Read the Bowling Green State University (BGSU) announcement about the April, 2016 study by Philip Matthew Stinson, Sr., J.D, Ph.D. and associates titled, "Police Integrity Lost: A Study of Law Enforcement Officers Arrested" (Adobe PDF).

The Star-Advertiser's report seems to highlight an opportunity for newspapers across the United States. I am sure that readers are curious about how their local police department rates. Ideally, follow-up studies will also include data about convictions. What do you think?

Pokemon Go: The Good, The Bad, And The Ugly

Pokemon Go mobile game image. Click to view larger version The game's popularity proliferated after a July 6 launch in Australia, New Zealand, and the United States: 7.5 million downloads during its first week; 50 million downloads from Google Play during its first month; and it was WikiPedia's most visited article by mid-July. (View the game's Wikipedia pageviews.) Everyone noticed. Early in July, a former advertising coworker joked on Facebook:

" 'How about we partner with Pokemon Go?' -- Said in every office at every agency for every client this morning."

Probably. The augmented-reality (AR) mobile game requires players to travel real-life streets to find and capture digital characters superimposed on locations and displayed on the screens of players' phones. The game's screens also display PokeStops and gyms, locations superimposed on real-life landmarks. The CNN video at the end of this blog post provides a good summary. The Apple iTunes site explains important game details:

"Search far and wide for Pokémon and items: Certain Pokémon appear near their native environment—look for Water-type Pokémon by lakes and oceans. Visit PokéStops, found at interesting places like museums, art installations, historical markers, and monuments, to stock up on Poké Balls and helpful items... As you level up, you’ll be able to catch more-powerful Pokémon to complete your Pokédex. You can add to your collection by hatching Pokémon Eggs based on the distances you walk... Take on Gym battles and defend your Gym: As your Charmander evolves to Charmeleon and then Charizard, you can battle together to defeat a Gym and assign your Pokémon to defend it against all comers."

Pokemon Go mobile game image with character. Click to view larger version For many players, Pokemon Go has been a nostalgic return to their youth when Pokemon existed in cartoons, video games, and board-games. Some experts have speculated that the game's popularity, as measured by daily active users, may have peaked in the United States.

What do we know so far about the AR game? What has happened since the game's launch? What happens when a mobile fantasy game combines real-life locations? Are non-players affected? What might be the implications for future AR games? I looked for answers, found plenty, and organized my findings into good, bad, and ugly categories -- with apologies to Mr. Leone and Mr. Eastwood.

The Good

Niantic Labs developed the game for Apple iOS and Android devices. Earlier this month, the game debuted in Latin America. Reviewers have cited the game's addictive qualities:

"... Pokemon Go’s game designers have perfectly executed on the “Hook Model” — a framework for gamification and getting users to come back again and again and again."

Advocates have said that the game has gotten gamers off of their couches (e.g., butts) and out into the real world to get exercise, meet people, and explore locations they probably wouldn't have visited otherwise. Sounds good.

Within the game, PokeStops and gyms are located in publicly-accessible locations, such as theme parks, gardens, and museums. This has increased the sales at some nearby, small businesses. IGN reported on July 21:

"Bok Tower Gardens, a “contemplative garden” and National Historic Landmark located in Lake Wales, Fl, is saturated with PokeStops. The non-profit recorded a 10 to 15 percent increase in ticket sales during the first week of Pokemon Go’s release... So far, the only way to become a PokeStop or gym is to send in a request to Niantic Labs, but it isn't likely to be accepted unless the location is one of cultural significance or in a Pokemon Go deadzone."

The Twitter account Pokemon Archaeology catalogs Pokemon sightings in historic locations. The National Park Service (NPS) has welcomed gamers in many of its parks, but not at memorial sites. Some National Parks have featured programs with the game. Earlier this month, the Sleeping Bear Dunes National Lakeshore offered a new program called "Pokemon Hunt:"

"... to connect “Pokemon Go!” with real-world flora and fauna... This interactive, ranger-guided walk will allow visitors to uncover the creatures, both physical and virtual, that can be found within the National Lakeshore. They will learn how these creatures do or do not fit in with the rest of the environment, and what can be done to help them thrive. At the end of the program, visitors will be able to design their own Pokemon. “Trainers” of all ages are welcome."

This summer, the NPS celebrates 100 years of operations. Gamers should check the NPS site to learn about any discounts and programs before visiting a park.

Some local businesses near colleges and universities experienced increased sales from gamers. Minnesota Daily reported:

"Many local Minneapolis businesses have considered, or implemented, special promotions to attract more mobile-gamers. Last week, Sencha Tea Bar in Stadium Village released three special shakes in correspondence with the three color teams of the game — red, yellow and blue — said store manager Josh Suwaratana. Suwaratana said the store does special shakes for other occasions, so the Pokemon shakes weren’t anything out of the ordinary... Sencha is also located next to a Pokestop — a real-life location where players can obtain items in the game. Suwaratana said the proximity to the Pokestop has helped business attract players."

The BBC News reported that the game helped an autistic teenager. Autism Speaks published this perspective by a psychologist:

"... I would encourage parents to seize the opportunity for their children to capitalize on this gaming experience while at the park or when running errands. My advice is not to judge this new gaming experience as all bad and in need of limits. Rather let’s embrace a step toward video games and virtual reality that may one day be tailored to inspiring those we love with autism spectrum disorder (ASD) to leave the house and receive points/rewards/tokens for gathering information from other people they encounter in the store, at work, or at a place of leisure. To me that sounds an awful lot like what I have been trying to get them to do by learning social skills in my office each week..."

To focus the world's attention upon the impacts to citizens and children, activists have added Pokemon characters to images from war zones. C/Net reported on July 26 that Khaled Akil, a Syrian artist:

"... has taken Pokemon Go creatures and Photoshopped them into pictures of his war-torn homeland, presenting a stark contrast between the whimsy of the augmented-reality game and the sobering day-to-day realities of war... In one image, a young boy walks his bike through a street lined by bombed-out buildings, a Vaporeon by his side. In another, a Pikachu rests on a block of rubble next to a burning car... the activist group Revolutionary Forces of Syria Media Office has been tweeting poignant photos of kids holding up printouts of popular Pokemon creatures, along with their locations, which are identified as being near areas of heavy fighting, and the words 'save me'..."

To view photos, follow the links in the C/Net article to Akil's website and Instagram account.

The Niantic Terms of Service policy clearly encourages safe game play and describes players' responsibilities:

"During game play, please be aware of your surroundings and play safely. You agree that your use of the App and play of the game is at your own risk, and it is your responsibility to maintain such health, liability, hazard, personal injury, medical, life, and other insurance policies as you deem reasonably necessary for any injuries that you may incur while using the Services. You also agree not to use the App to violate any applicable law, rule, or regulation (including but not limited to the laws of trespass) or the Trainer Guidelines, and you agree not to encourage or enable any other individual to violate any applicable law, rule, or regulation or the Trainer Guidelines. Without limiting the foregoing, you agree that in conjunction with your use of the App you will not inflict emotional distress on other people, will not humiliate other people (publicly or otherwise), will not assault or threaten other people, will not enter onto private property without permission, will not impersonate any other person or misrepresent your affiliation, title, or authority, and will not otherwise engage in any activity that may result in injury, death, property damage, and/or liability of any kind."

The "Conduct, General Prohibitions, and Niantic’s Enforcement Rights" section of the policy also lists the responsibilities of players, including players will not:

"... trespass, or in any manner attempt to gain or gain access to any property or location where you do not have a right or permission to be..."

So, it is important for players to know their responsibilities. Do they? Keep reading.

The Bad

Foot traffic by gamers in public parks hasn't been all good. Some gamers have ignored local laws and ordinances. WPRI in Providence, Rhode Island reported:

"Members of the East Providence Police Department said “Pokemon Go” has drawn huge crowds of people to local parks after hours... Officers say they have responded to several calls about the crowds. “They are very peaceful, they’re not causing problems, but it is in a public area – in public parks – and people who live in those areas do deserve to have their rest at night,” said Maj. William Nebus of the East Providence Police Department. “Our parks do close at 9 p.m. and just to have 200 people lurking in overnight hours is not peaceful to the residents.”

Law enforcement in Michigan ticketed players with misdemeanors after late-night, 12:30 a.m. game play. Nearby property owners have found players intrusive. There are two implications. First, it's important for players to understand and comply with local town ordinances and hour restrictions. Second, taxpayers will likely absorb the additional costs of park maintenance, clean-up, and law enforcement patrols to address the increased foot traffic in local parks.

It's critical for players to remain alert. In somewhat weird news, a gamer kept playing after being stabbed by a mugger. And a North-Texas teenager was bitten by a venomous snake while playing. In Missouri, criminals staked out known PokeStops and robbed players. A gamer in Riverton, Wyoming found a dead body.

While some gamers play on foot, others drive their vehicles. As you've probably guessed, there have been auto accidents. The Atlanta Journal-Constitution reported:

"A driver, distracted by a Squirtle or a Zubat, caught a tree, instead of a Pokemon. That collision occurred last month in Auburn, N.Y., near Syracuse. A few days later, a 28-year-old driver on a highway near Seattle told officials he was focused on the hunt for Pikachu when he ran into the rear end of a Chevrolet. Another distracted driver in Baltimore smashed into a police car. A parked police car."

Like any game, some gamers play by the rules while others don't. An entertaining video listing the ways players cheat has more than 6.7 million views. Niantic highlighted its policy toward cheaters:

"Your account was permanently terminated for violations of the Pokémon GO Terms of Service. This includes, but is not limited to: falsifying your location, using emulators, modified or unofficial software and/or accessing Pokémon GO clients or backends in an unauthorized manner including through the use of third party software."

Soon after the game's debut, privacy risks were discovered:

"Security researcher Adam Reeve noted that when some users sign into Pokemon Go through Google on Apple devices, they effectively give the game and its developer full access to their Google account; this means, that at least in theory, Niantic... can access players' Gmail-based email, Google Drive based files, photos and videos stored in Google Photos, and any other content within their Google accounts. From a technical perspective, Niantic could potentially send emails on your behalf, or copy and distribute your photos. This is obviously concerning. Perhaps even scarier - and more eye-opening - is that users are accepting such permissions en masse without regard for the risks."

Since then, Niantic and the Pokemon Company notified Engadget that it fixed the bug in a subsequent update. Regardless, the Offensive Privacy blog warned players who have signed up using their Google credentials:

"... to review Google's guide on controlling and revoking app access to your account and check your account to see what permissions the game has. If it still has full access to your Google account, you can simply revoke access, then sign-in to the game again using your Google account. Your data will be safe and you can ensure your Google account is safe as well."

The Offensive Privacy blog offered privacy tips given the game's usage of smartphone cameras:

"While it's a bit outlandish to think that Niantic collects the video streams from every device, it is always a possibility that cannot be completely ruled out. This means anything your camera sees could, in theory, be stored by Niantic... I suggest some common sense tactics that apply to all cameras and video streams when using the AR mode of the game: 1) Never allow the camera to see personal ID such as your license, passport, or other sensitive document; 2) Never let the camera see a license plate or government building. This is especially true for those working in high-security environments; and 3) Avoid letting the camera see street signs, your house, house numbers, etc. It's also possible that metadata could be embedded in the image and made available if the image is shared publicly..."

Regular readers of this blog are already familiar with the privacy issues associated with metadata collection. Some players may be surprised that tips to maintain privacy while playing requires effort.

Yes, security researchers have already found malware embedded in a rogue version of the Pokemon Go app. So, shop wisely at reputable sites and follow these tips to avoid the malware.

One measure of popularity are parodies. There is a porn parody of the game titled, "Poke-mon Ho!" Depending upon your lifestyle, you might categorize this as "good." Yes, the parody reportedly is NSFW. No, I haven't seen it.

The Ugly

Some property owners view the game as inappropriate for their locations. CNN Reported in July:

"The United States Holocaust Memorial Museum and Arlington National Cemetery, both in Washington, DC area, have both issued appeals for players to avoid hunting Pokemon on their sites. "Playing Pokemon Go in a memorial dedicated to the victims of Nazism is extremely inappropriate," said Andy Hollinger, director of communications at the United States Holocaust Memorial Museum in Washington, D.C., in a statement sent to CNNMoney. "We are attempting to have the Museum removed from the game," the statement said... Pokemon Go has a link set up for people to report sensitive locations and contact on its website... According to a statement from The Pokemon Company International and Niantic -- the creators of Pokemon Go -- Pokestops and gyms in the app are found at publicly accessible places. That includes historical markers, public art installations, museums, monuments -- and apparently churches."

I see two problems with the approach the game's developers used. First, the approach seems to have treated all public spaces the same, without considering the unique needs of cemeteries, memorials, and similar places. Game-play isn't appropriate everywhere. Second, Niantic's approach automatically included real-life locations as PokeStops and gyms without first obtaining the property owners' permissions. This approach places the burden on property owners (who aren't players nor participants) to opt-out of the game. Not good. Maybe this was a slick attempt to force property owners to participate. Not good.

Some players have wandered onto nearby private properties. ComputerWorld reported on August 2:

"Jeffrey Marder, a resident of West Orange, N.J., found in the days after the release of the successful augmented reality game Pokémon Go, that strangers, phone in hand, had begun lingering outside his home. At least five of them knocked on Marder’s door and asked for access to his backyard to catch and add to their virtual collections of the Pokémon images, superimposed over the real world, that the game developer had placed at the residence without his permission."

Marder is part of a lawsuit alleging that the game included locations on private properties, without the owners' permissions. The Click on Detroit site reported on August 15:

"Scott Dodich and Jayme Gotts-Dodich, of St. Clair Shores, filed a class action lawsuit against Niantic, The Pokemon Company and Nintendo... The couple lives on a private cul-de-sac and alleges that over several weeks, Pokemon Go players parked their vehicles on their street and blocked driveways. The couple also alleges that players trespassed on lawns, trampled landscaping and peered into windows. The complaint also alleges that when Jayme Gotts-Dodich asked a Pokemon Go player to leave her property, the player told her to “shut up b****, or else... The suit alleges that the intentional, unauthorized placement of Pokestops and Pokemon gyms on or near private property constitutes a continuing invasion of use and enjoyment. Due to the ignored repeated requests for removal, the couple believes that Niantic is liable for nuisance and that all defendants have been unjustly enriched.”

If a disagreement arises between Niantic and a player, that may not be resolved in court in front of a jury of the gamer's peers. The Niantic Terms of Service policy strips gamers of that right:


To opt out of binding arbitration, players must do so within 30 days of sign up. This BoingBong explained how to opt out, and the associated issues. Of course, players should read all game policies in their entirety before sign up. (You did, right?) Regular readers of this blog are familiar with the issues with binding arbitration.

The Future

Given the success so far of Pokemon Go, it seems wise to expect copycats. The Motely Fool speculated:

"Pokemon Go has added a new layer of excitement to a day at Disney World for those who seek that variety of enchantment. Disney is benefiting from the craze, even as non-players shake their heads while swerving around distracted gamers. This also could and should be just the beginning. It's only a matter of time before it rolls out its own augmented-reality app... A Disney app likely also wouldn't include a Pokemon-like battle element, at least not in terms of pitting Pluto against Yoda in combat. However, the Disney gym equivalent could be mini-game stations offering everything from speed Disney trivia matches to Virtual Magic Kingdom-type competitions... There are more than 200 Disney Store locations scattered across North America, and more than 120 overseas. These stores can also serve as character-collecting hubs, giving players a local connection for special events. It would also keep interest active outside of theme park visits..."

You can bet we'll see many more AR games with fantasy or fictional characters; probably with co-marketing agreements between AR games, movies, fast-food restaurants, toy stores, and the few remaining shopping malls. Experts estimate the global AR market to be $117.4 billion by 2022.

It's not just fantasy characters. Experts have estimated the augmented reality and virtual reality market within healthcare to be $2.54 billion by 2020. Hopefully, more games (and other services) will offer in their policies opt-out mechanisms from restrictive binding arbitration clauses.

What are your opinions of Pokemon Go? Of AR games? What advantages and disadvantages have you found? Does the good outweigh the bad?

Data Breaches At HEI Hotels & Resorts Affects 20 Properties In At Least 10 States

HEI Hotels and Resorts logo On Friday, Hei Hotels and Resorts (HEI) announced data breaches that affected 20 properties in 11 states. According to the company's breach notice, hackers installed malware within the company's payment processing systems to collect customers' payment data.

The payment information stolen included the names, payment card account numbers, card expiration dates, and verification codes of customers who used their payment cards at point-of-sale terminals. The list of hotels by state:

State City & Property
California La Jolla: San Diego Marriott La Jolla
Pasadena: The Westin Pasadena
San Diego: Renaissance San Diego Downtown Hotel
San Francisco: Le Meridien San Francisco
Santa Barbara: Hyatt Centri Santa Barbara
Colorado Snowmass Village: The Westin Snowmass Resort
District of Columbia Washington: The Westin Washington DC City Center
Florida Boca Raton: Boca Raton Marriott at Boca Center
Fort Lauderdale: The Westin Fort Lauderdale
Miami: Royal Palm South Beach Miami
Tampa: InterContinental Tampa Bay
Illinois Chicago: Hotel Chicago Downtown
Minnesota Minneapolis: The Hotel Minneapolis Autograph Collection
Minneapolis: The Westin Minneapolis
Pennsylvania Philadelphia: The Westin Philadelphia
Tennessee Nashville: Sheraton Music City Hotel
Texas Fort Worth: Dallas Fort Worth Marriott Hotel & Golf Club
Vermont Manchester Village; Equinox Resort Golf Resort & Spa
Virginia Arlington: Le Meridien Arlington
Arlington: Sheraton Pentagon City

The exact date of the breaches varied by property. Some breaches occurred as early as March, 2015 while others continued until as recent as June 17, 2016. A card processor notified HEI of the breach. The HEI breach notice stated:

"We are treating this matter as a top priority, and took steps to address and contain this incident promptly after it was discovered, including engaging outside data forensic experts to assist us in investigating and re mediating the situation and promptly transitioning payment card processing to a stand-alone system that is completely separated from the rest of our network. In addition, we have disabled the malware and are in the process of re configuring various components of our network and payment systems to enhance the security of these systems. We have contacted law enforcement and will continue to cooperate with their investigation. We are also coordinating with the banks and payment card companies. While we are continuing to review and enhance our security measures, the incident has now been contained and customers can safely use payment cards at all HEI properties."

HEI is notifying affected customers and consumers that may have been affected:

"... We recommend that customers review credit and debit card account statements as soon as possible in order to determine if there are any discrepancies or unusual activity listed. We urge customers to remain vigilant and continue to monitor statements for unusual activity going forward. If they see anything they do not understand or that looks suspicious, or if they suspect that any fraudulent transactions have taken place, customers should immediately notify the issuer of the credit or debit card. In instances of payment card fraud, it is important to note that federal laws and cardholder policies may limit cardholders’ responsibility for fraudulent activity; we therefore recommend reporting any suspicious activity in a timely fashion to the bank that issued the card..."

The HEI breach notice contains more information for affected consumers to review their credit reports, place Fraud Alerts, and place Credit Freezes.

HEI appears to have been caught unprepared. It did not detect the intrusion, and its breach notice did not arrange for any free credit monitoring for affected consumers. Hopefully, more information is forthcoming.

If you received a breach notice from HEI, what are your opinions of the breach? Of HEI's response so far?

Federal Court Upholds State Laws To Restrict And Prevent City-Run Broadband Services

Last week, a federal appeals court overturned a Federal Communications Commission (FCC) ruling allowing community (a/k/a "city-run" or municipal) high-speed Internet service providers (ISPs) to expand into areas not served by commercial providers. The court decision immediately affects the expansion plans of community ISPs in Tennessee and North Carolina.

Community high-speed or broadband ISPs typically provide faster speeds (e.g., upload, download) and lower prices compared to commercial ISPs. Both states had passed laws preventing community ISPs from expanding, or making it onerous to expand. he FCC sought to stop such laws to encourage more competition, more choices, and lower prices for consumers.

The initial Reuters news report did not explain the rationale the court used. ABC News reported:

"The appeals court said that the FCC's order pre-empted the state laws and "the allocation of power between a state and its subdivisions." The court said the FCC's action requires a "clear statement" of authority in federal law, but the law does not contain a clear statement authorizing pre-emption of Tennessee's and North Carolina's laws... The appeals court said its ruling was a limited one, and it does not address other issues debated in the case, including whether the FCC has any pre-emptive power at all under the Telecommunications Act of 1996."

Chattanooga, Tennessee advertises itself as "Gig City," and is proud of its fiber broadband network:

"Only in Chattanooga, Tennessee is 1 Gigabit-per-second Internet speed available to every home and business - over 150,000 of them - throughout the entire community. Urban or rural, business or residence, Internet speeds that are unsurpassed in the Western Hemisphere – from 50 Megabits-per-second all the way up to one gigabit-per-second are accessible here. Today... Chattanooga's Fiber Optic network enables upload and download speeds 200 times faster than the current national average, and 10 times faster than the FCC's National Broadband Plan (a decade ahead of schedule)."

How fast is that? You can download a full-length movie in about 2 minutes. Is that faster than the broadband speed you get in your town or city? Probably. Is it cheaper than what you're paying? Probably.

The Attorneys Generals in several states have worked to prevent their residents from forming city-run ISPs. Tennessee Attorney General Herbert H. Slattery III released a statement:

"We are pleased with the 6th Circuit decision reversing the FCC’s Order. As we have stated from the outset, this case was not about access to broadband. Instead, it was about preventing the federal government from exercising power over the state of Tennessee that it does not have. Current state law allows a municipal Power Board to provide internet service only within its electric service area. Today’s decision preserves Tennessee’s right to determine the authority and market area of a political subdivision organized under Tennessee law."

The trade associations that represents corporate ISPs, US Telecom released a statement:

"Today’s decision is a victory for the rule of law. The FCC’s authority is not unbridled, it is limited to powers specifically delegated by the Congress, and it does not extend to preemption of state legislatures’ exercise of jurisdiction over their own political subdivisions. As an industry that shares the commission’s interest in accelerating broadband deployment, we would suggest that the best way for the FCC to accomplish its goals is to concentrate on eliminating federal regulatory impediments to innovation and investment – where there remains to be much that can and should be done."

Of course, the trade group is happy with the court decision. State laws that restrict or prevent city-run ISPs mean less competition, which makes it easier for corporate ISPs to maintain higher prices and slower speeds (which equals greater profits).

Community ISPs provide benefits for small businesses, and not only consumers. The benefits include more jobs, better services, and the ability of local towns to attract new businesses and start-ups. These benefits apply to rural areas, too; especially rural areas not served by corporate ISPs.

The Community Broadband Networks site described the benefits for small businesses of community broadband in North Carolina:

"... Speed is important, but so is Internet choice, reliable service, and respectful customer service... Before Greenlight began serving Pinetops, the best community members could get was sluggish Centurylink DSL - or Internet access offered over the phone lines... Suzanne Coker Craig, owner of CuriosiTees, described the situation... Her business, a custom screen printing shop, uses an “on-time” inventory system, so speed and reliability is critical for last-minute or late orders... She also subscribes to Greenlight from home and her fiber connection is able to manage data intense uploads required for sending artwork, sales reports, and other large document transfers... Brent Wooten is a sales agent and Manager for Mercer Transportation, a freight management business... moving freight across the country via trucks, requires being on time; he’s an information worker in a knowledge economy... Before Greenlight came to town, Brent’s business paid Centurylink $425 per month for a few phone lines, long distance, an 800 number, and Internet access at 10 Megabits per second (Mbps) download and 1.5 Mbps upload. He was also wasting hours and even days each month trying to get his Internet fixed... When Greenlight came to the community, Centurylink changed their tune. Within hours of his business phone being ported to Greenlight, a Centurylink representative called him. “He offered to cut my current prices in half and double my Internet speed, from 10 to 20 Mbps…My Centurylink 10 Mbps speed never tested at more than 6 Mbps.” Brent chose to keep his Centurylink phone service, but he kept his 25 Mbps symmetrical Greenlight Internet service because upload speed is critical to his business..."

Will these rural consumers and small businesses lose their community broadband services? Given the court decision, that is possible. Will the court decision negatively affect jobs? Probably, since many small businesses depend upon the faster community ISPs. FCC Chairman Wheeler stated:

"While we continue to review the decision, it appears to halt the promise of jobs, investment and opportunity that community broadband has provided in Tennessee and North Carolina. In the end, I believe the Commission’s decision to champion municipal efforts highlighted the benefits of competition and the need of communities to take their broadband futures in their own hands.

In the past 18 months, over 50 communities have taken steps to build their own bridges across the digital divide. The efforts of communities wanting better broadband should not be thwarted by the political power of those who, by protecting their monopoly, have failed to deliver acceptable service at an acceptable price. The FCC’s mandate is to make sure that Americans have access to the best possible broadband. We will consider all our legal and policy options to remove barriers to broadband deployment wherever they exist so that all Americans can have access to 21st Century communications. Should states seek to repeal their anti-competitive broadband statutes, I will be happy to testify on behalf of better broadband and consumer choice. Should states seek to limit the right of people to act for better broadband, I will be happy to testify on behalf of consumer choice...”

In January 2015, several U.S. Senators introduced the Community Broadband Act legislation in to block these restrictive laws in 20 states and to encourage more competition and lower prices for more consumers by allowing residents the right to operate city-run ISPs offering faster speeds and lower prices. Last week, Senator Ron Wyden (Oregon - Democrat) tweeted about the federal court decision:

Tweet by Senator Ron Wyden about Community Broadband Act

The legislation has stalled in the Republican-led Congress. Once again, you will hear politicians shout about the importance of defending state's rights against the FCC, while ignoring the rights of rural and small town residents to form community ISPs. Hypocritical politicians do this to protect their corporate ISPs donors from competition, which basically screws over residents by keeping prices high and speeds slow.

Residents in rural areas, small towns, and cities can claim, "we've been mugged" by state' legislatures that enacted laws preventing competition (and lower prices) from community ISPs.

Researchers compared high-speed Internet services worldwide, and found that consumers in the USA pay more and get slower speedsAnd Get Slower Speeds. That's great for corporate ISP profits and bad for consumers. The Community Broadband Act is an attempt to solve this problem.

Read the court decision: State of Tennessee, and the State of North Carolina; versus the U.S. Federal Communications Commission - (Adobe PDF). The FCC is reviewing the court's decision, and has not decided whether to appeal it.

The court decision is definitely pro-state law and anti-consumer. The court decision basically allows states to continue with laws that deny residents in local cities and towns the right to form, operate, and expand their own municipal broadband services to get lower prices and better services. That means less competition and higher prices for consumers living in states with these laws. Consider that when you vote in November.

The U.S. Copyright Office Commented on The FCC's Set-top Box Proposal

Federal communications Commission logo After the U.S. Federal Communications Commission proposed in February new set-top box rules for cable TV providers to encourage innovation, choices, and lower prices for consumer, the pay TV industry countered with its own proposal in June. Earlier this month, the U.S. Copyright Office shared its views about the matter.

Maria A. Pallante, a United States register of Copyrights and Director, provided the agency's views in a detailed 18-page letter to the FCC. The FCC used "Multi-Channel Video Programming Distributors" (MBPD) in its proposal to refer to the variety of companies (e.g., cable TV, wireless, Internet distributors, etc.) that distribute TV,, film, and video content. Pallante's letter is available at the Electronic Frontier Foundation (EFF) website:

"As requested, our comments pertain to the potential copyright implications of the Proposed Rule, as well as the general copyright principles at issue. Please note that although the Copyright Office did not file public comments in the FCC proceeding, the FCC did request our advice on the copyright issues raised by its proposal... we have no doubt that a number of the third-party products facilitated by the FCCs rule would enable fair and other nonfringing consumer uses of MVPD programming. The Copyright Office is therefore focused on whether these goals can be accomplished without overriding other concerns of copyright law and policy. The Office's principal reservation is that, as currently proposed, the rule could interfere with copyright owners' rights to license their works as provided by copyright law, and restrict their ability to impose reasonable conditions on the use of those works through the private negotiations that are the hallmark of the vibrant and dynamic MVPD marketplace..."

In short, the TV landscape today consists of many, secret, complicated licensing agreements between content producers and distributors. A Forbes Magazine article by Larry Downes described the landscape:

"Hollywood, for better and for worse, is built on a complicated legal regime of content licensing. That licensing limits when, where, and how programs are broadcast, and to whom. It includes limitations of the number and types of commercials that can be inserted into the programming, and even where in the channel line-up the programs will appear to consumers. Licensing agreements between producers and distributors are long, complicated, and mostly secret.

Opening the information flows for undefined new forms of access through new set-top boxes will almost certainly undermine those agreements. Third party boxes may change the channel line-up, replace the commercials, or offer programs on-demand that aren’t licensed for that use. Existing security and consumer privacy protections, mandated by law for pay TV providers, can’t be enforced by the FCC against new unregulated providers."

What we consumers see on TV, when we see it, how often we wee it, the number of commercials we see during shows, whether the show can be recorded (e.g., time shifted), whether the show can be device shifted (e.g., from television to a phone, tablet), and whether we see the show on pay-per-view, on-demand, on an Internet site, and/or on our phones are all governed by those private contracts.

Pallante's letter described the landscape similarly, but in greater detail. It also analyzed the FCC's proposed set-top box rule:

"In its most basic form, the rule contemplated by the FCC would seem to take a valuable good -- bundled video programming created through private effort and agreement under the protections of the Copyright Act -- and deliver it to third parties who are not in privity with the copyright owners, but who may nonetheless exploit the content for profit. Under the Proposed Rule, this would be accomplished without compensation to the creators or licensors of the copyrighted programming, and without requiring the third party to adhere to agreed-upon license terms. Indeed, a third party would have no way of knowing all of the requirements and liitations imposed under that license. As a result, it appears inevitable that many negotiated conditions upon which copyright owners license their works to MVPDs would not be honored under the Proposed Rule..."

"The FCC has stated that the Proposed Rule is not intended to negate these private contractual arrangements. However, it is not clear how the FCC wold prevent such an outcome under the Proposed Rule, for it appears to obligate MVPDs to deliver licensed works to third parties that could then unfairly exploit the works in ways that would be contrary to the essential conditions upon which the works were originally licensed... Thus, rather than being passive conduits for licensed programming, it seems that a broad array of the third-party devices and services would be enabled by the Proposed Rule would essentially be given access to a valuable bundle of copyrighted works, and could repackage and re-transmit those works for a profit, without having to comply with agreed contractual terms. And even though such activities -- for instance, competing or incompatible advertising -- could easily lessen the value of the rights licensed by program producers to the MVPDs, no offsetting compensation would flow back to the copyright holders or their actual licensees. THe Proposed Rule would thus appear to inappropriately restrict copyright owners' exclusive right to authorize parties of their choosing to publicly perform, display, reproduce and distribute their works according to agreed conditions, and to seek remuneration for additional uses of their works."

The Copyright Office's letter also discussed enforcement issues:

"... there already exists today a variety of third-party set-top box devices, mainly produced overseas, that are used to view pirated content delivered over the Internet. A reasonable concern is that, in response to the Proposed Rule, this market might expand to encompass devices designed to exploit the more readily available MVPD programming streams without adhering to the prescribed security measures. In addition, some commenters have suggested that limiting options for content security in this manner could jeopardize robust content security regimes -- including innovations to those systems -- thereby opening doors for third parties to acquire content illegally..."

Pallante and the Copyright Office concluded:

"We note that at the July 12th Congressional oversight hearing, FCC Commissioners acknowledged that they might choose to follow a different approach to achieve the FCC's objectives than that outlined in the NPRM, and that emerging alternative proposals showed promise. The Copyright Office is therefore hopeful that the FCC will refine its approach as necessary to avoid conflicts with copyright law and authors' interests under that law... it seems critical that any revised proposal respect the authority of creators to manage the exploitation of their copyrighted works through private licensing arrangements, because regulatory actions that undermine such arrangements would be inconsistent with the rights granted under the Copyright Act..."

So, the FCC's set-top box rule as initially proposed is too disruptive, and is effectively dead, since it would interfere with copyright owners' rights to license their content. Hopefully, the FCC won't give up and will refine its set-top box approach.

Pallante's letter to the FCC is also available here (Adobe PDF; 278.1K).

FBI Director Calls For A National Discussion About Encryption Versus Safety. What Next

During a speech recently in San Francisco at the American Bar Association's annual conference, Federal Bureau of Investigation (FBI) Director James Comey suggested a national discussion about encryption versus safety. Comey said that during the past 10 months, the FBI was able to access only 650 of 5,000 electronic devices. And, the agency's inability to access devices will get worse as more people use encryption. So, United States citizens should discuss and decide what balance is desired between privacy and law enforcement's ability to access devices.

I agree. That is a valuable conversation that needs to happen. It should happen. So far, the discussion has been sporadic; promptly largely by disclosures in 2013 about a secret court order allowing NSA spy programs on U.S. citizens by former National Security Agency (NSA) contractor Edward Snowden. In June, the Electronic Frontier Foundation (EFF) concluded:

"The Snowden leaks caused a sea change in the policy landscape related to surveillance. EFF worked with dozens of coalition partners across the political spectrum to pass the USA Freedom Act, the first piece of legislation to rein in NSA spying in over thirty years—a bill that would have been unthinkable without the Snowden leaks. They also set the stage for a major showdown in Congress over Section 702 of the FISA Amendments Act, the controversial section of law set to expire in 2017 that the government claims authorizes much of the NSA’s Internet surveillance... Perhaps most importantly, the Snowden leaks published over the last three years have helped to realign a broken relationship between the intelligence community and the public. Whistleblowers often serve as a last-resort failsafe when there are no other methods of bringing accountability to secretive processes. The Snowden leaks have helped illuminate how the NSA was operating outside the law with near impunity, and this in turn drove an international conversation about the dangers of near-omniscient surveillance of our digital communications."

However, the situation is far from resolved. Many surveillance programs still operate.

Moreover, who will participate in the discussion -- lawyers or the general population? Director Comey's suggestion was to a room full of lawyers. Plenty of non-lawyers are interested in this discussion.

After the initial Snowden disclosures, a mentor reminded me: "you just can't run away from the Fourth Amendment." Persons and companies need to be able to protect their personal and intellectual property. So, an expectation of privacy is reasonable and necessary. There are plenty of benefits to privacy, so the erosion of these rights by surveillance programs is not a good thing.

You may be surprised to know that the encryption-versus-safety conversation has already begun. An essay in April in the Yale law Journal by Robert S. Litt, the General Counsel for the Office of the Director of National Intelligence, stated:

"First, I am not proposing a comprehensive theory of Fourth Amendment law. Rather, I want to offer some tentative observations that might be explored in shaping a productive response to the challenges that modern technology creates for existing legal doctrine. In particular, I would like to suggest that the concept of “reasonable expectation of privacy” as a kind of gatekeeper for Fourth Amendment analysis should be revisited.

Second, these thoughts are not informed by deep research into the intent of the Framers, or close analysis of case law or academic scholarship. Rather, they derive from almost forty years of experience in law enforcement and intelligence... I find it hard to understand the alchemy by which information that you choose to disclose to a third party develops an expectation of privacy because you have chosen to disclose a lot of that information. That seems counter-intuitive to say the least..."

"... I suggest that—at least in the context of government acquisition of digital data—we should think about eliminating the separate inquiry into whether there was a “reasonable expectation of privacy” as a gatekeeper for Fourth Amendment analysis. In an era in which huge amounts of data are flowing across the Internet; in which people expose previously unimagined quantities and kinds of information through social media; in which private companies monetize information derived from search requests and GPS location; and in which our cars, dishwashers, and even light bulbs are connected to the Internet, trying to parse out the information in which we do and do not have a reasonable expectation of privacy strikes me as a difficult and sterile task of line-drawing. Rather, we should simply accept that any acquisition of digital information by the Government implicates Fourth Amendment interests...."

"... I agree with those who criticize the broad proposition that any information that is disclosed to third parties is outside the protection of the Fourth Amendment. Courts can appropriately take into account whether information is content or non-content information, whether it is publicly disclosed through social media or is stored in the equivalent of the cloud, or whether its exposure is “voluntary” only in the most technical sense because of the demands of modern technology. But we should not be viewing this analysis of privacy interests as an on/off switch to determine whether or not the Fourth Amendment applies, as today’s third-party doctrine does, but as more of a rheostat to identify the degree of protection that would ensure that the collection and use of that data is reasonable. So the flip-side of my argument is that even where there is a substantial privacy interest in digital data, we should not default immediately to the rule that a warrant is required unless we can fit the collection of such data into one of the twentieth-century exceptions to the warrant requirement..."

I have attempted to highlight relevant sections, but you should read Litt's entire analysis. Cindy Cohn, the Executive Director of the EFF, wrote a rebuttal in July:

"... Mr. Litt makes two initial statements with which I agree. First, he notes that the “reasonable expectation of privacy” test currently employed in Fourth Amendment jurisprudence is a poor test for the digital age. Second, he states that the “third-party doctrine”—under which an individual who voluntarily provides information to a third party loses any reasonable expectation of privacy in that information—should not be an on-off switch for the Fourth Amendment... From there, however, our paths diverge quite sharply.

Mr. Litt argues that since the “reasonable expectation of privacy” formulation is not well suited to digital surveillance, it should simply be eliminated. This would leave a “reasonableness” balancing test to carry the entire weight of the Fourth Amendment’s protection against governmental intrusions. He says that a court in each case should balance the “actual harm” suffered by the individual affected by the surveillance with the governmental interests in conducting the surveillance. This argument throws the baby out with the bathwater. By abandoning the “reasonable expectation of privacy” standard without a suitable replacement, Mr. Litt also implicitly suggests abandoning the foundational constitutional protection against general warrants, as well as the rule that a warrantless search of someone with a reasonable expectation of privacy is per se unconstitutional unless an exception applies..."

"Under current doctrine, since Americans have a reasonable expectation of privacy in the content of their communications, full-content searching is per se unconstitutional unless an exception to the warrant requirement applies. None does. In order to prevail, therefore, the government must convince the Supreme Court to read a broad national security “special needs” exception into the Fourth Amendment authorizing mass, suspicionless seizure and full-content searches of millions of nonsuspect Americans’ most private international and domestic communications. That is a tall order... Such a large implied exception does not readily align with history: the Fourth Amendment contains no national security exception, even though it was adopted in the shadow of the Revolutionary War. Further, the Fourth Amendment was expressly intended to prevent general warrants. The FISA Court of Review—where the government alone presents its case and the arguments and decisions are kept secret—has recognized some form of a national security exception..."

"Moreover, Mr. Litt’s balancing test is unbalanced at its inception. According to his argument, courts can only evaluate the “actual harm” to a single person from mass surveillance because his reformulation retains the caselaw holding that Fourth Amendment rights are personal and cannot be asserted vicariously.20 Meanwhile, Mr. Litt’s formulation would allow the government to present its interest broadly without also showing “actual” increased safety of Americans as a result of the surveillance, much less the individual safety of the plaintiff."

"More importantly, Mr. Litt’s central claim is that there can be no actual harm when a person’s communications are seized by the government and searched, even with content searching, as long as computers but not humans conduct the search. He says that communications are “unseen and unknown” until they turn up in search results that are shown to a human... This argument—what I call the “human-eyes” theory of the Fourth Amendment—is where we most seriously disagree. Mr. Litt’s “human-eyes” theory would effectively authorize a surveillance state in which a person’s every action and interaction could be technologically monitored and algorithmically analyzed without violating the Fourth Amendment..."

Again, I have tried to highlight relevant section, but you should read all of Cohn's rebuttal and her summary. This is important stuff. People are thinking about how to modify the FOurth Amendment of the U.S. Constitution.

Both essays are a good start with the encryption-versus-safety discussion, but the discussion seems focused upon attorneys. Both essays appeared in a legal journal and Director Comey's speech was to a room full of attorneys. One should not have to be an attorney to understand things. Any legislation resulting from the discussions would affect all citizens. So, the discussion needs to be more inclusive. It needs to happen in a way that engages the broader population.

Major newspapers have a role in making this happen. Politicians have a responsibility, too. Senator Ron Wyden (Democrat- Oregon) has been one of too few lone voices warning citizens. More politicians need to step up their game, or get out of the way for ones willing to do so.

What are your opinions of the encryption versus safety discussion? Of the essays by Litt and Cohn?

Security Flaws Place 900 Million Android Phones And Tablets At Risk

Researchers have found a security flaws that could place as many as 900 million Android operating system (OS) phones and tablets at risk. The four vulnerabilities, called "Quadrooter," allows attackers to take complete control of phones which use the Qualcomm chip. Which phones are affected? C/Net reported:

"Google's own branded Nexus 5X, Nexus 6, and Nexus 6P devices are affected, as are Samsung's Galaxy S7 and S7 Edge, to name just a few of the models in question. The recently-announced BlackBerry DTEK50, which the company touts as the "most secure Android smartphone," is also vulnerable to one of the flaws."

Researchers at Check Point discovered the security flaws. The Check Point blog explained:

"QuadRooter is a set of four vulnerabilities affecting Android devices built using Qualcomm chipsets. Qualcomm is the world’s leading designer of LTE chipsets with a 65% share of the LTE modem baseband market. If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations for the purpose of gaining root access to a device... Since the vulnerable drivers are pre-installed on devices at the point of manufacture, they can only be fixed by installing a patch from the distributor or carrier. Distributors and carriers issuing patches can only do so after receiving fixed driver packs from Qualcomm..."

The Check Point blog listed affected phones and tablets. It also emphasized:

"This situation highlights the inherent risks in the Android security model. Critical security updates must pass through the entire supply chain before they can be made available to end users. Once available, the end users must then be sure to install these updates to protect their devices and data."

Wow! There it is in writing for all to read. And we know from prior reports that manufacturers and wireless carriers don't provide OS updates for all Android phones.

Reportedly, Google said the security patch will be available in September.

We've been here before. Google needs to fix its Android security model. If it doesn't (or can't), that may make consumers doubt the reliability and trustworthiness of Google driverless cars.

Hulu Updated Its Terms of Use And Privacy Policies, the popular TV streaming service, updated its terms of service and privacy policies. An August 5, 2016 e-mail to subscribers stated:

"... we are continually focused on improving our services and the viewer experience. To address some of the changes in our services, we've updated our Terms of Use and Privacy Policy. We want to ensure that we keep you informed about our practices, so we've summarized some of the key updates below. This summary is not exhaustive, so we encourage you to review the full, updated versions of our Terms of Use and Privacy Policy Privacy Policy..."

The streaming TV service announced in May 2016 that is subscriber base of about 12 million had grown about 30 percent over 2015. Besides its $8 and $12 monthly subscription options, reportedly the service plans to introduce a third, cable-like bundle of channels for about $40 monthly.

The service's email message summarized the changes in its policies:

"Terms of Use updates
Given our constant desire to innovate our service, we clarify that we may experiment with certain features and that the content and services may change from time to time. We provide additional details about our billing practices, including in connection with promotional offers.
We include updated instructions around cancellation and explain that if you sign up and pay for Hulu through a third party (e.g., Apple iTunes) you may need to cancel your subscription or manage your billing through such third party.
We remind you that your interactions with third-party advertisements on our services, including any information you may provide through interactive advertisements, are between you and the advertiser. We encourage you to review any such advertiser's terms of use and privacy policy.
We clarify that we may communicate with you electronically and encourage you to keep copies of our electronic communications for your records.

Privacy Policy updates
We include an updated list of the types of technologies we or third parties may use to collect data from or about you. This data helps improve the content and advertisements provided to you.
We've likewise updated the section describing how we share information with business partners, service providers and other third parties.
We describe that you can choose to share information through sharing features we may offer, for example, through email, text message or social networks.
We provide instructions on how California residents can obtain more information about our data sharing practices in the event we were to share personal data about our users with third parties for their direct marketing purposes.
You have choices with respect to your use of our services and we include an updated and consolidated list of the various options available to you in a new section called "Your Choices, Including Opt-Out Options" (Section 6) which includes instructions about your opt-out choices related to your use of Hulu on websites, mobile devices and living room devices.
We explain that we may work with third parties who help us to establish connections across your related browsers and devices and how your opt-out choices apply."

What is a consumer to make of this? Hulu is clearly both providing notice to and obtaining consent from its subscribers to perform online experiments. Previously, social sites like OKCupid were heavily criticized for performing online experiments without notice nor consent. So, it is good that Hulu provides this advance notice.

Current or prospective subscribers may or may not be comfortable participating in online experiments that affect their usage of the service. To learn more, I read Hulu's Terms Of Use policy. This section seemed key:

"3.10 Modification/Suspension/Discontinuation. We regularly make changes to the Services. The availability of the Content as well as Access Points through which the Services are available will change from time to time. Hulu reserves the right to replace or remove any Content and Access Points available to you through the Services, including specific titles, and to otherwise make changes in how we operate the Services... In our continued assessment of the Services, we may from time to time, with respect to any or all of our users, experiment with or otherwise offer certain features or other elements of the Services, including promotional features, user interfaces, plans, pricing, and advertisements. You acknowledge that Hulu may do so in Hulu's sole discretion at any time without notice. You also agree that Hulu will not be liable to you for any modification, suspension, or discontinuance of the Services, although if you are a Hulu subscriber and Hulu suspends or discontinues your subscription to the Services, Hulu may, in its sole discretion, provide you with a credit, refund, discount or other form of consideration (for example, we may credit additional days of service to your account) in accordance with Section 4 below. However, if Hulu terminates your account or suspends or discontinues your access to Services due to your violation of these Terms, then you will not be eligible for any such credit, refund, discount or other consideration."

So, this revised Terms of Use policy may be the only notice subscribers receive about online experiments. And, there doesn't appear to be an option to decline (e.g., opt out of) online experiments, except to cancel their subscription. Some subscribers may not like that, and/or may want compensation for participating in online experiments.

Another section current and prospective subscribers may want to read closely is the "13. Arbitration of Claims" section. While this clause is not new, it is important since it describes how disagreements are resolved between subscribers and Hulu. Basically, most disagreements would be resolved through binding arbitration Individually, and not in court nor through a group action:

"... If we do not reach an agreed upon solution after our discussions for at least 30 days, you and Hulu agree that any claim that either of us may have arising out of or relating to these Terms (including formation, performance, or breach of them), our relationship with each other, or use of the Services must be resolved through binding arbitration before the American Arbitration Association using its Consumer Arbitration Rules, available here. As an exception to this arbitration agreement, Hulu is happy to give you the right to pursue in small claims court any claim that is within that court's jurisdiction as long as you proceed only on an individual basis... you and Hulu agree to begin any arbitration within one year after a claim arises; otherwise, the claim is waived. You and Hulu also agree to arbitrate in each of our individual capacities only, not as a representative or member of a class, and each of us expressly waives any right to file a class action or seek relief on a class basis..."

Regular readers of this blog are familiar with the issues about binding arbitration. Companies in several industries have inserted "binding arbitration" clauses into their terms of service policies with consumers. The Public Citizen website lists the banks, retail stores, entertainment, online shopping, telecommunications, consumer electronics, software, nursing homes, and health care companies that use these clauses.

Bankrate reported on March 11, 2015:

"This week, the CFPB released new research showing that banks' practice of forcing customers into binding arbitration has a wide range of downsides for consumers... The exhaustive 700+ page CFPB report shows that arbitration clauses have a broad range of negative consequences for consumers. They discourage individual consumers from pursuing claims. The CFPB found that the number of arbitrations filed by individual consumers was much lower than one would expect given the number federal lawsuits filed by those who still have that option... They squelch legitimate class-action lawsuits. Arbitration clauses generally prevent customers from joining together in class-action lawsuits... They reduce consumer protections. The way that many consumer protection laws are enforced is through civil litigation. By blocking civil suits brought by customers, financial institutions effectively give themselves an end-around against these protections... They confuse consumers. In surveys conducted by the CFPB for the report, relatively few customers understood what arbitration was, whether they were subject to it and how it works in practice... They don't lead to lower prices. The big selling point for arbitration has always been that reducing legal costs by blocking customer lawsuits would result in lower prices for consumers. But that hasn't been the case, according to the report..."

Current and prospective subscribers may or may not be comfortable giving up these rights.

The Hulu Privacy Policy is important for several reasons. It lists the technologies the service uses. The service obtains information about its subscribers from several sources: data subscribers submit into their profiles, third-party affiliates, data brokers, and the technologies used. These technologies may conflict with the privacy settings consumers use in their Web browsers. Some technologies apply specifically to phones/tablets versus laptops/desktops:

"... One technology we use is called a cookie. A cookie is a small data file that is transferred to your computer’s hard disk. We may use both session cookies and persistent cookies to better understand how you interact with the Hulu Services or Hulu advertising published outside of the Hulu Services, to monitor aggregate usage by our users and web traffic routing on the Hulu Services, and to customize Content and advertising... We may collect information through other kinds of local storage (also referred to as "Flash cookies") and HTML5 local storage, including in connection with features such as volume/mute settings for the Video Player. Because these technologies are similar to browser cookies, they are sometimes called "browser cookies," even though they may be stored in different parts of your computer... Please note that disabling cookies or deleting information contained in cookies or Flash cookies may interfere with the performance and features of the Hulu Services, including the Video Player... we may use other technologies such as web beacons or pixel tags, which can be embedded in web pages, videos, or emails, to collect certain types of information from your browser or device, check whether you have viewed a particular web page, ad, or email message, and determine, among other things, the time and date on which you viewed the Content, the IP address of your computer, and the URL of the web page... Mobile Device Identifiers and Software Development Kits ("SDKs"). We may use or work with third parties including our business partners and service providers who use mobile SDKs to collect information, such as mobile identifiers (e.g., "ad-ID" or "IDFA") and information related to how mobile devices interact with the Hulu Services. An SDK is computer code that app developers can include in their apps to enable ads to be shown, data to be collected and related services and functionality to be implemented. A mobile SDK is in effect the mobile app version of a pixel tag or beacon..."

This blog has discussed several technologies (e.g., cookies, “zombie cookies,” Flash cookies, “zombie e-tags,” super cookies, “zombie databases” on mobile devices, canvas fingerprinting, etc.) which companies have used to track consumers online. This makes it important to read any service's online privacy policy. Consumers may or may not be comfortable with the tracking technologies used.

Hulu's privacy policy also lists the types of companies and entities it shares subscribers' information with, but (besides and Nielsen) it doesn't disclose the names of specific companies and entities (bold added):

"We work with a number of business partners who help us offer the Hulu Services, including for example our content licensors, distributors, and corporate owners. We may share information collected from or about you with such business partners... When you choose to share information with social networking services about your activities on the Hulu Services, including shows you watch or like on Hulu, information about you and your activities will be shared with that social network... We may share the information collected from or about you with companies that provide services to us and our business partners, including companies that assist with payment processing, analytics, data processing and management, account management, hosting, customer and technical support, marketing (e.g., email, online or direct mail communications) and other services... We may share the information collected from or about you in encrypted, aggregated, or de-identified forms with advertisers and service providers that perform advertising-related services for us and our business partners in order to tailor advertisements, measure, and improve advertising effectiveness, and enable other enhancements. This information includes your use of the Hulu Services, websites you visited, advertisements you viewed, and your other activities online... Our business partners, such as content licensors, as well as our advertisers, seek to measure the performance of their creative material across many platforms, including the Hulu Services. Accordingly, Hulu may permit the use of third-party measurement software that enables third parties (such as Nielsen) to include your viewing on the Hulu Services in calculating measurement statistics such as TV Ratings... If we sell all or part of our business, make a transfer of assets, or otherwise might be involved in a change of control transaction, or in the unlikely event of bankruptcy, we may transfer information from or about you to one or more third parties as part of the transaction, including the due diligence process... Third Parties When Required By Law or When Necessary to Protect Your or Our Rights. In some instances, we may disclose information from or about you without providing you with a choice. For example, we may disclose your information in the following ways: to protect the legal rights of Hulu and our affiliates or partners... and to comply with or respond to the law or legal process or a request for cooperation by a government entity, whether or not legally required..."

It is reasonable to assume that the last group includes law enforcement agencies (e.g., federal, state, local) in the United States, but the policy seems vague about whether those agencies are from other countries, too. Again, (current or prospective) subscribers may want to know the specific names of companies and entities data is shared with.

New at reading online polices? Unsure what to look for? I compiled what I've learned into this blog post: "10 Tips About How To Read Terms Of Use And Privacy Policies." You might find it helpful.

What are your opinions of Hulu's revised policies?

[Editor's note: this blog post is not legal advice. Consumers wanting legal advice should consult an attorney to help them fully evaluate any contracts or legal agreements.]

FDA Releases Guidelines For Apps And Wearables For Fitness And Health

The U.S. Food and Drug Administration (FDA) released guidelines about mobile apps and wearable devices for health and fitness (Adobe PDF). The guidelines document stated that it is for clarity for industry and FDA staff, and include "nonbinding recommendations." The federal agency will not regulate mobile apps and wearables that promote general wellness or a healthy lifestyle, and are classified as "low risk." The guidelines do not apply to products (e.g., drugs, biologics, dietary supplements, foods, or cosmetics) regulated by other FDA Centers or to combination products.

The FDA's Center For Devices and Radiological Health (CDRH) defines general wellness products as:

"... products that meet the following two factors: (1) are intended for only general wellness use, as defined in this guidance, and (2) present a low risk to the safety of users and other persons. General wellness products may include exercise equipment, audio recordings, video games, software programs4 and other products that are commonly, though not exclusively, available from retail establishments (including online retailers and distributors that offer software to be directly downloaded), when consistent with the two factors above."

The guidelines provide further definitions:

"A general wellness product, for the purposes of this guidance, has (1) an intended use that relates to maintaining or encouraging a general state of health or a healthy activity, or (2) an intended use that relates the role of healthy lifestyle with helping to reduce the risk or impact of certain chronic diseases or conditions and where it is well understood and accepted that healthy lifestyle choices may play an important role in health outcomes for the disease or condition. If the product’s intended uses are not limited to the above general wellness intended uses, this guidance does not apply."

The guidelines provide a list of general wellness health outcomes: weight management, physical fitness (including recreational uses), relaxation or stress management, mental acuity, self-esteem, sleep management, and sexual function.

Typically, regulation is used to ensure that products actually do what their manufacturers and developers claim to do. The guidelines specified which claims are general wellness (e.g., the FDA will not regulate) and which claims are not (e.g., the FDA will continue to regulate). General wellness claims include claims to:

  1. Promote or maintain a healthy weight, encourage healthy eating, or assist
    with weight loss goals;
  2. Promote relaxation or manage stress;
  3. Increase, improve, or enhance the flow of qi “energy;”
  4. Improve mental acuity, instruction following, concentration, problem solving, multitasking, resource management, decision-making, pattern recognition or eye-hand coordination;
  5. Enhance learning capacity;
  6. Promote physical fitness (e.g., log, track, or trend exercise activity, measure aerobic fitness, develop or improve endurance, strength or coordination;
  7. Promote sleep management (e.g., track sleep trends);
  8. Promote self-esteem
  9. Address a specific body structure or function (e.g., increase or improve muscle size or body tone, enhance or improve sexual performance);
  10. Improve general mobility; and
  11. Enhance participation in recreational activities by monitoring the consequences (e.g., heart rate).

Some claims are categorized as "disease related." The new FDA guidelines list disease-related general wellness claims and how companies should reference those claims in product packaging and advertisements:

"A claim that a product will treat or diagnose obesity; a claim that a product will treat an eating disorder, such as anorexia; a claim that a product helps treat an anxiety disorder; a claim that a computer game will diagnose or treat autism; a claim that a product will treat muscle atrophy or erectile dysfunction; a claim to restore a structure or function impaired due to a disease or condition, e.g., a claim that a prosthetic device enables amputees to walk... disease-related general wellness claims should only be based on references where it is well understood that healthy lifestyle choices may reduce the risk or impact of a chronic disease or medical condition..."

Since the new FDA guidelines apply only to products categorized as "low risk," it is important to understand that definition:

"If the answer to any of the following questions is YES, the product is not low risk and is not covered by this guidance: 1) Is the product invasive? 2) Is the product implanted? 3) Does the product involve an intervention or technology that may pose a risk to the safety of users and other persons if specific regulatory controls are not applied, such as risks from lasers or radiation exposure? In assessing whether a product is low risk for purposes of this guidance, FDA recommends that you also consider whether CDRH actively regulates products of the same type as the product in question. For example, CDRH actively regulates external penile rigidity devices, which are devices intended to create or maintain sufficient penile rigidity for sexual intercourse, under 21 CFR 876.5020 as class II devices exempt from premarket notification with special controls..."

The guidelines listed examples of products that are low risk and those which are not. Products that are not low risk:

"Sunlamp products promoted for tanning purposes, due to risks to a user’s safety from the ultraviolet radiation, including, without limitation, an increased risk of skin cancer.

Implants promoted for improved self-image or enhanced sexual function. Implants pose risks to users such as rupture or adverse reaction to implant materials and risks associated with the implantation procedure.

A laser product that claims to improve confidence in user’s appearance by rejuvenating the skin. Although the claims of rejuvenating the skin and improving confidence in user’s appearance are general wellness claims, laser technology presents risks of skin and eye burns.

A neuro-stimulation product that claims to improve memory, due to the risks to a user’s safety from electrical stimulation.

A product that claims to enhance a user’s athletic performance by providing suggestions based on the results of relative lactic acid testing, when the product uses venipuncture to obtain the blood samples needed for testing. Such a product is not low risk because it is invasive (e.g., obtains blood samples by piercing the skin) and also because the product involves an intervention that may pose a risk to the safety of the user and other persons if specific regulatory controls are not applied (e.g., venipuncture may pose a risk of infection transmission)."

Companies and individuals can submit feedback to the FDA about these guidelines. See the guidelines document for instructions for submitting feedback. Fierce Healthcare reported:

"Epstein Becker Green health attorney Brad Thompson, who had previously commented to FierceHealthIT on the draft guidance, said in an email the final version "strikes the right balance between regulation and innovation... Over the intervening year and a half, I have talked to a lot of developers of wearable technologies and associated mobile apps and have used the draft guidance as a roadmap for how to assess FDA jurisdiction. I have found it to be extremely practical..."

A copy of the guidance document is also available here (Adobe PDF). What guidance or clarity does it provide for consumers? I guess not much regarding low risk apps and wearables. Consumers are on their own, so shop wisely and carefully. Whenever I read a document that describes itself as "nonbinding recommendations," that is worrisome.

Released Prisoners And Arrestees Forced To Accept And Use Prepaid Cards

Numi Financial logo Banks have found an effective, profitable method to force their prepaid cards upon consumers. Yes... literally force people to use their prepaid cards. When people arrested are released from prison, any cash in their possession at the time of arrest is returned to them in the form of prepaid cards by corrections staff. The Nation reported about the rise in "get-out-of-jail broke cards" and the banks that issue them:

"Numi Financial is one of many for-profit players in an increasingly privatized prison industry... Numi is now in more than 400 jails across the country, including large facilities that house up to 8,500 inmates, and the company issues more than 600,000 cards a year. That’s enough to make Numi one of the top 10 providers nationwide of prepaid cards of all kinds... Richard E. Deloney Jr., vice president of business development at Numi, said Numi’s model is based on “turnover.” “We market to the 3,300 jails in the country,” he said... According to a 2015 Dun & Bradstreet report on Stored Value Cards, Numi’s parent company, its revenue is $3 million a year."

The industry calls these prepaid cards given to prisoners "prison release cards." Arrestees are given the contractual terms and fee schedule when they receive their release cards:

"The terms for the card used in Multnomah County lists 11 possible fees—the $5.95 monthly fee, a $2.95 fee for ATM withdrawals, $0.95 for a declined transaction, $1 to check the balance, and $9.95 to have the balance refunded by check. Some cards have as many as 19 fees, a maintenance fee as high as $15 a month, and higher fees for international transactions."

So, the release cards contain the same multitude of fees found on other prepaid cards. Previously, arrestees were given a mix of cash and checks. Other banks offering prison release cards:

"At least 10 companies now offer release cards or inmate banking services to correctional systems. JPMorgan Chase does not give a card to each and every prisoner, but according to the Center for Public Integrity, it has a “lock” on the Federal Bureau of Prisons population, which currently stands at just under 200,000. At the state level, CPI found that JPay, a company founded in 2002, dominates, generating “well over $50 million in revenue” in 2013. It was acquired for $250 million in 2015 by Securus Technologies..."

There are plenty of issues with prison release cards. First, arrestees are a vulnerable population. They are forced to accept and use release cards since their cash has been confiscated. There is no opt-out, unlike other consumers who can choose other bank services instead. This can create hardship, as the Nation's article highlighted an arrestee released at 2:00 am with no way to get home. Not all taxi-cabs accept prepaid cards.

Second, the cards contain the same multitude of high fees as other prepaid cards. People released from prison may not have jobs to return to, making the high fees a huge burden. Third, claims by Numi executives in 2014 that one-third of cardholders pay no fees and that about one percent of cards aren't used have been debunked. Fourth, the banks offering prison release cards were given no-bid contracts:

"The banks’ exclusive deals came not from the Bureau of Prisons, but from the U.S. Treasury. The agency awarded the contracts using a 150-year-old authority that allows it to sidestep the oversight, transparency and competition typically required for federal contracting. That means that for 14 years, Bank of America has never been required to compete with other vendors who might do the work better or for less money, according to Treasury documents obtained under the Freedom of Information Act. JPMorgan’s no-bid deal to issue debit cards for various federal agencies began in 1998, was extended in 2008 and eventually expanded to include cards for federal prisons. Fees from former inmates make up most of the bank’s compensation for these cards..."

This is absolutely lousy, poor management by government officials with no attempt to lower costs for taxpayers. Competition matters. Competition forces companies to provide better services, lower costs, and ideally both.

Fifth, prison release cards are given to all arrestees when released. That includes both people arrested for just causes wh have served their prison time, and people where law enforcement has dropped all charges. You'd think that people released with charges dropped would simply have their cash returned to them, but they too are forced to use prison release cards.

Many people view this situation as unacceptable. In November 2015, several U.S. Senators including Mark R. Warner (D-Va.) and VP-candidateTim Kaine (D-VA) sent a letter to the Consumer Financial Protection Bureau (CFPB) urging it to re-examine prison release cards:

"Prison release cards are a critical tool for people leaving prisons to transfer their earned wages and/or commissary account balances to a prepaid card. Any reductions to the wages and account balances of formerly incarcerated people could harm their ability to successfully reenter society. Today, some firms charge high fees on prison prepaid cards that create significant barriers to reentry for formerly incarcerated people. Most corrections agencies that report using prepaid cards also report that fees are imposed on cardholders, including unusual fees such as weekly maintenance fees. These cards often also include forced arbitration provisions. As your recent study on arbitration showed, the rights of consumers nationwide are limited by forced arbitration in the financial services industry. As another example, states receive revenue from certain vendors chosen to provide prison release cards. Correctional facilities may also structure their contracts with prepaid card vendors in such a way that costs are entirely passed on to formerly incarcerated people."

The letter listing all 18 U.S. Senators is also here. Sixth, the forced arbitration clauses are typically one-sided, expensive for consumers, and heavily favor the company, as readers of this blog already know.

Some consumers aren't waiting and have filed a class-action lawsuit: Brown versus Numi Financial, No. 3:15-cv-01370-MO (Adobe PDF). The court rejected Numi Financial's motion for arbitration. Good! Other affected consumers may want to join this suit.

What are your opinions of prison release cards?

Update: Tesla Engineers Say Crash Due To Brakes, Not Autopilot Feature

About the fatal crash in May of a Tesla Model S car operating beta-version software for its Autopilot feature, the company's engineering executives told the U.S. Senate during committee hearings that the vehicle's brakes were at fault. The New York Times reported:

"... Tesla told members of the Senate Commerce Committee staff on Thursday that the problem involved the car’s automatic braking system, said the staff member, who spoke on condition of anonymity. It was not clear how or why Tesla considers the automatic braking system to be separate from Autopilot, which combines automated steering, adaptive cruise control and other features meant to avoid accidents. Tesla declined to comment... The company told the committee staff that it considered the braking systems as “separate and distinct” from Autopilot, which manages the car’s steering, and can change lanes and adjust travel speed..."

Auto experts say that the Autopilot feature and brakes should work together. So, either the car didn't recognize that it had to stop, or it failed to stop when it should have. The Autopilot feature requires the driver to be ready to assist, if needed. The National Highway Traffic Safety Administration (NHTSA) is investigating the crash.

Consumer Reports, which has tested vehicles for decades, has called for automakers to not use people as "guinea pigs for vehicle safety beta programs."

While the fatal Tesla crash was tragic, it is also a reminder for consumers to:

  • Know the differences between full autonomous automation and features that assist drivers,
  • Know the limitations of automation features including road conditions that require driver intervention,
  • Know which features use beta-version software (which means they are unfinished and still being tested), and
  • Read all applicable polices (e.g., terms of service, privacy) before and after purchasing a vehicle to understand your responsibilities and liability. Certain features and road conditions require driver intervention.