167 posts categorized "California"

Court Okays 'Data Scraping' By Analytics Firm Of Users' Public LinkedIn Profiles. Lots Of Consequences

Earlier this week, a federal appeals court affirmed an August 2017 injunction which required LinkedIn, a professional networking platform owned by Microsoft Corporation, to allow hiQ Labs, Inc. to access members' public profiles. This ruling has implications for everyone.

First, some background. The Naked Security blog by Sophos explained in December 2017:

"... hiQ is a company that makes its money by “scraping” LinkedIn’s public member profiles to feed two analytical systems, Keeper and Skill Mapper. Keeper can be used by employers to detect staff that might be thinking about leaving while Skill Mapper summarizes the skills and status of current and future employees. For several years, this presented no problems until, in 2016, LinkedIn decided to offer something similar, at which point it sent hiQ and others in the sector cease and desist letters and started blocking the bots reading its pages."

So, hiQ's apps use algorithms which predict, for its clients (prospective or current employers), which employees are likely to stay or leave. Gizmodo explained the law LinkedIn relied upon in court, arguing that hiQ's:

".... practice of scraping publicly available information from their platform violated the 1986 Computer Fraud and Abuse Act (CFAA). The CFAA is infamously vaguely written and makes it illegal to access a “protected computer” without or in excess of “authorization”—opening the door to sweeping interpretations that could be used to criminalize conduct not even close to what would traditionally be understood as hacking."

Second, the latest court ruling basically said two things: a) it is legal (and doesn't violate hacking laws) for companies to scrape information contained in publicly available profiles; and b) LinkedIn must allow hiQ (and potentially other firms) to continue with data-scraping. This has plenty of implications.

This recent ruling may surprise some persons, since the issue of data scraping was supposedly settled law previously. MediaPost reported:

"Monday's ruling appears to effectively overrule a decision issued six years ago in a dispute between Craigslist and the data miner 3Taps, which also scraped publicly available listings. In that matter, 3Taps allegedly scraped real estate listings and made them available to the developers PadMapper and Lively. PadMapper allegedly meshed Craigslist's apartment listings with Google maps... U.S. District Court Judge Charles Breyer in the Northern District of California ruled in 2013 that 3Taps potentially violated the anti-hacking law by scraping listings from Craigslist after the company told it to stop doing so."

So, you can bet that both social media sites and data analytics firms closely watched and read the appeal court's ruling this week.

Third, in theory any company or agency could then legally scrape information from public profiles on the LinkedIn platform. This scraping could be done by industries and/or entities (e.g., spy agencies worldwide) that job seekers never intended nor wanted as an audience.

Many consumers simply signed up and use LinkedIn to build professional relationships and/or to find jobs, either full-time as employees or as contractors. The 2019 social media survey by Pew Research found that 27 percent of adults in the United States use LinkedIn, with higher usage among persons with college degrees (51 percent), persons making more than $75K annually (49 percent), persons ages 25 - 29 (44 percent), persons ages 30 - 49 (37 percent), and urban residents (33 percent).

I'll bet that many LinkedIn users never imagined that their profiles would be used against them by data analytics firms. Like it or not, that is how consumers' valuable, personal data is used (abused?) by social media sites and their clients.

Fourth, the practice of data scraping has divided tech companies. Again, from the Naked Security blog post in 2017:

"Data scraping, it seems, has become a booming tech sector that increasingly divides the industry ideologically. One side believes LinkedIn is simply trying to shut down a competitor wanting to access public data LinkedIn merely displays rather than owns..."

The Electronic Frontier Foundation (EFF), the DuckDuckGo search engine, and the Internet Archive had filed an amicus brief with the appeals court before its ruling. The EFF explained the groups' reasoning, urging the:

"... Court of Appeals to reject LinkedIn’s request to transform the CFAA from a law meant to target serious computer break-ins into a tool for enforcing its computer use policies. The social networking giant wants violations of its corporate policy against using automated scripts to access public information on its website to count as felony “hacking” under the Computer Fraud and Abuse Act, a 1986 federal law meant to criminalize breaking into private computer systems to access non-public information. But using automated scripts to access publicly available data is not "hacking," and neither is violating a website’s terms of use. LinkedIn would have the court believe that all "bots" are bad, but they’re actually a common and necessary part of the Internet. "Good bots" were responsible for 23 percent of Web traffic in 2016..."

So, bots are here to stay. And, it's up to LinkedIn executives to find a solution to protect their users' information.

Fifth, according to the Reuters report, the court suggested a solution for LinkedIn: "eliminating the public access option." Hmmmm. Public, or at least broad, access is what many job seekers desire. So, a balance needs to be struck between truly "public," where anyone, anywhere worldwide could access public profiles, and access limited to intended audiences (e.g., hiring managers at potential employers in certain industries).

Sixth, what struck me about the court ruling this week was that nobody was in the courtroom representing the interests of LinkedIn users, of which I am one. MediaPost reported:

"The appellate court discounted LinkedIn's argument that hiQ was harming users' privacy by scraping data even when people used a "do not broadcast" setting. "There is no evidence in the record to suggest that most people who select the 'Do Not Broadcast' option do so to prevent their employers from being alerted to profile changes made in anticipation of a job search," the judges wrote. "As the district court noted, there are other reasons why users may choose that option -- most notably, many users may simply wish to avoid sending their connections annoying notifications each time there is a profile change." "

What? Really?! We LinkedIn users have a natural, vested interest in control over both our profiles and the sensitive, personal information that describes each of us in our profiles. Either somebody at LinkedIn failed to adequately represent the interests of its users, or the court didn't really listen closely nor seek out additional evidence, or both.

Maybe the "there is no evidence in the record" regarding the 'Do Not Broadcast' feature will be the basis of another appeal or lawsuit.

With this latest court ruling, we LinkedIn users have totally lost control (except for deleting or suspending our LinkedIn accounts). It makes me wonder how a court could reach its decision without hearing directly from somebody representing LinkedIn users.

Seventh, it seems that LinkedIn needs to modify its platform in three key ways:

  1. Allow its users to specify the only uses or applications (e.g., find full-time work, find contract work, build contacts in my industry or area of expertise, find/screen job candidates, advertise/promote a business, academic research, publish content, read news, dating, etc.) for which their profiles may be used. The 'Do Not Broadcast' feature is clearly not strong enough;
  2. Allow its users to specify or approve individual users -- other actual persons who are LinkedIn users and not bots nor corporate accounts -- who can access their full, detailed profiles; and
  3. Outline in the user agreement the list of applications or uses profiles may be accessed for, so that both prospective and current LinkedIn users can make informed decisions. 

This would give LinkedIn users some control over the sensitive, personal information in their profiles. Without control, the benefits of using LinkedIn quickly diminish. And, that's enough to cause me to rethink my use of LinkedIn, and either deactivate or delete my account.

What are your opinions of this ruling? If you currently use LinkedIn, will you continue using it? If you don't use LinkedIn and were considering it, will you still consider using it?


Cloud Services Security Vendor Disclosed a 'Security Incident'

Imperva, a cloud-services security company, announced on Tuesday a data breach involving its Cloud Web Application Firewall (WAF) product, formerly known as Incapsula. The August 27th announcement stated:

"... this data exposure is limited to our Cloud WAF product. Here is what we know about the situation today: 1) On August 20, 2019, we learned from a third party of a data exposure that impacts a subset of customers of our Cloud WAF product who had accounts through September 15, 2017; 2) Elements of our Incapsula customer database through September 15, 2017 were exposed. These included: email addresses, hashed and salted passwords; 3) And for a subset of the Incapsula customers through September 15, 2017: API keys and customer-provided SSL certificates..."

Imperva provides firewall and security services to block cyberattacks by bad actors. Its Cloud WAF sits in front of its clients' web sites and filters attack traffic before it reaches them, so its clients (and clients' customers) rely on it to protect the information those sites collect and store. The home page of Imperva's site promotes the following clients: AARP, General Electric, Siemens, Xoom (a PayPal service), and Zillow. Many consumers use these clients' sites and services to store sensitive personal and payment information.

Imperva has informed the appropriate global regulatory agencies, hired forensic experts to help with the breach investigation, reset affected clients' passwords, and is informing affected clients. Security experts quickly weighed in about the data breach. The Krebs On Security blog reported:

"Rich Mogull, founder and vice president of product at Kansas City-based cloud security firm DisruptOps, said Imperva is among the top three Web-based firewall providers... an attacker in possession of a customer’s API keys and SSL certificates could use that access to significantly undermine the security of traffic flowing to and from a customer’s various Web sites. At a minimum, he said, an attacker in possession of these key assets could reduce the security of the WAF settings... A worst-case scenario could allow an attacker to intercept, view or modify traffic destined for an Incapsula client Web site, and even to divert all traffic for that site to or through a site owned by the attacker."

So, this breach was serious because of the data elements exposed: API keys and SSL certificates are exactly what an attacker needs to weaken or bypass the protection the product exists to provide. It is another example indicating that hackers are persistent and attack where the money is.

Security experts said the cause of the breach is not yet known. Imperva is based in Redwood Shores, California.
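The expert quoted above explains why API keys and customer-provided certificates matter; what an affected customer actually has to do with that information is scope the exposure and work through the remediation. The following is an added example written for this page, not code from Imperva or from the Krebs On Security post. The two dates are from Imperva's announcement (accounts through September 15, 2017; the exposure learned of on August 20, 2019); the accounts, the certificate inventory and the byte strings standing in for DER-encoded certificates are constructed for illustration.

```python
"""Scope and remediation triage for the Incapsula/Cloud WAF exposure.

Dates come from Imperva's announcement (accounts through 2017-09-15; learned
2019-08-20). The accounts, certificate inventory and DER bytes below are
CONSTRUCTED for illustration and do not describe any real customer."""

import hashlib
from dataclasses import dataclass, field
from datetime import date

CUTOFF = date(2017, 9, 15)      # customer records through this date were exposed
DISCLOSED = date(2019, 8, 20)   # day Imperva says it learned of the exposure


@dataclass
class CertOnFile:
    uploaded: date          # when the customer handed the WAF the cert + private key
    not_after: date         # certificate expiry
    sha256: str             # hex SHA-256 of the DER-encoded certificate


@dataclass
class Account:
    name: str
    created: date
    api_key_on_file: bool
    certs: list = field(default_factory=list)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate (what `openssl x509
    -fingerprint -sha256` prints, minus the colons)."""
    return hashlib.sha256(der).hexdigest()


def in_scope(acct: Account) -> bool:
    """Announcement scope: customers who had accounts through the cutoff."""
    return acct.created <= CUTOFF


def remediation(acct: Account, today: date = DISCLOSED):
    """Ordered list of (action, detail) pairs for one account.

    Password hashes were exposed, so the password is treated as crackable
    offline even though it was salted and hashed. An exposed API key means
    the WAF configuration itself may have been changed, so rotation is
    followed by an audit. A certificate whose private key left the customer's
    control must be revoked and re-keyed if it is still valid; an expired one
    only needs a check that its key was never reused."""
    actions = []
    if not in_scope(acct):
        return actions
    actions.append(("password", "reset; assume hash has been cracked offline"))
    if acct.api_key_on_file:
        actions.append(("api_key", "rotate, then audit WAF rules and settings changed since cutoff"))
    for cert in acct.certs:
        if cert.uploaded > CUTOFF:
            continue                                       # uploaded after the exposed snapshot
        if cert.not_after >= today:
            actions.append(("cert_revoke", cert.sha256))   # still valid: revoke + new key pair
        else:
            actions.append(("cert_expired", cert.sha256))  # expired: confirm key not reused
    return actions


def exposed_fingerprints(accounts) -> set:
    """Fingerprints of every certificate that was on file before the cutoff."""
    return {c.sha256 for a in accounts if in_scope(a) for c in a.certs if c.uploaded <= CUTOFF}


def served_cert_exposed(served_der: bytes, exposed: set) -> bool:
    """Compare the certificate a site presents today against the exposed set;
    True means the key behind the live TLS endpoint may be in attacker hands."""
    return fingerprint(served_der) in exposed


# Constructed inventory (not real certificates; the bytes stand in for DER).
DER_ACME_2017 = b"constructed DER: acme.example 2017 cert"
DER_ACME_2015 = b"constructed DER: acme.example 2015 cert"
DER_BRAVO_2017 = b"constructed DER: bravo.example 2017 cert"

ACCOUNTS = [
    Account("acme", date(2016, 3, 1), True, [
        CertOnFile(date(2017, 1, 10), date(2020, 1, 10), fingerprint(DER_ACME_2017)),
        CertOnFile(date(2015, 6, 1), date(2016, 6, 1), fingerprint(DER_ACME_2015)),
    ]),
    Account("bravo", date(2017, 9, 15), False, [       # created on the cutoff day: in scope
        CertOnFile(date(2017, 12, 1), date(2019, 12, 1), fingerprint(DER_BRAVO_2017)),
    ]),
    Account("newco", date(2018, 2, 1), True),          # after the cutoff: not in scope
]

if __name__ == "__main__":
    exposed = exposed_fingerprints(ACCOUNTS)
    for acct in ACCOUNTS:
        print(acct.name, remediation(acct))
    print("acme still serving exposed cert:", served_cert_exposed(DER_ACME_2017, exposed))
```

The order of the actions is deliberate: rotating the API key before auditing the configuration closes the door first, and a certificate uploaded after the cutoff is left alone because the exposed snapshot predates it. In practice the DER bytes for `served_cert_exposed` would come from the live TLS handshake with the site, and the fingerprints from the customer's own records of what was uploaded to the WAF.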


EFF Filed Lawsuit In California Against AT&T To Stop Sales Of Wireless Customers' Realtime Geolocations

The Electronic Frontier Foundation (EFF) announced on July 16th that it had filed:

"... a class action lawsuit on behalf of AT&T customers in California to stop the telecom giant and two data location aggregators from allowing numerous entities—including bounty hunters, car dealerships, landlords, and stalkers—to access wireless customers’ real-time locations without authorization. An investigation by Motherboard earlier this year revealed that any cellphone user’s precise, real-time location could be bought for just $300. The report showed that carriers, including AT&T, were making this data available to hundreds of third parties without first verifying that users had authorized such access. AT&T not only failed to obtain its customers’ express consent, making matters worse, it created an active marketplace that trades on its customers’ real-time location data..."

The lawsuit, Scott, et al. v. AT&T Inc., et al., was filed in the U.S. District Court of the Northern District of California. The suit seeks money damages and an injunction against AT&T and the named location data aggregators: LocationSmart and Zumigo. The suit alleges AT&T violated the Federal Communications Act and engaged in deceptive practices under California’s unfair competition law. It also alleges that AT&T, LocationSmart, and Zumigo have violated California’s constitutional, statutory, and common law rights to privacy. The EFF is represented by Pierce Bainbridge Beck Price & Hecht LLP.


Aggression Detectors: What They Are, Who Uses Them, And Why

Like most people, you probably have not heard of "aggression detectors." What are these devices? Who makes them? Who uses these devices and why? Which consumers are affected?

To answer these questions, ProPublica explained who makes the devices and why:

"In response to mass shootings, some schools and hospitals are installing microphones equipped with algorithms. The devices purport to identify stress and anger before violence erupts... By deploying surveillance technology in public spaces like hallways and cafeterias, device makers and school officials hope to anticipate and prevent everything from mass shootings to underage smoking... Besides Sound Intelligence, South Korea-based Hanwha Techwin, formerly part of Samsung, makes a similar “scream detection” product that’s been installed in American schools. U.K.-based Audio Analytic used to sell its aggression- and gunshot-detection software to customers in Europe and the United States... Sound Intelligence CEO Derek van der Vorst said security cameras made by Sweden-based Axis Communications account for 90% of the detector’s worldwide sales, with privately held Louroe making up the other 10%... Mounted inconspicuously on the ceiling, Louroe’s smoke-detector-sized microphones measure aggression on a scale from zero to one. Users choose threshold settings. Any time they’re exceeded for long enough, the detector alerts the facility’s security apparatus, either through an existing surveillance system or a text message pinpointing the microphone that picked up the sound..."

The microphone-equipped sensors have been installed in a variety of industries. The Sound Intelligence website listed prisons, schools, public transportation, banks, healthcare institutes, retail stores, public spaces, and more. Louroe Electronics' site included a similar list plus law enforcement.

The ProPublica article also discussed several key issues. First, sensor accuracy and its own tests:

"... ProPublica’s analysis, as well as the experiences of some U.S. schools and hospitals that have used Sound Intelligence’s aggression detector, suggest that it can be less than reliable. At the heart of the device is what the company calls a machine learning algorithm. Our research found that it tends to equate aggression with rough, strained noises in a relatively high pitch, like [a student's] coughing. A 1994 YouTube clip of abrasive-sounding comedian Gilbert Gottfried ("Is it hot in here or am I crazy?") set off the detector, which analyzes sound but doesn’t take words or meaning into account... Sound Intelligence and Louroe said they prefer whenever possible to fine-tune sensors at each new customer’s location over a period of days or weeks..."

Second, accuracy concerns:

"[Sound Intelligence CEO] Van der Vorst acknowledged that the detector is imperfect and confirmed our finding that it registers rougher tones as aggressive. He said he “guarantees 100%” that the system will at times misconstrue innocent behavior. But he’s more concerned about failing to catch indicators of violence, and he said the system gives schools and other facilities a much-needed early warning system..."

This is interesting and troubling. Sound Intelligence's position seems to suggest that it is okay for the sensor to misidentify innocent persons as aggressive in order to avoid failing to identify truly aggressive persons seeking to do harm. That sounds like the old saying: the ends justify the means. Not good. The harm to innocent persons matters, especially when they are young students.
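ProPublica's description gives enough of the mechanism to work through the trade-off concretely: a score between zero and one per slice of audio, a customer-chosen threshold, and an alert only when the threshold is exceeded "for long enough." The following is an added example written for this page, not code from Sound Intelligence, Louroe or ProPublica. The score streams are constructed, and the model is the simplest one consistent with the article (a run counter over a fixed threshold); the point it demonstrates is that any threshold and dwell setting trades false alarms against missed events, and that a threat the score never reflects (because the detector ignores words) is missed at every setting.

```python
"""Threshold-plus-dwell alerting over a 0..1 aggression score, with a
false-positive / false-negative accounting for each setting.

All score streams below are CONSTRUCTED for illustration; they are not
measurements from any vendor's device."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Clip:
    name: str
    aggressive: bool      # ground truth: did a human reviewer judge this clip threatening?
    scores: tuple         # one score per analysis frame, each in [0, 1]


# Constructed score streams. The two "rough, high-pitched but harmless" clips
# score high because the model keys on tone, not words; the quiet threat
# scores low for the same reason.
CLIPS = (
    Clip("cough_fit",       False, (0.1, 0.2, 0.85, 0.9, 0.88, 0.82, 0.3, 0.1, 0.1, 0.1)),
    Clip("comedy_clip",     False, (0.7, 0.75, 0.8, 0.85, 0.9, 0.9, 0.85, 0.8, 0.75, 0.7)),
    Clip("shouting_match",  True,  (0.5, 0.7, 0.9, 0.95, 0.95, 0.9, 0.92, 0.9, 0.6, 0.4)),
    Clip("quiet_threat",    True,  (0.1, 0.2, 0.2, 0.3, 0.25, 0.2, 0.2, 0.15, 0.1, 0.1)),
    Clip("hallway_chatter", False, (0.2, 0.3, 0.4, 0.3, 0.2, 0.35, 0.3, 0.2, 0.2, 0.1)),
)


def alert_frames(scores, threshold, min_frames):
    """Indices at which an alert fires: the score has stayed >= threshold for
    min_frames consecutive frames. The run counter resets on any dip, so a
    single spike never alerts unless min_frames == 1, and a long run alerts
    once rather than on every frame."""
    fired = []
    run = 0
    for i, s in enumerate(scores):
        if s >= threshold:
            run += 1
            if run == min_frames:
                fired.append(i)
        else:
            run = 0
    return fired


def evaluate(clips, threshold, min_frames):
    """Confusion counts for one detector setting over a labelled clip set."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for clip in clips:
        alerted = bool(alert_frames(clip.scores, threshold, min_frames))
        if clip.aggressive:
            counts["tp" if alerted else "fn"] += 1
        else:
            counts["fp" if alerted else "tn"] += 1
    return counts


def sweep(clips, thresholds=(0.8, 0.9), durations=(3, 5)):
    """Tabulate the trade-off the vendor describes: tuning for fewer missed
    events (lower threshold, shorter dwell) buys more false alarms, and no
    setting recovers an event the score never reflects."""
    return {(t, d): evaluate(clips, t, d) for t in thresholds for d in durations}


if __name__ == "__main__":
    for (t, d), c in sweep(CLIPS).items():
        print(f"threshold={t:.2f} dwell={d}: {c}")
```

On the constructed clips, the loosest setting (0.8 for three frames) flags both harmless clips along with the shouting match; raising the dwell to five frames drops the cough; raising the threshold to 0.9 drops both false alarms. The quiet threat is a false negative in every row, which is the failure mode a vendor cannot tune away when the model "doesn't take words or meaning into account." That is the honest way to read the CEO's "guarantees 100%" remark: the false alarms are adjustable, the blind spot is not.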

Yesterday's blog post described a far better corporate approach. Given the current inaccuracies and biases in the technology, a police body camera maker assembled an ethics board to help guide its decisions regarding facial recognition, and then followed that board's recommendation not to implement facial recognition in its devices until the inaccuracies and biases are resolved.

What ethics boards have Sound Intelligence, Louroe, and other aggression detector makers utilized?

Third, the use of aggression detectors raises the issue of notice. Are there physical postings on-site at schools, hospitals, healthcare facilities, and other locations? Notice seems appropriate, especially since almost all entities provide notice (e.g., terms of service, privacy policy) for visitors to their websites.

Fourth, privacy concerns:

"Although a Louroe spokesman said the detector doesn’t intrude on student privacy because it only captures sound patterns deemed aggressive, its microphones allow administrators to record, replay and store those snippets of conversation indefinitely..."

I encourage parents of school-age children to read the entire ProPublica article. Concerned parents may demand explanations by school officials about the surveillance activities and devices used within their children's schools. Teachers may also be concerned. Patients at healthcare facilities may also be concerned.

Concerned persons may seek answers to several issues:

  • The vendor selection process, which aggression detector devices were selected, and why
  • Evidence supporting the accuracy of aggression detectors used
  • The school's/hospital's policy, if it has one, covering surveillance devices; plus any posted notices
  • The treatment and rights of wrongly identified persons (e.g., students, patients, visitors, staff) by aggression detector devices
  • Approaches by the vendor and school to improve device accuracy for both types of errors: a) wrongly identified persons, and b) failures to identify truly aggressive or threatening persons
  • How long the school and/or vendor archive recorded conversations
  • What persons have access to the archived recordings
  • The data security methods used by the school and by the vendor to prevent unauthorized access and abuse of archived recordings
  • All entities, by name, which the school and/or vendor share archived recordings with

What are your opinions of aggression detectors? Of device inaccuracy? Of the privacy concerns?


New Bill In California To Strengthen Its Consumer Privacy Law

Lawmakers in California have proposed legislation to strengthen the state's existing privacy law. California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson jointly announced Senate Bill 561, to improve the California Consumer Privacy Act (CCPA). According to the announcement:

"SB 561 helps improve the workability of the [CCPA] by clarifying the Attorney General’s advisory role in providing general guidance on the law, ensuring a level playing field for businesses that play by the rules, and giving consumers the ability to enforce their new rights under the CCPA in court... SB 561 removes requirements that the Office of the Attorney General provide, at taxpayers’ expense, businesses and private parties with individual legal counsel on CCPA compliance; removes language that allows companies a free pass to cure CCPA violations before enforcement can occur; and adds a private right of action, allowing consumers the opportunity to seek legal remedies for themselves under the act..."

Senator Jackson introduced the proposed legislation in the state Senate. Enacted in 2018, the CCPA will go into effect on January 1, 2020. The law prohibits businesses from discriminating against consumers for exercising their rights under the CCPA. The law also includes several key requirements businesses must comply with:

  • "Businesses must disclose data collection and sharing practices to consumers;
  • Consumers have a right to request their data be deleted;
  • Consumers have a right to opt out of the sale or sharing of their personal information; and
  • Businesses are prohibited from selling personal information of consumers under the age of 16 without explicit consent."

State Senator Jackson said in a statement:

"Our constitutional right to privacy continues to face unprecedented assault. Our locations, relationships, and interests are being tracked without our knowledge, bought and sold by corporate interests for their own economic gain and conducted in order to manipulate us... With the passage of the California Consumer Privacy Act last year, California took an important first step in protecting our fundamental right to privacy. SB 561 will ensure that the most significant privacy protections in the nation are effectively and robustly enforced."

Predictably, the pro-business lobby opposes the legislation. The Sacramento Bee reported:

"Punishment may be an incentive to increase compliance, but — especially where a law is new and vague — eliminating a right to cure does not promote compliance," the California Chamber of Commerce released in a statement on February 25. "SB 561 will not only hurt and possibly bankrupt small businesses in the state, it will kill jobs and innovation."

Sounds to me like fearmongering by the Chamber. Senator Jackson has it right. From the same Sacramento Bee article:

"If you don’t violate the law, you won’t get sued... To have very little recourse when these violations occur means that these large companies can continue with their inappropriate, improper behavior without any kind of recourse and sanction. In order to make sure they comply with the law, we need to make sure that people are able to exercise their rights."

Precisely. Two concepts seem to apply:

  • If you can't protect it, don't collect it (e.g., consumers' personal information), and
  • If the data collected is so valuable, compensate consumers for it

Regarding the second item, the National Law Review reported:

"Much has been made of California Governor Gavin Newsom’s recent endorsement of “data dividends”: payments to consumers for the use of their personal data. Common Sense Media, which helped pass the CCPA last year, plans to propose legislation in California to create such a dividend. The proposal has already proven popular with the public..."

Laws like the CCPA seem to be the way forward. Kudos to California for moving to better protect consumers. This proposed update puts teeth into existing law. Hopefully, other states will follow soon.


California Seeks To Close Loopholes In Its Data Breach Notification Law

California is pursuing legislation to close loopholes in its existing data breach notification law. Current state law in California does not require businesses to notify consumers when their passport numbers or biometric data are exposed or stolen during a data breach. The proposed law would close that loophole.

The legislation was prompted by the gigantic data breach at Marriott's Starwood Hotels unit. The sensitive information of more than 327 million guests was accessed by unauthorized persons. The data accessed -- and probably stolen -- included guests' names, addresses, at least 25 million passport numbers, and more. California Attorney General Xavier Becerra announced the proposed legislation:

"Though [Marriott] did notify consumers of the breach, current law does not require companies to report breaches if only consumers’ passport numbers have been improperly accessed... In 2003, California became the first state to pass a data breach notification law requiring companies to disclose breaches of personal information to California consumers whose personal information was, or was reasonably believed to have been, acquired by an unauthorized person... This bill would update that law to include passport numbers as personal information protected under the statute. Passport numbers are unique, government-issued, static identifiers of a person, which makes them valuable to criminals seeking to create or build fake profiles and commit sophisticated identity theft and fraud. AB 1130 would also update the statute to include protection for a person’s unique biometric information, such as a fingerprint, or image of a retina or iris."

Assembly member Marc Levine (D-San Rafael) introduced the proposed legislation in the California State Assembly, and said in a statement:

“There is a real danger when our personal information is not protected by those we trust... Businesses must do more to protect personal data, and I am proud to stand with Attorney General Becerra in demanding greater disclosure by a company when a data breach has occurred. AB 1130 will increase our efforts to protect consumers from fraud and affirms our commitment to demand the strongest consumer protections in the nation."

Good. There are too many examples of companies failing to announce data breaches affecting consumers. TechCrunch reported that AB 1130:

"... comes less than a year after state lawmakers passed the California Privacy Act into law, greatly expanding privacy rights for consumers — similar to provisions provided to Europeans under the newly instituted General Data Protection Regulation. The state privacy law, passed in June and set to go into effect in 2020, was met with hostility by tech companies headquartered in the state... Several other states, like Alabama, Florida and Oregon, already require data breach notifications in the event of passport number breaches, and also biometric data in the case of Iowa and Nebraska, among others..."

Kudos to California for moving to better protect consumers. Hopefully, other states will also update their breach notification laws.


Walgreens To Pay About $2 Million To Massachusetts To Settle Multiple Price Abuse Allegations. Other Settlement Payments Exceed $200 Million

The Office of the Attorney General of the Commonwealth of Massachusetts announced two settlement agreements with Walgreens, a national pharmacy chain. Walgreens has agreed to pay about $2 million to settle multiple allegations of pricing abuses. According to the announcement:

"Under the first settlement, Walgreens will pay $774,486 to resolve allegations that it submitted claims to MassHealth in which it reported prices for certain prescription drugs at levels that were higher than what Walgreens actually charged, resulting in fraudulent overpayments."

"Under the second settlement, Walgreens will pay $1,437,366 to resolve allegations that from January 2006 through December 2017, rather than dispensing the quantity of insulin called for by a patient’s prescription, Walgreens exceeded the prescription amount and falsified information on claims submitted for reimbursement to MassHealth, including the quantity of insulin and/or days’ supply dispensed."

Both settlements arose from whistleblower activity. MassHealth is the Commonwealth's Medicaid program. A state law passed in 2006 expanded coverage with the goal of health insurance for all Commonwealth residents; it was amended in 2008 and 2010 to make it consistent with the federal Affordable Care Act.

Massachusetts Attorney General (AG) Maura Healey said:

"Walgreens repeatedly failed to provide MassHealth with accurate information regarding its dispensing and billing practices, resulting in overpayment to the company at taxpayers’ expense... We will continue to investigate cases of fraud and take action to protect the integrity of MassHealth."

In a separate case, Walgreens will pay $1 million to the state of Arkansas to settle allegations of Medicaid fraud. Last month, the New York State Attorney General announced that New York State, other states, and the federal government reached:

"... an agreement in principle with Walgreens to settle allegations that Walgreens violated the False Claims Act by billing Medicaid at rates higher than its usual and customary (U&C) rates for certain prescription drugs... Walgreens will pay the states and federal government $60 million, all of which is attributable to the states’ Medicaid programs... The national federal and state civil settlement will resolve allegations relating to Walgreens’ discount drug program, known as the Prescription Savings Club (PSC). The investigation revealed that Walgreens submitted claims to the states’ Medicaid programs in which it identified U&C prices for certain prescription drugs sold through the PSC program that were higher than what Walgreens actually charged for those drugs... This is the second false claims act settlement reached with Walgreens today. On January 22, 2019, AG James announced that Walgreens is to pay New York over $6.5 million as part of a $209.2 million settlement with the federal government and other states, resolving allegations that Walgreens knowingly engaged in fraudulent conduct when it dispensed insulin pens..."

States involved in the settlement include New York, California, Illinois, Indiana, Michigan and Ohio. Kudos to all Attorneys General and their staffs for protecting patients against corporate greed.


Technology And Human Rights Organizations Sent Joint Letter Urging House Representatives Not To Fund 'Invasive Surveillance' Tech Instead of A Border Wall

More than two dozen technology and human rights organizations sent a joint letter Tuesday to members of the House of Representatives, urging them not to fund "invasive surveillance technologies" in place of a physical wall or barrier along the southern border of the United States. The joint letter cited five concerns, three of which are quoted here:

"1. Risk-based targeting: The proposal calls for “an expansion of risk-based targeting of passengers and cargo entering the United States.” We are concerned that this includes the expansion of programs — proven to be ineffective and to exacerbate racial profiling — that use mathematical analytics to make targeting determinations. All too often, these systems replicate the biases of their programmers, burden vulnerable communities, lack democratic transparency, and encourage the collection and analysis of ever-increasing amounts of data... 3. Biometrics: The proposal calls for “new cutting edge technology” at the border. If that includes new face surveillance like that deployed at international airline departures, it should not. Senator Jeff Merkley and the Congressional Black Caucus have expressed serious concern that facial recognition technology would place “disproportionate burdens on communities of color and could stifle Americans’ willingness to exercise their first amendment rights in public.” In addition, use of other biometrics, including iris scans and voice recognition, also raise significant privacy concerns... 5. Biometric and DNA data: We oppose biometric screening at the border and the collection of immigrants’ DNA, and fear this may be another form of “new cutting edge technology” under consideration. We are concerned about the threat that any collected biometric data will be stolen or misused, as well as the potential for such programs to be expanded far beyond their original scope..."

The letter was sent to Speaker Nancy Pelosi, Minority Leader Kevin McCarthy, Majority Leader Steny Hoyer, Minority Whip Steve Scalise, and House Appropriations Committee Chair Nita Lowey and Ranking Member Kay Granger.

Twenty-seven organizations signed the joint letter, including Fight for the Future, the Electronic Frontier Foundation, the American Civil Liberties Union (ACLU), the American-Arab Anti-Discrimination Committee, the Center for Media Justice, the Project On Government Oversight, and others. Read the entire letter.

Earlier this month, a structural and civil engineer cited several reasons why a physical wall won't work and would be vastly more expensive than the $5.7 billion requested.

Clearly, there are distinct advantages and disadvantages to each of the border-protection solutions the House and the President are considering. It is a complex problem. The advantages and disadvantages of all proposals need to be clear, transparent, and understood by taxpayers before any final decisions are made.


Aging Machines, Crowds, Humidity: Problems at the Polls Were Mundane but Widespread

[Editor's Note: today's guest blog post, by Reporters at ProPublica, discusses widespread problems many voters encountered earlier this month. The data below was compiled before the runoffs in Florida, Georgia and other states. It is reprinted with permission.]

By Ian MacDougall, Jessica Huseman, and Isaac Arnsdorf - ProPublica

If the defining risk of Election Day 2016 was foreign meddling, 2018’s seems to have been a domestic overload. High turnout across the country threw existing problems — aging machines, poorly trained poll workers and a hot political landscape — into sharp relief.

Michael McDonald, a political science professor at the University of Florida who studies turnout, says early numbers indicate Tuesday’s midterm saw the highest percentage turnout since the mid-’60s. “All signs indicate that everyone is now engaged in this country — Republicans and Democrats,” he said, adding that he expects 2020 to also be a year of high turnout. “Election officials need to start planning for that now, and hopefully elected officials who hold the purse strings will be responsive to those needs.”

Aging Technology

Electionland monitored problems across the country on Election Day, supporting the work of 250 local journalists in more than 120 local newsrooms. Thousands of voters reported issues at the polls, and Electionland sought to report on as many as possible. The most striking problem of the night was perhaps the most predictable — aged or ineffective voting equipment caused hours-long lines across the country.

American voting hasn’t had a major technology refresh since the early 2000s, in the aftermath of the Florida recount and the passage of the 2002 Help America Vote Act, which infused billions of dollars into American elections. More recent upgrades, such as poll books that could be accessed via computer, were supposed to reduce bottlenecks at check-ins — but they repeatedly failed on Tuesday, worsening waits in Georgia, South Carolina and Indiana.

While aging infrastructure was already a well-known problem to election administrators, the surge of voters experiencing ordinary glitches led to extraordinarily long waits, sometimes stretching over hours. From Pennsylvania to Georgia to Arizona and Michigan, polling places started the day with broken machines leading to long lines, and never recovered.

“In 2016, we learned the technology has security vulnerabilities. Today was a wake-up call to performance vulnerabilities,” said Trey Grayson, the former president of the National Association of Secretaries of State and a member of the 2013 Presidential Commission on Election Administration. Tuesday, Grayson said, showed “the implications of turnout, stressing the system, revealing planning failures, feel impact of limited resources. If you had more resources, you’d have had more paper ballots, more machines, more polling places.”

The election hotline from the Lawyers’ Committee for Civil Rights Under Law clocked 24,000 calls by 6 p.m., twice the rate in the 2014 midterm election. “People were not able to vote because of technical issues that are completely avoidable,” Ryan Snow, of the Lawyers’ Committee, said. “People who came to vote — registered to vote, showed up to vote — were not able to vote.”

“We think we can solve all of these voting problems by adding technology, but you have to have a contingency plan for when each of these pieces fail,” said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy & Technology in Washington, D.C. It appears many of the places that saw electronic poll book failures had no viable backup system.

Hall said that problems with machines and computers force election administrators to become technicians on the spot, despite their lack of training. This exacerbates problems: Poll workers aren’t able to accurately or efficiently report issues to their central offices, leading to delays in dispatches of appropriate equipment or staff.

Perhaps the most embarrassing technological faceplant was in New York City, where the machines used to scan ballots proved no match for wet weather. Humidity caused the scanners to malfunction, leading to outages and long lines.

The breakdowns proliferated up and down the East Coast. Humidity also roiled scanners in North Carolina. In Charleston, South Carolina, an interminable delay driven by a downed voting system drove one person to leave for work before she could cast her ballot. “It felt like a type of disenfranchisement,” she told ProPublica. Voting machine outages in some Georgia precincts stranded voters in hours-long lines. In predominantly black sections of St. Petersburg, Florida, wait times ballooned as voting machines froze.

Some of the pressure on the aging technology was relieved by early and mail-in voting, so that everyone didn’t have to vote on the same day, Grayson said. But many states still require people to cast their ballots on Election Day, and others have added time-consuming procedures such as strict ID requirements.

Those sorts of security measures add their own layers of confusion. Many voters reported never receiving their ballots in the mail. Georgia voter Shelley Martin couldn’t vote because her ballot was mailed to the wrong address — even though she filled out her address correctly, the county election office accidentally changed a 9 to a 0. In Ohio, some in-person voters were incorrectly told they had already received an absentee ballot, because of a computer error.

When people show up at the wrong polling place or have problems with their registration, they are usually entitled to cast a provisional ballot that will be counted once it’s verified. But these problems were so common on Tuesday that some locations ran out of provisional ballots and turned people away, according to North Carolina voters’ reports to ProPublica. In Arizona, some voters were told they couldn’t have provisional ballots because of broken printers. In Pennsylvania, some college students encountered glitches with their registration and said poll workers wouldn’t give them provisional ballots.

A newly implemented law in North Dakota left a handful of college students — many of whom had voted in previous elections — confused and unable to vote. “I was so frustrated because I’ve voted in North Dakota before,” said Alissa Maesse, a student at the University of North Dakota who came to the polls with a Minnesota driver’s license and bank statement with a North Dakota address, but needed a North Dakota driver’s license, identification card or tribal ID. “I can’t participate at all and I wanted to.”

Administrative Error

Administrative stumbling blocks and unhelpful election officials left some voters throughout the day scrambling to figure out where or how they were supposed to vote. Across the country, confusion over new laws and poll worker error forced voters to work with attorneys or drive long distances in an attempt to solve problems.

In Missouri, a last-minute court ruling resulted in chaos across the state. Less than a month before, a judge radically altered the state’s voter ID law to allow more valid forms of identification. By then, poll workers had already been trained. Many enforced the incorrect version of the law.

In St. Charles County, northwest of St. Louis, voters across the county reported that poll workers openly argued with voters who showed identification allowed under the new ruling, demanding old forms of ID. By the end of the evening, the county had ignored demand letters from attorneys at Advancement Project, a civil rights group. Denise Lieberman, an attorney with the group, said it is considering legal remedies due to the county’s “flagrant disregard” for the judge’s ruling.

Rich Chrismer, the director of elections for the county, said he never saw the letters — he was at polling places all day. By late morning, he’d been made aware of 12 different polling locations where poll workers were giving incorrect instructions. He utilized the local police to distribute memos to all 121 polling locations, correcting poll worker instructions. They were distributed by the late morning, and complaints dropped off after that, he said.

Chrismer said training had already happened by the time the judge issued his ruling, but that he’d put new instructions in “four different places” in the packet mailed to poll workers ahead of the election. “They were either ignoring me or they didn’t know how to read, which upsets me,” he said.

Dallas County Clerk Stephanie Hendricks expressed similar frustration at the short window of time allowed by the court to retrain poll workers, update signs and ensure voter understanding.

Hendricks said the small county had to “scrape the bottom of the barrel” for poll workers, who only received 90 minutes of training. This, combined with the very short notice for the legal change, made it difficult to help poll workers understand the law. “The last few elections it’s been photo ID, photo ID, photo ID, and now all of a sudden the brakes have been thrown on. It’s confusing for people,” she said.

The frustrations for Chris Sears began on Friday, when he turned up to cast an early ballot at Cinco Ranch Public Library, a brick building abutting a duck pond in the suburbs west of Houston. Sears, a 43-year-old Texan who works in real estate, had voted at the library in the 2016 election, after moving to the area from adjoining Harris County a year earlier. Now, at the library, poll workers couldn’t find him in their rolls. His only recourse, they told him, was to drive the half hour or so to the Fort Bend County election office. Sears, realizing he wouldn’t make it there and back before early voting closed, decided to go first thing Tuesday morning.

After he explained his situation and presented his driver’s license, which had a local address, the clerk at the election office had a terse message for him. She slid a fresh voter registration application across the counter and told him: “Fill this out, and you’ll be eligible to vote in the next election.” Sears told the clerk he hadn’t moved, and that he’d voted in the last election.

The clerk was unmoved. “What you can do,” the clerk repeated, pointing at the registration form, “is fill this out, and vote in the next election.”

Sears wasn’t alone. As he went back and forth with the clerk, three other men who, like Sears, had moved recently from other Texas counties, came in with near-identical complaints. The clerk gave them the same response she had given Sears. County officials told ProPublica they all should have been offered provisional ballots — not sent across town or told to register again.

Ultimately, Sears would cast a provisional ballot, but he didn’t discover this option until he’d done hours of research to try and hunt down the cause of his problems.

“I finally got to vote,” he said. “But that was after driving across two counties and spending five or six hours of my time trying to determine whether there was a way I could do it.”

Some administrative problems were a bit more bizarre — a polling place in Chandler, Arizona, was foreclosed upon overnight. Voter Joann Swain arrived at the Golf Academy of America, which housed the poll, to find TV news crews and a crowd of people in the parking lot of the type of faux Spanish Mission Revival shopping centers that fleck the desert around Phoenix. Voting booths were arrayed along the sidewalk.

A sign affixed to the building’s locked front door indicated that the landlord has foreclosed on the Golf Academy for failing to pay rent. While poll workers had set up the voting booths the night before, that didn’t appear to matter to the landlord. The sign read: “UNAUTHORIZED ENTRY UPON THESE PREMISES OR THE REMOVAL OF PROPERTY HEREFROM MAY RESULT IN CRIMINAL AND/OR CIVIL PROSECUTION.”

The timing struck Swain as suspect. “Were they trying to make it more difficult for people to vote?” she asked Wednesday. Election officials had provided no answers. “It’s just fishy.”

Swain, who is 47, waited in line for two hours as poll workers promised the machines necessary for voters to print and cast their ballot were on their way from Phoenix. She didn’t want to cast a provisional ballot, for fear it wouldn’t be counted. One man in line who took poll workers up on an alternative to waiting — voting at Chandler City Hall — returned not long after he left. With polling site difficulties cropping up throughout the Phoenix area, he hadn’t been able to vote there either.

To the puzzlement of voters waiting in line, Maricopa County Recorder Adrian Fontes tweeted that the Golf Academy polling place was open. “No it’s not. I’m here,” an Arizonan named Gary Taylor shot back.

Other voters reacted to the situation more volubly. “I got things to do. I can’t stand around all day waiting because these guys can’t do their job,” a voter named Thomas Wood told reporters. “It’s ridiculous. It’s absolutely ridiculous.”

Swain ultimately left at 8:30 a.m. By the time she returned, later in the day, poll workers had set up the voting machines delivered from Phoenix in another storefront in the shopping center. The original machines remained locked in the Golf Academy, she said.

Electioneering

Back East, reports of potentially improper political messages at polling sites had begun to crop up, and the response from election officials highlighted the at times flimsy nature of electioneering laws. On Tuesday morning, a handwritten sign appeared on the door of a polling station near downtown Pittsburgh, which read “Vote Straight Democrat.” County election officials were alerted to the sign in the early afternoon, but by then the sign had been removed, Amie Downs, an Allegheny County spokeswoman, said in a statement.

An official in the county election office, who declined to give her name, blamed the sign on a member of the local Democratic Party committee. “He said he does that every year but never had problems till this year,” she said. Pennsylvania law prohibits electioneering within 10 feet of a polling place, and Downs said it wasn’t clear whether the sign violated the law.

Down the coast, in New Port Richey — a politically mixed cluster of strip malls northwest of Tampa, Florida — Pastor Al Carlisle triggered upward of 75 complaints to Pasco County election officials after he put up a handwritten sign reading “Don’t Vote for Democrats on Tuesday and Sing ‘Oh How I Love Jesus’ on Sunday” outside his church. That wouldn’t be a problem, except that on Election Day, his church doubles as a polling place. Carlisle remained unrepentant. He continued Wednesday to trumpet the sign on his Facebook page, mixed among posts conflating religious faith with support for President Donald Trump.

Local election officials, however, stopped at mild censure. Pasco County election chief Brian Corley told the Tampa Bay Times the sign was “not appropriate” but legal, since Carlisle had placed it just over 100 feet away from where voters were casting their ballots.

Later in the day, some voters complained about large posters opposing abortion — an example: “God Doesn’t Make Mistakes, Choose Life” — plastered on the walls of a church gymnasium in Holts Summit, Missouri, used as a polling place. Despite the political implications, election officials told local radio station KBIA that the posters were legal because there were no abortion-related issues on the ballot.

Behind the scenes, officials nationwide were addressing gaps in website reliability and security. In Kentucky, a handful of county websites that provided information to voters flickered offline for parts of the day. State officials said the issue was likely a technical problem not caused by a malicious attack.

But several states meanwhile alerted U.S. election-security officials to efforts by hackers scanning their computer systems for software vulnerabilities. Days before the election, a county clerk’s office said its email account was compromised and its messages forwarded to a private Gmail address, according to a person familiar with the matter who was not authorized to discuss it publicly.

As polls closed Tuesday evening, back in New York, the crowds and ballot scanner failures remained. At one school in Brooklyn that had seen long lines in the morning, the wait to vote at 7 p.m. was no better — still upward of two hours, Emily Chen told ProPublica. By the end of the day, the New York City Council speaker had called for the elections director’s resignation, and the mayor had denounced the technical snags as “absolutely unacceptable.”

Down the coast, in Broward County, Florida, just north of Miami, election officials were struggling with a technical failure of a different sort. Seven precincts were unable to transmit vote tallies electronically. This time, it would force election officials to internalize what voters had suffered throughout much of the day. Around 11 p.m., they walked out into the balmy South Florida night, got into their cars and drove the voter files to the county election office.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


More Consequences From The Phony-Accounts Scandal At Wells Fargo Bank

Wells Fargo logo Consequences continue after the bank's phony-accounts scandal. Last week, Wells Fargo announced several changes in senior management:

"Chief Administrative Officer Hope Hardison and Chief Auditor David Julian have begun leaves of absence from Wells Fargo and will no longer be members of the company’s Operating Committee. These leaves relate to previously disclosed ongoing reviews by regulatory agencies in connection with historical retail banking sales practices. These leaves of absence are unrelated to the company’s reported financial results..."

An investigation in 2017 found a new total of 3.5 million phony consumer and small-business accounts set up by employees trying to game an internal sales compensation system. The phony accounts, many of which incurred fees and charges, had been set up without customers' knowledge or approval. Under a 2016 settlement agreement with the Consumer Financial Protection Bureau (CFPB), Wells Fargo paid a $185 million fine last year for alleged unlawful sales practices involving the 1.5 million phony accounts known at that time. In 2016, about 5,300 mostly lower-level employees had been fired as a result of the scandal.

The latest announcement listed more executive changes:

"David Galloreese continues as head of Human Resources and will report directly to CEO and President Tim Sloan and join the Operating Committee. Cara Peck, who heads the Culture and Change Management teams, will report directly to Galloreese.

Jim Rowe continues as head of Stakeholder Relations and will report directly to Sloan. Stakeholder Relations will expand to include Corporate Philanthropy and Community Relations, headed by Jon Campbell... Kimberly Bordner, currently executive audit director, will become the company’s acting Chief Auditor..."

The bank is conducting an executive search for a new Chief Auditor.

Executives at the bank have plenty to fix. In April, federal regulators assessed a $1 billion fine against the bank for violations of the Consumer Financial Protection Act (CFPA) in the way it administered mandatory insurance for auto loans. In August, reports surfaced that the bank had accidentally foreclosed on 400 homeowners it shouldn't have due to a software bug.

In June 2017, U.S. Senator Elizabeth Warren (D-Massachusetts) called for the firing of all 12 board members at Wells Fargo bank for failing to adequately protect account holders. Let's hope these latest senior executive changes bring about needed changes.


Uber To Pay $148 Million To Settle Lawsuits And Coverup From Its 2016 Data Breach

Uber logo California-based Uber Technologies, Inc. has agreed to pay $148 million to settle lawsuits by several states' attorneys general regarding the ride-sharing service's massive data breach in 2016, in which hackers stole information about 57 million Uber customers and drivers worldwide, including 600,000 U.S. driver's license numbers. The breach problems were compounded by allegations that Uber paid the hackers $100,000 for their silence, and by the company's failure to notify both state agencies and affected consumers about the breach.

Josh Shapiro, the Attorney General (AG) for the State of Pennsylvania, announced on Wednesday the settlement agreement, which involves a coalition of 51 state AGs:

"In November 2016, Uber learned that hackers had gained access to some personal information Uber maintains about its drivers, including drivers’ license information for about 600,000 drivers nationwide. Instead of reporting the breach to law enforcement and impacted individuals, Uber tracked down the hackers and obtained assurances that the hackers deleted the information – and made payments to ensure their silence... Since some of the compromised information – specifically driver’s license numbers – is considered personally identifiable information (PII), Uber was required to notify impacted individuals under the Pennsylvania Breach of Personal Information Notification Act. However, Uber failed to report the breach until November 2017."

13,500 Uber drivers in Pennsylvania were affected by the breach. Pennsylvania's share of the total payment is $5.7 million. Each Uber driver in Pennsylvania will receive $100.

48 states have data breach notification laws requiring various levels of notification to both state officials and affected consumers, who need notice in order to take action to protect themselves and their sensitive personal and payment information.

Massachusetts' share of the total payment is $7.1 million, of which $6.5 million will be distributed to the Commonwealth’s General fund and $600,000 will be used to assist consumers and businesses. Massachusetts AG Maura Healey said:

"Uber failed to immediately report this data breach and tried to pay hush money to hackers. This settlement should be a lesson to other businesses that consumers have a right to know when their personal information has been compromised."

California's share of the total payment is $26 million. California AG Xavier Becerra said:

"Uber’s decision to cover up this breach was a blatant violation of the public’s trust. The company failed to safeguard user data and notify authorities when it was exposed. Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law. Companies in California and throughout the nation are entrusted with customers’ valuable private information. This settlement broadcasts to all of them that we will hold them accountable to protect their data."

San Francisco District Attorney George Gascon said:

"We wholeheartedly support innovative business models, but new ways of engaging in business cannot come at the expense of public safety or consumer privacy. This settlement today demonstrates what happens when all of us in law enforcement work together. My office will continue to collaborate closely with the Attorney General to protect consumers both in San Francisco, and the rest of California."

Terms of the settlement agreement require Uber and its executives to:

"1. Implement and maintain robust data security practices.
2. Comply with state laws in connection with its collection, maintenance, and safeguarding of personal information, as well as reporting of data security incidents.
3. Accurately and honestly represent data security and privacy practices to better ensure transparency in how the company’s driver and customer information is safeguarded.
4. Develop, implement, and maintain a comprehensive information security program with an executive officer who advises key executive staff and Uber’s Board of Directors.
5. Report any data security incidents to states on a quarterly basis for two years.
6. Maintain a Corporate Integrity Program that includes a hotline to report misconduct, quarterly reports to the board, implementation of privacy principles, and an annual code of conduct training".

Uber and its executives have a long history of sketchy behavior including the 'Greyball' worldwide program by executives to thwart code enforcement inspections by governments, dozens of employees fired or investigated for sexual harassment, a lawsuit describing how the company's mobile app allegedly scammed both riders and drivers, and privacy abuses with the 'God View' tool.

This breach settlement is another reminder that Uber and its executives deserve close monitoring and supervision.


Fund Meant to Protect Elections May Be Too Little, Too Late

[Editor's note: today's guest post, by reporters at ProPublica, is the latest in a series about the integrity and security of voting systems in the United States. It is reprinted with permission.]

By Blake Paterson and Ally J. Levine, ProPublica

The Election Assistance Commission (EAC), the government agency charged with distributing federal funds to support elections, released a report two weeks ago detailing how each state plans to spend a total of $380 million in grants allocated to improve and secure their election systems.

But even as intelligence officials warn of foreign interference in the midterm election, much of the money is not expected to be spent before Election Day. The EAC expects states to spend their allotted money within two to three years and gives them until 2023 to finish spending it.

Election experts have expressed skepticism that the money will be enough to modernize election equipment and secure it against state-sponsored cyber threats.

“Nationally, $380 million sounds like a huge amount of money, but in the context of what the election officials are needing to defend, replace, oversee and mitigate, it’s really not that much,” said Tammy Patrick, a senior adviser at the Democracy Fund. Federal funds were allocated to states proportionally, based on each one’s voting-age population.

As California Secretary of State Alex Padilla wrote in an opinion piece for The Hill, the $380 million isn’t even new money: “Remember butterfly ballots and hanging chads? The recent federal appropriation was simply the final disbursement of money originally approved in 2003 to address the debacle of the 2000 presidential election in Florida.”

Nearly two-thirds of the funds are expected to go toward new voting equipment and increased cybersecurity protection, with the remainder going toward updating voter registration systems, implementing post-election audits, improving election-related communication efforts and holding the money in reserve.

Two states — Kansas and Montana — received extensions and have yet to submit plans to the federal government.

Here’s how the other states plan to use their portions of federal funds.

The largest portion of the $380 million will be used to improve election cybersecurity, on items such as training local election officials, purchasing new software, and hiring IT personnel and cybersecurity experts.

Thirty-eight states are allocating funds to cybersecurity. Illinois is one of three — Wisconsin and New York are the others — planning to dedicate all of their allotments to this. In 2016, Russian hackers breached Illinois’ voter registration database and stole the names, emails and partial Social Security numbers of nearly half a million voters.

“We needed to send a strong signal that we were doing everything we could to make sure that nothing like that happened again,” said Matt Dietrich, the public information officer at the Illinois State Board of Elections. Illinois is using part of its $13.2 million share to deploy a “cyber navigator” team to perform on-site risk assessments for local election officials.

Thirty states plan to use grant money to purchase new voting equipment, replacing voting machines that are often decades old. Six of those states — Alaska, Arkansas, Delaware, Louisiana, North Dakota and Pennsylvania — are expected to use all of their funds to replace voting equipment. The last time a new voting system was purchased in Alaska, for example, was in 1998.

Replacing voting equipment, however, is a costly endeavor that often takes years, and few states will make widespread improvements to their machinery before the midterms. “These machines are not something you can just go to Best Buy and fire up,” said Thomas Hicks, the chairman of the EAC. “It’s going to take time to build that infrastructure.”

In the lead-up to the 2016 election, hackers targeted election systems in 21 states and in a small number of cases successfully penetrated voter registration databases. Twenty-six states plan to use grant money to improve their voter registration systems.

Nevada, which is the state allocating the highest percentage of its funding — 65.4 percent — to voter registration systems, plans to implement multi-factor authentication and require training modules for local election officials. The state also plans to add a full-time position to work on implementing these goals.

North Carolina, which plans to spend a higher dollar amount than any other state, will be improving its voter registration system, dedicating more than $5 million to modernize its decentralized, decades-old statewide election information system by late 2019.

Twenty-one states plan to use some portion of the federal grant money to perform election audits, accounting for 5.1 percent of the funds. Oregon is spending the highest percentage of its funds — 52 percent — on election audits, according to an estimate from the EAC.

Depending on how elections are run, audits come in a variety of forms.

Connecticut plans to run forensic audits on all of its election vendors. Maryland plans to perform a software audit to validate the election results after the midterm election. Rhode Island plans to deploy a pilot “risk-limiting audit” for the upcoming election.

Election auditing remains an “evolving” field, Patrick said, and many of the states will follow Rhode Island’s lead in piloting audits.


Verizon Throttled Mobile Services Of First Responders Fighting California Wildfires

Verizon logo Fighting fires is difficult, dangerous work. Recently, that was made worse by an internet service provider (ISP). Ars Technica reported:

"Verizon Wireless' throttling of a fire department that uses its data services has been submitted as evidence in a lawsuit that seeks to reinstate federal net neutrality rules. "County Fire has experienced throttling by its ISP, Verizon," Santa Clara County Fire Chief Anthony Bowden wrote in a declaration. "This throttling has had a significant impact on our ability to provide emergency services. Verizon imposed these limitations despite being informed that throttling was actively impeding County Fire's ability to provide crisis-response and essential emergency services." Bowden's declaration was submitted in an addendum to a brief filed by 22 state attorneys general, the District of Columbia, Santa Clara County, Santa Clara County Central Fire Protection District, and the California Public Utilities Commission. The government agencies are seeking to overturn the recent repeal of net neutrality rules in a lawsuit they filed against the Federal Communications Commission in the US Court of Appeals for the District of Columbia Circuit."

Reportedly, Verizon replied with a statement that the throttling, "was a customer service error." Huh? This is how Verizon treats first-responders? This is how an ISP treats first-responders during a major emergency and natural disaster? The wildfires have claimed 12 deaths, destroyed at least 1,200 homes, and wiped out the state's emergency fund. Smoke from the massive wildfires has caused extensive pollution and health warnings in Northwest areas including Portland, Oregon and Seattle, Washington. The thick smoke could be seen from space.

Ars Technica reported in an August 21 update:

"Santa Clara County disputed Verizon's characterization of the problem in a press release last night. "Verizon's throttling has everything to do with net neutrality—it shows that the ISPs will act in their economic interests, even at the expense of public safety," County Counsel James Williams said on behalf of the county and fire department. "That is exactly what the Trump Administration's repeal of net neutrality allows and encourages." "

In 2017, President Trump appointed Ajit Pai, a former Verizon attorney, as Chairman of the U.S. Federal Communications Commission. Under Pai's leadership, the FCC revoked both online privacy and net neutrality protections for consumers. This gave ISPs the freedom to do as they want online while consumers lost two key freedoms: a) the freedom to control the data describing their activities online (which are collected and shared with others by ISPs), and b) freedom to use the internet bandwidth purchased as they choose.

If an ISP will throttle and abuse first-responders, think of what it will do to regular consumers. What are your opinions?


Wells Fargo Accidentally Foreclosed on Homeowners. 400 Customers Lost Their Homes

Earlier this week, Wells Fargo Bank admitted that it accidentally foreclosed on nearly 400 homeowners it shouldn't have due to a "software glitch." The San Francisco Business Times reported:

"Nearly 400 Wells Fargo customers lost their homes when they were accidentally foreclosed on after a software glitch denied them the ability to modify their mortgages as they sought federal aid, the bank disclosed in a regulatory filing... The bank apologized and has set aside $8 million to compensate those affected by the glitch, which occurred from 2010 to 2015... the software mistake miscalculated customers' eligibility for mortgage modifications. The error caused about 625 customers to be denied loan modifications they sought from a federal program to help homeowners avoid foreclosures."

The $8 million set aside is one small step towards rebuilding consumers' trust. It seems that the bank and its executives have a nasty habit of alleged wrongdoing that often results in fines and settlement agreements. Earlier this month, the U.S. Department of Justice announced a $2 billion settlement agreement where:

"... Wells Fargo Bank, N.A. and several of its affiliates (Wells Fargo) will pay a civil penalty of $2.09 billion under the Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (FIRREA) based on the bank’s alleged origination and sale of residential mortgage loans that it knew contained misstated income information and did not meet the quality that Wells Fargo represented. Investors, including federally insured financial institutions, suffered billions of dollars in losses from investing in residential mortgage-backed securities (RMBS) containing loans originated by Wells Fargo... The United States alleged that, in 2005, Wells Fargo began an initiative to double its production of subprime and Alt-A loans. As part of that initiative, Wells Fargo loosened its requirements for originating stated income loans – loans where a borrower simply states his or her income without providing any supporting income documentation... despite its knowledge that a substantial portion of its stated income loans contained misstated income, Wells Fargo failed to disclose this information, and instead reported to investors false debt-to-income ratios in connection with the loans it sold. Wells Fargo also allegedly heralded its fraud controls while failing to disclose the income discrepancies its controls had identified."

Sadly, there's plenty more. In April, federal regulators at the Consumer Financial Protection Bureau (CFPB) and the Office of the Comptroller of the Currency (OCC) assessed a $1 billion fine against the bank for violations of the, "Consumer Financial Protection Act (CFPA) in the way it administered a mandatory insurance program related to its auto loans..."

Since 2016, the bank paid a $185 million fine for alleged unlawful sales practices where its employees created phony accounts to game an internal sales compensation system. While the bank's CEO was let go and 5,300 workers were fired due to that scandal, bad behavior and poor executive decisions seem to continue.

In August of 2017, the results of an internal investigation of auto insurance policies sold from 2012 to 2016 found that thousands of the bank's customers were forced to buy unneeded and unwanted auto insurance.

The latest incident raises more questions:

  • How does a "software glitch" go undetected and unfixed for five years -- or longer?
  • Where were the quality assurance and software testing processes?
  • Why did post-implementation audits fail to detect the errors?
  • Were any employees reprimanded, demoted, or fired? And if none, why?
  • What specific changes are being implemented to prevent future software glitches?
  • How will the damaged credit histories of foreclosed homeowners be repaired?

Often, all or a portion of the settlement agreements are tax deductible. This both lessens the fines' impacts and shifts the burden to taxpayers. I hope that as regulators pursue solutions, tax-deductible settlements are not repeated. What are your opinions?


Lawmakers In California Cave To Industry Lobbying, And Backtrack With Weakened Net Neutrality Bill

After the U.S. Federal Communications Commission (FCC) acted last year to repeal net neutrality rules, those protections officially expired on June 11th. Meanwhile, legislators in California have acted to protect their state's residents. In January, State Senator Weiner introduced a proposed bill, which the California Senate passed three weeks ago.

Since then, some politicians have countered with a modified bill lacking strong protections. C/Net reported:

"The vote on Wednesday in a California Assembly committee hearing advanced a bill that implements some net neutrality protections, but it scaled back all the measures of the bill that had gone beyond the rules outlined in the Federal Communications Commission's 2015 regulation, which was officially taken off the books by the Trump Administration's commission last week. In a surprise move, the vote happened before the hearing officially started,..."

Weiner's original bill was considered the "gold standard" of net neutrality protections for consumers because:

"... it went beyond the FCC's 2015 net neutrality "bright line" rules by including provisions like a ban on zero-rating, a business practice that allows broadband providers like AT&T to exempt their own services from their monthly wireless data caps, while services from competitors are counted against those limits. The result is a market controlled by internet service providers like AT&T, who can shut out the competition by creating an economic disadvantage for those competitors through its wireless service plans."

State Senator Weiner summarized the modified legislation:

"It is, with the amendments, a fake net neutrality bill..."

A key supporter of the modified, weak bill was Assemblyman Miguel Santiago, a Democrat from Los Angeles. Motherboard reported:

"Spearheading the rushed dismantling of the promising law was Committee Chair Miguel Santiago, a routine recipient of AT&T campaign contributions. Santiago’s office failed to respond to numerous requests for comment from Motherboard and numerous other media outlets... Weiner told the San Francisco Chronicle that the AT&T fueled “evisceration” of his proposal was “decidedly unfair.” But that’s historically how AT&T, a company with an almost comical amount of control over state legislatures, tends to operate. The company has so much power in many states, it’s frequently allowed to quite literally write terrible state telecom law..."

Supporters of this weakened bill either forgot or ignored the results from a December 2017 study of 1,077 voters. Most consumers want net neutrality protections:

Do you favor or oppose the proposal to give ISPs the freedom to: a) provide websites the option to give their visitors the ability to download material at a higher speed, for a fee, while providing a slower speed for other websites; b) block access to certain websites; and c) charge their customers an extra fee to gain access to certain websites?
Group          Favor    Opposed    Refused/Don't Know
National       15.5%    82.9%      1.6%
Republicans    21.0%    75.4%      3.6%
Democrats      11.0%    88.5%      0.5%
Independents   14.0%    85.9%      0.1%

Why would politicians pursue weak net neutrality bills with few protections, while constituents want those protections? They are doing the bidding of the corporate internet service providers (ISPs) at the expense of their constituents. Profits before people. These politicians promote the freedom for ISPs to do as they please while restricting consumers' freedoms to use the bandwidth they've purchased however they please.

Broadcasting and Cable reported:

"These California democrats will go down in history as among the worst corporate shills that have ever held elected office," said Evan Greer of net neutrality activist group Fight for the Future. "Californians should rise up and demand that their Assembly members represent them. The actions of this committee are an attack not just on net neutrality, but on our democracy.” According to Greer, the vote passed 8-0, with Democrats joining Republicans to amend the bill."

According to C/Net, more than 24 states are considering net neutrality legislation to protect their residents:

"... New York, Connecticut, and Maryland, are also considering legislation to reinstate net neutrality rules. Oregon and Washington state have already signed their own net neutrality legislation into law. Governors in several states, including New Jersey and Montana, have signed executive orders requiring ISPs that do business with the state adhere to net neutrality principles."

So, we have AT&T (plus politicians more interested in corporate donors than their constituents, the FCC, President Trump, and probably other telecommunications companies) to thank for this mess. What do you think?


San Diego Police Widely Share Data From License Plate Database

Many police departments use automated license plate reader (ALPR or LPR) technology to monitor the movements of drivers and their vehicles. The surveillance has several implications beyond the extensive data collection.

The Voice of San Diego reported that the San Diego Police Department shares its database of ALPR data with many other agencies:

"SDPD shares that database with the San Diego sector of Border Patrol – and with another 600 agencies across the country, including other agencies within the Department of Homeland Security. The nationwide database is enabled by Vigilant Solutions, a private company that provides data management and software services to agencies across the country for ALPR systems... A memorandum of understanding between SDPD and Vigilant stipulates that each agency retains ownership of its data, and can take steps to determine who sees it. A Vigilant Solutions user manual spells out in detail how agencies can limit access to their data..."

San Diego's ALPR database is fed by a network of cameras which record images plus the date, time and GPS location of the cars that pass by them. So, the associated metadata for each database record probably includes the license plate number, license plate state, vehicle owner, GPS location, travel direction, date and time, road/street/highway name or number, and the LPR device ID number.

Information about San Diego's ALPR activities became public after a data request from the Electronic Frontier Foundation (EFF), a digital privacy organization. ALPRs are a popular tool, and were used in about 38 states in 2014. Typically, the surveillance collects data about both criminals and innocent drivers.

There are several valid applications: find stolen vehicles, find stolen license plates, find wanted vehicles (e.g., abductions), execute search warrants, find parolees, and find wanted parolees. Some ALPR devices are stationary (e.g., mounted on street lights), while others are mounted on (marked and unmarked) patrol cars. Both deployments scan moving vehicles, while the latter also facilitates the scanning of parked vehicles.

Earlier this year, the EFF issued hundreds of similar requests across the country to learn how law enforcement currently uses ALPR technology. The ALPR training manual for the Elk Grove, Illinois PD listed the data archival policies for several states: New Jersey - 5 years, Vermont - 18 months, Utah - 9 months, Minnesota - 48 hours, Arkansas - 150 days, New Hampshire - not allowed, and California - no set time. The document also stated that more than "50 million captures" are added each month to the Vigilant database. And, the Elk Grove PD seems to broadly share its ALPR data with other police departments and agencies.

The SDPD website includes a "License Plate Recognition: Procedures" document (Adobe PDF), dated May 2015, which describes its ALPR usage and policies:

"The legitimate law enforcement purposes of LPR systems include the following: 1) Locating stolen, wanted, or subject of investigation vehicles; 2) Locating witnesses and victims of a violent crime; 3) Locating missing or abducted children and at risk individuals.

LPR Strategies: 1) LPR equipped vehicles should be deployed as frequently as possible to maximize the utilization of the system; 2) Regular operation of LPR should be considered as a force multiplying extension of an officer’s regular patrol efforts to observe and detect vehicles of interest and specific wanted vehicles; 3) LPR may be legitimately used to collect data that is within public view, but should not be used to gather intelligence of First Amendment activities; 4) Reasonable suspicion or probable cause is not required for the operation of LPR equipment; 5) Use of LPR equipped cars to conduct license plate canvasses and grid searches is encouraged, particularly for major crimes or incidents as well as areas that are experiencing any type of crime series... LPR data will be retained for a period of one year from the time the LPR record was captured by the LPR device..."

The document does not describe its data security methods to protect this sensitive information from breaches, hacks, and unauthorized access. Perhaps most importantly, the 2015 SDPD document describes the data sharing policy:

"Law enforcement officers shall not share LPR data with commercial or private entities or individuals. However, law enforcement officers may disseminate LPR data to government entities with an authorized law enforcement or public safety purpose for access to such data."

However, the Voice of San Diego reported:

"A memorandum of understanding between SDPD and Vigilant stipulates that each agency retains ownership of its data, and can take steps to determine who sees it. A Vigilant Solutions user manual spells out in detail how agencies can limit access to their data... SDPD’s sharing doesn’t stop at Border Patrol. The list of agencies with near immediate access to the travel habits of San Diegans includes law enforcement partners you might expect, like the Carlsbad Police Department – with which SDPD has for years shared license plate reader data, through a countywide arrangement overseen by SANDAG – but also obscure agencies like the police department in Meigs, Georgia, population 1,038, and a private group that is not itself a police department, the Missouri Police Chiefs Association..."

So, the accuracy of the 2015 document is questionable, if it isn't already obsolete. Moreover, what's really critical are the data retention and sharing policies of Vigilant and the other agencies that receive the data.


Oakland Law Mandates 'Technology Impact Reports' By Local Government Agencies Before Purchasing Surveillance Equipment

Popular tools used by law enforcement include stingrays (fake cellular phone towers) and automated license plate readers (ALPRs) to track the movements of persons. Historically, these technologies have often been deployed without notice to track both the bad guys (e.g., criminals and suspects) and innocent citizens.

To better balance the privacy needs of citizens versus the surveillance needs of law enforcement, some areas are implementing new laws. The East Bay Times reported about a new law in Oakland:

"... introduced at Tuesday’s city council meeting, creates a public approval process for surveillance technologies used by the city. The rules also lay a groundwork for the City Council to decide whether the benefits of using the technology outweigh the cost to people’s privacy. Berkeley and Davis have passed similar ordinances this year.

However, Oakland’s ordinance is unlike any other in the nation in that it requires any city department that wants to purchase or use the surveillance technology to submit a "technology impact report" to the city’s Privacy Advisory Commission, creating a “standardized public format” for technologies to be evaluated and approved... city departments must also submit a “surveillance use policy” to the Privacy Advisory Commission for consideration. The approved policy must be adopted by the City Council before the equipment is to be used..."

Reportedly, the city council will review the ordinance a second time before final passage.

The Northern California chapter of the American Civil Liberties Union (ACLU) discussed the problem, the need for transparency, and legislative actions:

"Public safety in the digital era must include transparency and accountability... the ACLU of California and a diverse coalition of civil rights and civil liberties groups support SB 1186, a bill that helps restores power at the local level and makes sure local voices are heard... the use of surveillance technology harms all Californians and disparately harms people of color, immigrants, and political activists... The Oakland Police Department concentrated their use of license plate readers in low income and minority neighborhoods... Across the state, residents are fighting to take back ownership of their neighborhoods... Earlier this year, Alameda, Culver City, and San Pablo rejected license plate reader proposals after hearing about the Immigration & Customs Enforcement (ICE) data [sharing] deal. Communities are enacting ordinances that require transparency, oversight, and accountability for all surveillance technologies. In 2016, Santa Clara County, California passed a groundbreaking ordinance that has been used to scrutinize multiple surveillance technologies in the past year... SB 1186 helps enhance public safety by safeguarding local power and ensuring transparency, accountability... SB 1186 covers the broad array of surveillance technologies used by police, including drones, social media surveillance software, and automated license plate readers. The bill also anticipates – and covers – AI-powered predictive policing systems on the rise today... Without oversight, the sensitive information collected by local governments about our private lives feeds databases that are ripe for abuse by the federal government. This is not a hypothetical threat – earlier this year, ICE announced it had obtained access to a nationwide database of location information collected using license plate readers – potentially sweeping in the 100+ California communities that use this technology. 
Many residents may not be aware their localities also share their information with fusion centers, federal-state intelligence warehouses that collect and disseminate surveillance data from all levels of government.

Statewide legislation can build on the nationwide Community Control Over Police Surveillance (CCOPS) movement, a reform effort spearheaded by 17 organizations, including the ACLU, that puts local residents and elected officials in charge of decisions about surveillance technology. If passed in its current form, SB 1186 would help protect Californians from intrusive, discriminatory, and unaccountable deployment of law enforcement surveillance technology."

Is there similar legislation in your state?


Securities & Exchange Commission Charges Former Equifax Executive With Insider Trading

Last week, the U.S. Securities and Exchange Commission (SEC) charged a former Equifax executive with insider trading. While an employee, Jun Ying allegedly used confidential information to dump stock and avoid losses before Equifax announced its massive data breach in September, 2017.

The SEC announced on March 14th that it had:

"... charged a former chief information officer of a U.S. business unit of Equifax with insider trading in advance of the company’s September 2017 announcement about a massive data breach that exposed the social security numbers and other personal information of about 148 million U.S. customers... The SEC’s complaint charges Ying with violating the antifraud provisions of the federal securities laws and seeks disgorgement of ill-gotten gains plus interest, penalties, and injunctive relief... According to the SEC’s complaint, Jun Ying, who was next in line to be the company’s global CIO, allegedly used confidential information entrusted to him by the company to conclude that Equifax had suffered a serious breach. The SEC alleges that before Equifax’s public disclosure of the data breach, Ying exercised all of his vested Equifax stock options and then sold the shares, reaping proceeds of nearly $1 million. According to the complaint, by selling before public disclosure of the data breach, Ying avoided more than $117,000 in losses... The U.S. Attorney’s Office for the Northern District of Georgia today announced parallel criminal charges against Ying."

The massive data breach affected about 143 million persons. Equifax announced in March, 2018 that even more people were affected than originally estimated in its September, 2017 announcement.

MarketWatch reported that Ying:

"... found out about the breach on Friday afternoon, August 25, 2017... The SEC complaint says that Ying’s internet browsing history shows he learned that Experian’s stock price had dropped approximately 4% after the public announcement of [a prior 2015] Experian breach. Later Monday morning, Ying exercised all of his available stock options for 6,815 shares of Equifax stock that he immediately sold for over $950,000, and a gain of over $480,000... on Aug. 30, the global CIO for Equifax officially told Ying that it was Equifax that had been breached. One of the company’s attorneys, unaware that Ying had already traded on the information, told Ying that the news about the breach was confidential, should not be shared with anyone, and that Ying should not trade in Equifax securities. According to the SEC complaint, Ying did not volunteer the fact that he had exercised and sold all of his vested Equifax options two days before. Equifax finally announced the breach on Sept. 7, and Equifax common stock closed at $123.23 the next day, a drop of $19.49 or nearly 14%..."


Report: Little Progress Since 2016 To Replace Old, Vulnerable Voting Machines In United States

We've known for some time that a sizeable portion of voting machines in the United States are vulnerable to hacking and errors. Too many states, cities, and towns use antiquated equipment or equipment without paper backups. The latter makes recounts impossible.

Has any progress been made to fix the vulnerabilities? The Brennan Center For Justice (BCJ) reported:

"... despite manifold warnings about election hacking for the past two years, the country has made remarkably little progress since the 2016 election in replacing antiquated, vulnerable voting machines — and has done even less to ensure that our country can recover from a successful cyberattack against those machines."

It is important to remember this warning in January 2017 from the Director of National Intelligence (DNI):

"Russian efforts to influence the 2016 US presidential election represent the most recent expression of Moscow’s longstanding desire to undermine the US-led liberal democratic order, but these activities demonstrated a significant escalation in directness, level of activity, and scope of effort compared to previous operations. We assess Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election. Russia’s goals were to undermine public faith in the US democratic process... Russian intelligence accessed elements of multiple state or local electoral boards. Since early 2014, Russian intelligence has researched US electoral processes and related technology and equipment. DHS assesses that the types of systems we observed Russian actors targeting or compromising are not involved in vote tallying... We assess Moscow will apply lessons learned from its Putin-ordered campaign aimed at the US presidential election to future influence efforts worldwide, including against US allies and their election processes... "

Detailed findings in the BCJ report about the lack of progress:

  1. "This year, most states will use computerized voting machines that are at least 10 years old, and which election officials say must be replaced before 2020.
    While the lifespan of any electronic voting machine varies, systems over a decade old are far more likely to need to be replaced, for both security and reliability reasons... older machines are more likely to use outdated software like Windows 2000. Using obsolete software poses serious security risks: vendors may no longer write security patches for it; jurisdictions cannot replace critical hardware that is failing because it is incompatible with their new, more secure hardware... In 2016, jurisdictions in 44 states used voting machines that were at least a decade old. Election officials in 31 of those states said they needed to replace that equipment by 2020... This year, 41 states will be using systems that are at least a decade old, and officials in 33 say they must replace their machines by 2020. In most cases, elections officials do not yet have adequate funds to do so..."
  2. "Since 2016, only one state has replaced its paperless electronic voting machines statewide.
    Security experts have long warned about the dangers of continuing to use paperless electronic voting machines. These machines do not produce a paper record that can be reviewed by the voter, and they do not allow election officials and the public to confirm electronic vote totals. Therefore, votes cast on them could be lost or changed without notice... In 2016, 14 states (Arkansas, Delaware, Georgia, Indiana, Kansas, Kentucky, Louisiana, Mississippi, New Jersey, Pennsylvania, South Carolina, Tennessee, Texas, and Virginia) used paperless electronic machines as the primary polling place equipment in at least some counties and towns. Five of these states used paperless machines statewide. By 2018 these numbers have barely changed: 13 states will still use paperless voting machines, and 5 will continue to use such systems statewide. Only Virginia decertified and replaced all of its paperless systems..."
  3. "Only three states mandate post-election audits to provide a high level of confidence in the accuracy of the final vote tally.
    Paper records of votes have limited value against a cyberattack if they are not used to check the accuracy of the software-generated total to confirm the veracity of election results. In the last few years, statisticians, cybersecurity professionals, and election experts have made substantial advances in developing techniques to use post-election audits of voter verified paper records to identify a computer error or fraud that could change the outcome of a contest... Specifically, “risk limiting audits” — a process that employs statistical models to consistently provide a high level of confidence in the accuracy of the final vote tally – are now considered the “gold standard” of post-election audits by experts... Despite this fact, risk limiting audits are required in only three states: Colorado, New Mexico, and Rhode Island. While 13 state legislatures are currently considering new post-election audit bills, since the 2016 election, only one — Rhode Island — has enacted a new risk limiting audit requirement."
  4. "43 states are using machines that are no longer manufactured.
    The problem of maintaining secure and reliable voting machines is particularly challenging in the many jurisdictions that use machines models that are no longer produced. In 2015... the Brennan Center estimated that 43 states and the District of Columbia were using machines that are no longer manufactured. In 2018, that number has not changed. A primary challenge of using machines no longer manufactured is finding replacement parts and the technicians who can repair them. These difficulties make systems less reliable and secure... In a recent interview with the Brennan Center, Neal Kelley, registrar of voters for Orange County, California, explained that after years of cannibalizing old machines and hoarding spare parts, he is now forced to take systems out of service when they fail..."

That is embarrassing for a country that prides itself on having an effective democracy. According to BCJ, the solution would be for Congress to fund via grants the replacement of paperless and antiquated equipment; plus fund post-election audits.

Rather than protect the integrity of our democracy, the government passed a massive tax cut which will increase federal deficits during the coming years while pursuing both a costly military parade and an unfunded border wall. Seems like questionable priorities to me. What do you think?


Citigroup Promises To Close Pay Gaps For Female And Minority Workers

USA Today reported that Citigroup:

"... will boost job compensation for women and minorities in a bid to close pay gaps in the U.S., United Kingdom, and Germany, becoming the first U.S. bank to respond to shareholder pressure about the inequalities. The New York-based financial company announced the effort Monday, saying it came after a Citigroup compensation assessment in the three countries found that women on average were paid 99% of what men got and minorities on average received 99% of what non-minorities were paid... Citigroup's action prompted investment advisory company Arjuna Capital to withdraw the 2018 gender pay shareholder proposal it had filed in an effort to force an investor vote that would require the bank to address pay inequality."

So, the bank made changes only after a major investor forced it to. The news report cited other banks:

"No other U.S. bank has taken similar action, Arjuna said. Along with Citigroup, Arjuna said it had filed gender pay shareholder proposals this year with U.S. banks JPMorgan Chase, Wells Fargo, Bank of America and Bank of New York Mellon. The investment adviser said it had filed similar proposals with American Express, Mastercard, Reinsurance Group, and Progressive Insurance. If approved by shareholders, the proposals would require the companies to publish their policies and goals to reduce gender pay gaps."

JP Morgan Chase promised in 2016 to raise the pay of 18,000 tellers and branch workers. It seems that the banking industry, kicking and screaming, has been forced to confront its pay-gap issues for employees. What do you think?