Vancouver, Canada Welcomed The 'Tesla Of The Cruise Industry.' Ports In France Consider Bans For Certain Cruise Ships

For drivers concerned about the environment and pollution, the automobile industry has offered hybrids (which run on gasoline and electric battery power) and completely electric vehicles (which run solely on electric battery power). The same technology trend is underway within the cruise industry.

On September 26, the Port of Vancouver welcomed the MS Roald Amundsen. Some call this cruise ship the "Tesla of the cruise industry." The International Business Times explained:

"MS Roald Amundsen can be called Tesla of the cruise industry as it is similar to the electrically powered Tesla car that set off a revolution in the auto sector by running on batteries... The state of the art ship was unveiled earlier this year by Scandinavian cruise operator Hurtigruten. The cruise ship is one of the most sustainable cruise vessels with the distinction of being one of the two hybrid-electric cruise ships in the world. MS Roald Amundsen utilizes hybrid technology to save fuel and reduce carbon dioxide emissions by 20 percent."

With 15 cruise ships, Hurtigruten offers sailings to Norway, Iceland, Alaska, Arctic, Antarctica, Europe, South America, and more. Named after the first man to cross Antarctica and reach the South Pole, the MS Roald Amundsen carries about 530 passengers.

[Image: View of solar panels on the Celebrity Solstice cruise ship in March, 2019.]

While some cruise ships already use onboard solar panels to reduce fuel consumption, this is the first hybrid-electric cruise ship. It is an important step forward to prove that large ships can be powered in this manner.

Several ships in Royal Caribbean Cruise Line's fleet, including the Oasis of the Seas, have been outfitted with solar panels. The image on the right provides a view of the solar panels on the Celebrity Solstice cruise ship, while it was docked in Auckland, New Zealand in March, 2019. The panels are small and let sunlight through.

The Vancouver Is Awesome site explained why the city gave the MS Roald Amundsen special attention:

"... the Vancouver Fraser Port Authority, the federal agency responsible for the stewardship of the port, has set its vision to be the world’s most sustainable port. As a part of this vision, the port authority works to ensure the highest level of environmental protection is met in and around the Port of Vancouver. This commitment resulted in the port authority being the first in Canada and third in the world to offer shore power, an emissions-reducing initiative, for cruise ships. That said, a shared commitment to sustainability isn’t the only thing Hurtigruten has in common with our awesome city... The hybrid-electric battery used in the MS Roald Amundsen was created by Vancouver company, Corvus Energy."

Reportedly, the MS Roald Amundsen can operate for brief periods of time only on battery power, resulting in zero fuel usage and zero emissions. The Port of Vancouver's website explains its Approach to Sustainability policy:

"We are on a journey to meet our vision to become the world’s most sustainable port. In 2010 we embarked on a two-year scenario planning process with stakeholders called Port 2050, to improve our understanding of what the region may look like in the future... We believe a sustainable port delivers economic prosperity through trade, maintains a healthy environment, and enables thriving communities, through meaningful dialogue, shared aspirations and collective accountability. Our definition of sustainability includes 10 areas of focus and 22 statements of success..."

I encourage everyone to read the Port of Vancouver's 22 statements of success for a healthy environment and sustainable port. Selected statements from that list:

"Healthy ecosystems:
8) Takes a holistic approach to protecting and improving air, land and water quality to promote biodiversity and human health
9) Champions coordinated management programs to protect habitats and species.
Climate action:
10) Is a leader among ports in energy conservation and alternative energy to minimize greenhouse gas emissions..."

"Responsible practices:
12) Improves the environmental, social and economic performance of infrastructure through design, construction and operational practices
13) Supports responsible practices throughout the global supply chain..."

"Aboriginal relationships:
18) Respects First Nations’ traditional territories and values traditional knowledge
19) Embraces and celebrates Aboriginal culture and history
20) Understands and considers contemporary interests and aspirations..."

In separate but related news, government officials in the French Riviera city of Cannes are considering a ban of cruise ships to curb pollution. The Travel Pulse site reported:

"The ban would apply to passenger vessels that do not meet a 0.1 percent sulfur cap in their fuel emissions. Any cruise ship that attempted to enter the port that did not meet the higher standards would be turned away without allowing passengers to disembark."

During 2018, about 370,000 cruise ship passengers visited Cannes, making it the fourth busiest port in France. Officials are concerned about pollution. Other European ports are considering similar bans:

"Another French city, Saint-Raphael, has also instituted similar rules to curb the pollution of the water and air around the city. Other European ports such as Santorini and Venice have also cited cruise ships as a significant cause of over-tourism across the region."

If you live and/or work in a port city, it seems worthwhile to ask your local government or port authority what it is doing about sustainability and pollution. The video below explains some of the features in this new "expedition ship" with itineraries and activities that focus upon science:

Video courtesy of Hurtigruten

[Editor's note: this post was updated to include a photo of solar panels on the Celebrity Solstice cruise ship.]

Google To EU Regulators: No One Country Should Censor The Web Globally. Poll Finds Canadians Support 'Right To Be Forgotten'

For those watching privacy legislation in Europe, MediaPost reported:

"... Maciej Szpunar, an advisor to the highest court in the EU, sided with Google in the fight, arguing that the right to be forgotten should only be enforceable in Europe -- not the entire world. The opinion is non-binding, but seen as likely to be followed."

For those unfamiliar, in the European Union (EU) the right to be forgotten:

"... was created in 2014, when EU judges ruled that Google (and other search engines) must remove links to embarrassing information about Europeans at their request... The right to be forgotten doesn't exist in the United States... Google interpreted the EU's ruling as requiring removal of links to material in search engines designed for European countries but not from its worldwide search results... In 2015, French regulators rejected Google's position and ordered the company to remove material from all of its results pages. Google then asked Europe's highest court to reject that view. The company argues that no one country should be able to censor the web internationally."

No one corporation should be able to censor the web globally, either. Meanwhile, Radio Canada International reported:

"A new poll shows a slim majority of Canadians agree with the concept known as the “right to be forgotten online.” This means the right to have outdated, inaccurate, or no longer relevant information about yourself removed from search engine results. The poll by the Angus Reid Institute found 51 percent of Canadians agree that people should have the right to be forgotten..."

Consumers should have control over their information. If that control is limited to only the country of their residence, then the global nature of the internet means that control is very limited -- and probably irrelevant. What are your opinions?

Facebook’s Experiment in Ad Transparency Is Like Playing Hide And Seek

[Editor's note: today's guest post, by the reporters at ProPublica, explores a new global program Facebook introduced in Canada. It is reprinted with permission.]

By Jennifer Valentino-DeVries, ProPublica

Shortly before a Toronto City Council vote in December on whether to tighten regulation of short-term rental companies, an entity called Airbnb Citizen ran an ad on the Facebook news feeds of a selected audience, including Toronto residents over the age of 26 who listen to Canadian public radio. The ad featured a photo of a laughing couple from downtown Toronto, with the caption, “Airbnb hosts from the many wards of Toronto raise their voices in support of home sharing. Will you?”

Placed by an interested party to influence a political debate, this is exactly the sort of ad on Facebook that has attracted intense scrutiny. Facebook has acknowledged that a group with ties to the Russian government placed more than 3,000 such ads to influence voters during the 2016 U.S. presidential campaign.

Facebook has also said it plans to avoid a repeat of the Russia fiasco by improving transparency. An approach it’s rolling out in Canada now, and plans to expand to other countries this summer, enables Facebook users outside an advertiser’s targeted audience to see ads. The hope is that enhanced scrutiny will keep advertisers honest and make it easier to detect foreign interference in politics. So we used a remote connection, called a virtual private network, to log into Facebook from Canada and see how this experiment is working.

The answer: It’s an improvement, but nowhere near the openness sought by critics who say online political advertising is a Wild West compared with the tightly regulated worlds of print and broadcast.

The new strategy — which Facebook announced in October, just days before a U.S. Senate hearing on the Russian online manipulation efforts — requires every advertiser to have a Facebook page. Whenever the advertiser is running an ad, the post is automatically placed in a new “Ads” section of the Facebook page, where any users in Canada can view it even if they aren’t part of the intended audience.

Facebook has said that the Canada experiment, which has been running since late October, is the first step toward a more robust setup that will let users know which group or company placed an ad and what other ads it’s running. “Transparency helps everyone, especially political watchdog groups and reporters, keep advertisers accountable for who they say they are and what they say to different groups,” Rob Goldman, Facebook’s vice president of ads, wrote before the launch.

While the new approach makes ads more accessible, they’re only available temporarily, can be hard to find, and can still mislead users about the advertiser’s identity, according to ProPublica’s review. The Airbnb Citizen ad — which we discovered via a ProPublica tool called the Political Ad Collector — is a case in point. Airbnb Citizen professed on its Facebook page to be a “community of hosts, guests and other believers in the power of home sharing to help tackle economic, environmental and social challenges around the world.” Its Facebook page didn’t mention that it is actually a marketing and public policy arm of Airbnb, a for-profit company.

The ad was part of an effort by the company to drum up support as it fought rental restrictions in Toronto. “These ads were one of the many ways that we engaged in the process before the vote,” Airbnb said. However, anyone who looked on Airbnb’s own Facebook page wouldn’t have found it.

Airbnb told ProPublica that it is clear about its connection to Airbnb Citizen. Airbnb’s webpage links to Airbnb Citizen’s webpage, and Airbnb Citizen’s webpage is copyrighted by Airbnb and uses part of the Airbnb logo. Airbnb said Airbnb Citizen provides information on local home-sharing rules to people who rent out their homes through Airbnb. “Airbnb has always been transparent about our advertising and public engagement efforts,” the statement said.

Political parties in Canada are already benefiting from the test to investigate ads from rival groups, said Nader Mohamed, digital director of Canada’s New Democratic Party, which has the third largest representation in Canada’s Parliament. “You’re going to be more careful with what you put out now, because you could get called on it at any time,” he said. Mohamed said he still expects heavy spending on digital advertising in upcoming campaigns.

After launching the test, Facebook demonstrated its new process to Elections Canada, the independent agency responsible for conducting federal elections there. Elections Canada recommended adding an archive function, so that ads no longer running could still be viewed, said Melanie Wise, the agency’s assistant director for media relations and issues management. The initiative is “helpful” but should go further, Wise said.

Some experts were more critical. Facebook’s new test is “useless,” said Ben Scott, a senior advisor at the think tank New America and a fellow at the Brookfield Institute for Innovation + Entrepreneurship in Toronto who specializes in technology policy. “If an advertiser is inclined to do something unethical, this level of disclosure is not going to stop them. You would have to have an army of people checking pages constantly.”

More effective ways of policing ads, several experts said, might involve making more information about advertisers and their targeting strategies readily available to users from links on ads and in permanent archives. But such tactics could alienate advertisers reluctant to share information with competitors, cutting into Facebook’s revenue. Instead, in Canada, Facebook automatically puts ads up on the advertiser’s Facebook page, and doesn’t indicate the target audience there.

Facebook’s test represents the least the company can do and still avoid stricter regulation on political ads, particularly in the U.S., said Mark Surman, a Toronto resident and executive director of Mozilla, a nonprofit Internet advocacy group that makes the Firefox web browser. “There are lots of people in the company who are trying to do good work. But it’s obvious if you’re Facebook that you’re trying not to get into a long conversation with Congress,” Surman said.

Facebook said it’s listening to its critics. “We’re talking to advertisers, industry folks and watchdog groups and are taking this kind of feedback seriously,” Rob Leathern, Facebook director of product management for ads, said in an email. “We look forward to continue working with lawmakers on the right solution, but we also aren’t waiting for legislation to start getting solutions in place,” he added. The company declined to provide data on how many people in Canada were using the test tools.

Facebook is not the only internet company facing questions about transparency in advertising. Twitter also pledged in October before the Senate hearing that “in the coming weeks” it would build a platform that would “offer everyone visibility into who is advertising on Twitter, details behind those ads, and tools to share your feedback.” So far, nothing has been launched.

Facebook has more than 23 million monthly users in Canada, according to the company. That’s more than 60 percent of Canada’s population but only about 1 percent of Facebook’s user base. The company has said it is launching its new ad-transparency plan in Canada because it already has a program there called the Canadian Election Integrity Initiative. That initiative was in response to a Canadian federal government report, “Cyber Threats to Canada’s Democratic Process,” which warned that “multiple hacktivist groups will very likely deploy cyber capabilities in an attempt to influence the democratic process during the 2019 federal election.” The election integrity plan promotes news literacy and offers a guide for politicians and political parties to avoid getting hacked.

Compared to the U.S., Canada’s laws allow for much stricter government regulation of political advertising, said Michael Pal, a law professor at the University of Ottawa. He said Facebook’s transparency initiative was a good first step but that he saw the extension of strong campaign rules into internet advertising as inevitable in Canada. “This is the sort of question that, in Canada, is going to be handled by regulation,” Pal said.

Several Canadian technology policy experts who spoke with ProPublica said Facebook’s new system was too inconvenient for the average user. There’s no central place where people can search the millions of ads on Facebook to see what ads are running about a certain subject, so unless users are part of the target audience, they wouldn’t necessarily know that a group is even running an ad. If users somehow hear about an ad or simply want to check whether a company or group is running one, they must first navigate to the group’s Facebook page and then click a small tab on the side labeled “Ads” that runs alongside other tabs such as “Videos” and “Community.” Once the user clicks the “Ads” tab, a page opens showing every ad that the page owner is running at that time, one after another.

The group’s Facebook page isn’t always linked from the text of the ad. If it isn’t, users can still find the Facebook page by navigating to the “Why am I seeing this?” link in a drop-down menu at the top right of each ad in their news feed.

As soon as a marketing campaign is over, an ad can no longer be found on the “Ads” page at all. When ProPublica checked the Airbnb Citizen Facebook page a week after collecting the ad, it was no longer there.

Because the “Ads” page also doesn’t disclose the demographics of the advertiser’s target audience, people can only see that data on ads that were aimed at them and were on their own Facebook news feed. Without this information, people outside an ad’s selected audience can’t see to whom companies or politicians are tailoring their messages. ProPublica reported last year that dozens of major companies directed recruitment ads on Facebook only to younger people — information that would likely interest older workers, but would still be concealed from them under the new policy. One recent ad by Prime Minister Justin Trudeau was directed at “people who may be similar to” his supporters, according to the Political Ad Collector data. Under the new system, people who don’t support Trudeau could see the ad on his Facebook page, but wouldn’t know why it was excluded from their news feeds.

Facebook has promised new measures to make political ads more accessible. When it expands the initiative to the U.S., it will start building a searchable electronic archive of ads related to U.S. federal elections. This archive will include details on the amount of money spent and demographic information about the people the ads reached. Facebook will initially limit its definition of political ads to those that “refer to or discuss a political figure” in a federal election, the company said.

The company hasn’t said what, if any, archive will be created for ads for state and local contests, or for political ads in other countries. It has said it will eventually require political advertisers in other countries, and in state elections in the U.S., to provide more documentation, but it’s not clear when that will happen.

Ads that aren’t political will be available under the same system being tested in Canada now.

Even an archive of the sort Facebook envisions wouldn’t solve the problems of misleading advertising on Facebook, Surman said. “It would be interesting to journalists and researchers trying to track this issue. But it won’t help users make informed choices about what ads they see,” he said. That’s because users need more information alongside the ads they are seeing on their news feeds, not in a separate location, he said.

The Airbnb Citizen ad wasn’t the only tactic that Airbnb adopted in an apparent attempt to sway the Toronto City Council. It also packed the council galleries with supporters on the morning of the vote, according to The Globe and Mail. Still, its efforts appear to have been unsuccessful.

On Dec. 6, two days after a reader sent us the ad, the City Council voted to keep people from renting a space that wasn’t their primary residence and stop homeowners from listing units such as basement apartments.

ProPublica is a Pulitzer Prize-winning investigative newsroom.

Mystery Package Scam Operating on Amazon Site. What It Is, The Implications, And Advice For Victims

Last fall, a couple living in a Boston suburb started receiving packages they didn't order from Amazon, the popular online retailer. The Boston Globe reported that the couple living in Acton, Massachusetts:

"... contacted Amazon, only to be told that the merchandise was paid for with a gift card. No sender’s name, no address. While they’ve never been charged for anything, they fear they are being used in a scam... The first package from Amazon landed on Mike and Kelly Gallivan’s front porch in October. And they have continued to arrive, packed with plastic fans, phone chargers, and other cheap stuff, at a rate of one or two a week."

The packages were delivered to the intended recipient. Nobody knows who sent the items: wireless chargers, a high-intensity flashlight, a Bluetooth speaker, a computer vacuum cleaner, LED tent lamps, USB cables, and more. After receiving 25 packages since October, the couple now wants it to stop. What seemed funny at first is now a nuisance.

The Gallivans are not alone. CBC News reported that students at several universities in Canada have also received mystery packages containing a variety of items they didn't order:

"The items come in Amazon packaging, but there's no indication who's ordering the goods from the online retail giant. "We're definitely confused by it," said Shawn Wiskar, University of Regina Students' Union vice-president of student affairs. His student union has received about 15 anonymous packages from Amazon since late November, many of which contained multiple items. Products sent so far include iPad cases, a kitchen scale and a "fleshlight" — a male sex toy in the shape of a flashlight... Six other university student unions — Dalhousie in Halifax; St. Francis Xavier in Antigonish (Nova Scotia); Ryerson in Toronto; Wilfrid Laurier in Waterloo, Ontario; Royal Roads in Victoria; and the University of Manitoba in Winnipeg — have also confirmed that they've been receiving mysterious Amazon packages since the fall."

Experts speculate that the mystery packages were sent by fraudsters trying to game the retailer's review system. Consumers buy products on Amazon.com either directly from the retailer or from independent sellers listed on the site. The Boston Globe explained:

"Here’s how two experts who used to work for Amazon, James Thomson and Chris McCabe, say it probably works: A seller trying to prop up a product would set up a phony e-mail account that would be used to establish an Amazon account. Then the seller would purchase merchandise with a gift card — no identifying information there — and send it to a random person, in this case the Gallivans. Then, the phantom seller, who controls the “buyer’s” e-mail account, writes glowing reviews of the product, thus boosting the Amazon ranking of the product."

If true, then there probably are a significant number of bogus reviews on the Amazon site. The Boston Globe's news item also suggested that a data breach within a seller's firm might have provided scammers with valid mailing addresses:

"How did Mike, to whom the packages are addressed, get drawn into this? On occasion he’s ordered stuff on Amazon and received it directly from a manufacturer, once from China. That manufacturer or some affiliate may have scooped Mike’s name and address."

If true, then that highlights the downside of offshore outsourcing, where other countries don't mandate data breach disclosures. Earlier in 2017, a resident of Queens in New York City received packages with products she didn't order:

"... All she knows is that the sender is some guy named Kevin who uses Amazon gift cards... And she’s reported the packages to the NYPD, the FBI and the Better Business Bureau since Amazon hasn’t made the deliveries stop."

In that news report, a security expert speculated that criminals were testing stolen debit- and gift-card numbers. Did a seller have a data breach which went unreported? Lots of questions and few answers.

Security experts advise consumers to report packages they didn't order to law enforcement and various agencies, as the Queens resident did. Ultimately, her deliveries stopped, but not for the Gallivans.

Amazon has been unable to identify the perpetrators. At press time, a search of Amazon's Help and Customer Service site section failed to find content helping consumers victimized by this scam.

Perhaps, it is time for law enforcement and the U.S. Federal Trade Commission to step in. Regardless, we consumers will probably hear more news in the future about this scam.

Experts Call For Ban of Killer Robotic Weapons

116 robotics and artificial intelligence experts from 26 countries sent a letter to the United Nations (UN) warning against the deployment of lethal autonomous weapons. The Guardian reported:

"The UN recently voted to begin formal discussions on such weapons which include drones, tanks and automated machine guns... In their letter, the [experts] warn the review conference of the convention on conventional weapons that this arms race threatens to usher in the “third revolution in warfare” after gunpowder and nuclear arms... The letter, launching at the opening of the International Joint Conference on Artificial Intelligence (IJCAI) in Melbourne on Monday, has the backing of high-profile figures in the robotics field and strongly stresses the need for urgent action..."

The letter stated in part:

"Once developed, lethal autonomous weapons will permit armed conflict to be fought at a scale greater than ever, and at timescales faster than humans can comprehend. These can be weapons of terror, weapons that despots and terrorists use against innocent populations, and weapons hacked to behave in undesirable ways."

"We do not have long to act. Once this Pandora’s box is opened, it will be hard to close."

This is not science fiction. Autonomous weapons are already deployed:

"Samsung’s SGR-A1 sentry gun, which is reportedly technically capable of firing autonomously but is disputed whether it is deployed as such, is in use along the South Korean border of the 2.5m-wide Korean Demilitarized Zone. The fixed-place sentry gun, developed on behalf of the South Korean government, was the first of its kind with an autonomous system capable of performing surveillance, voice-recognition, tracking and firing with mounted machine gun or grenade launcher... The UK’s Taranis drone, in development by BAE Systems, is intended to be capable of carrying air-to-air and air-to-ground ordnance intercontinentally and incorporating full autonomy..."

Ban, indeed. Your thoughts? Opinions? Reaction?

Maker Of Smart Vibrators To Pay $3.75 Million To Settle Privacy Lawsuit

Today's smart homes contain a variety of internet-connected appliances -- televisions, utility meters, hot water heaters, thermostats, refrigerators, security systems -- and devices you might not expect to have WiFi connections: mouse traps, wine bottles, crock pots, toy dolls, and trash/recycle bins. Add smart vibrators to the list.

We-Vibe, a maker of vibrators for better sex, will pay U.S. $3.75 million to settle a class action lawsuit involving allegations that the company tracked users without their knowledge or consent. The Guardian reported:

"Following a class-action lawsuit in an Illinois federal court, We-Vibe’s parent company Standard Innovation has been ordered to pay a total of C$4m to owners, with those who used the vibrators associated app entitled to the full amount each. Those who simply bought the vibrator can claim up to $199... the app came with a number of security and privacy vulnerabilities... The app that controls the vibrator is barely secured, allowing anyone within bluetooth range to seize control of the device. In addition, data is collected and sent back to Standard Innovation, letting the company know about the temperature of the device and the vibration intensity – which, combined, reveal intimate information about the user’s sexual habits..."

We-Vibe's products are available online at the Canadian company's online store and at Amazon. This YouTube video (warning: not safe for work) promotes the company's devices. Consumers can use the smart vibrator with or without the mobile app on their smartphones. The app is available at both the Apple iTunes and Google Play online stores.

As with any other digital device, security matters. C/Net reported last summer:

"... two security researchers who go by the names followr and g0ldfisk found flaws in the software that controls the [We-Vibe 4Plus] device. It could potentially let a hacker take over the vibrator while it's in use. But that's -- at this point -- only theoretical. What the researchers found more concerning was the device's use of personal data. Standard Innovation collects information on the temperature of the device and the intensity at which it's vibrating, in real time, the researchers found..."

In the September 2016 complaint (Adobe PDF; 601 K bytes), the plaintiffs sought to stop Standard Innovation from "monitoring, collecting, and transmitting consumers’ usage information," collect damages due to the alleged unauthorized data collection and privacy violations, and reimburse users for their purchase of their We-Vibe devices (because a personal vibrator with this alleged data collection is worth less than a personal vibrator without data collection). That complaint alleged:

"Unbeknownst to its customers, however, Defendant designed We-Connect to (i) collect and record highly intimate and sensitive data regarding consumers’ personal We-Vibe use, including the date and time of each use and the selected vibration settings, and (ii) transmit such usage data — along with the user’s personal email address — to its servers in Canada... By design, the defining feature of the We-Vibe device is the ability to remotely control it through We-Connect. Defendant requires customers to use We-Connect to fully access the We-Vibe’s features and functions. Yet, Defendant fails to notify or warn customers that We-Connect monitors and records, in real time, how they use the device. Nor does Defendant disclose that it transmits the collected private usage information to its servers in Canada... Defendant programmed We-Connect to secretly collect intimate details about its customers’ use of the We-Vibe, including the date and time of each use, the vibration intensity level selected by the user, the vibration mode or patterns selected by the user, and incredibly, the email address of We-Vibe customers who had registered with the App, allowing Defendant to link the usage information to specific customer accounts... In addition, Defendant designed We-Connect to surreptitiously route information from the “connect lover” feature to its servers. For instance, when partners use the “connect lover” feature and one takes remote control of the We-Vibe device or sends a [text or video chat] communication, We-Connect causes all of the information to be routed to its servers, and then collects, at a minimum, certain information about the We-Vibe, including its temperature and battery life. That is, despite promising to create “a secure connection between your smartphones,” Defendant causes all communications to be routed through its servers..."

The We-Vibe Nova product page lists ten different vibration modes (e.g., Crest, Pulse, Wave, Echo, Cha-cha-cha, etc.), or users can create their own custom modes. The settlement agreement defined two groups of affected consumers:

"... the proposed Purchaser Class, consisting of: all individuals in the United States who purchased a Bluetooth-enabled We-Vibe Brand Product before September 26, 2016. As provided in the Settlement Agreement, “We-Vibe Brand Product” means the “We-Vibe® Classic; We-Vibe® 4 Plus; We-Vibe® 4 Plus App Only; Rave by We-Vibe™ and Nova by We-Vibe™... the proposed App Class, consisting of: all individuals in the United States who downloaded the We-Connect application and used it to control a We-Vibe Brand Product before September 26, 2016."

According to the settlement agreement, affected users will be notified via their e-mail addresses, with notices in the We-Connect mobile app, a settlement website (to be created), a "one-time half of a page summary publication notice in People Magazine and Sports Illustrated," and by online advertisements in several websites such as Google, YouTube, Facebook, Instagram, Twitter, and Pinterest. The settlement site will likely specify additional information including any deadlines and additional notices.

We-Vibe announced in its blog on October 3, 2016 several security improvements:

"... we updated the We-Connect™ app and our app privacy notice. That update includes: a) Enhanced communication regarding our privacy practices and data collection – in both the onboarding process and in the app settings; b) No registration or account creation. Customers do not provide their name, email or phone number or other identifying information to use We-Connect; c) An option for customers to opt-out of sharing anonymous app usage data is available in the We-Connect settings; d) A new plain language Privacy Notice outlines how we collect and use data for the app to function and to improve We-Vibe products."

I briefly reviewed the We-Connect App Privacy Policy (dated September 26, 2016) linked from the Google Play store. When buying digital products online, often the privacy policy for the mobile app is different than the privacy policy for the website. (Informed shoppers read both.) Some key sections from the app privacy policy:

"Collection And Use of Information: You can use We-Vibe products without the We-Connect app. No information related to your use of We-Vibe products is collected from you if you don’t install and use the app."

I don't have access to the prior version of the privacy policy. That last sentence seems clear and should be a huge warning to prospective users about the data collection. More from the policy:

"We collect and use information for the purposes identified below... To access and use certain We-Vibe product features, the We-Connect app must be installed on an iOS or Android enabled device and paired with a We-Vibe product. We do not ask you to provide your name, address or other personally identifying information as part of the We-Connect app installation process or otherwise... The first time you launch the We-Connect app, our servers will provide you with an anonymous token. The We-Connect app will use this anonymous token to facilitate connections and share control of your We-Vibe with your partner using the Connect Lover feature... certain limited data is required for the We-Connect app to function on your device. This data is collected in a way that does not personally identify individual We-Connect app users. This data includes the type of device hardware and operating system, unique device identifier, IP address, language settings, and the date and time the We-Connect app accesses our servers. We also collect certain information to facilitate the exchange of messages between you and your partner, and to enable you to adjust vibration controls. This data is also collected in a way that does not personally identify individual We-Connect app users."

In a way that does not personally identify individuals? What way? Is that the "anonymous token" or something else? More clarity seems necessary.

Consumers should read the app privacy policy and judge for themselves. Me? I am skeptical. Why? The "unique device identifier" can be used exactly for that... to identify a specific phone. The IP address associated with each mobile device can also be used to identify specific persons. Match either number to the user's 10-digit phone number (readily available on phones), and it seems that one can easily re-assemble anonymously collected data afterwards to make it user-specific.

And since partner(s) can remotely control a user's We-Vibe device, their information is collected, too. Persons with multiple partners (and/or multiple We-Vibe devices) should thoroughly consider the implications.
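To make the linkability concern concrete, here is an added example (not code from We-Vibe, the policy, or the complaint) that scores telemetry by how many distinct users share each combination of the field types the policy lists. The records, the `user` ground-truth label, and the minimized schema (IP truncated to a /24, timestamp coarsened to a date, device identifier dropped) are all constructed assumptions.

```python
"""Linkability check for 'anonymous' telemetry, run on constructed sample data."""
from collections import defaultdict
import ipaddress

FIELDS = ("user", "device_id", "ip", "hw", "os", "lang", "ts")

# Constructed records. "user" is ground truth for scoring only; it is NOT a
# collected field. The other columns mirror the field types the policy lists.
_ROWS = [
    ("u1", "dev-A", "198.51.100.23",  "phone-x", "android-6", "en", "2016-09-27T21:14:05"),
    ("u1", "dev-A", "198.51.100.23",  "phone-x", "android-6", "en", "2016-09-28T22:01:40"),
    ("u2", "dev-B", "198.51.100.77",  "phone-x", "android-6", "en", "2016-09-27T21:30:12"),
    ("u2", "dev-B", "198.51.100.77",  "phone-x", "android-6", "en", "2016-09-28T06:45:10"),
    ("u3", "dev-C", "198.51.100.140", "phone-x", "android-6", "en", "2016-09-27T23:05:51"),
    ("u4", "dev-D", "203.0.113.9",    "phone-y", "ios-10",    "en", "2016-09-27T20:45:00"),
    ("u4", "dev-D", "203.0.113.9",    "phone-y", "ios-10",    "en", "2016-09-28T20:50:00"),
    ("u5", "dev-E", "203.0.113.200",  "phone-y", "ios-10",    "en", "2016-09-27T20:59:30"),
    ("u5", "dev-E", "203.0.113.200",  "phone-y", "ios-10",    "en", "2016-09-28T07:10:02"),
]
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in _ROWS]


def as_collected(e):
    """Every listed field, stored at full precision."""
    return (e["device_id"], e["ip"], e["hw"], e["os"], e["lang"], e["ts"])


def device_id_only(e):
    return (e["device_id"],)


def ip_only(e):
    return (e["ip"],)


def minimized(e):
    """Hypothetical reduced schema: no device ID, /24 network, date only."""
    net = ipaddress.ip_network(e["ip"] + "/24", strict=False)
    return (str(net), e["hw"], e["os"], e["lang"], e["ts"][:10])


def users_per_group(events, key_fn):
    """Map each observed key to the set of distinct users who produced it."""
    groups = defaultdict(set)
    for e in events:
        groups[key_fn(e)].add(e["user"])
    return groups


def k_anonymity(events, key_fn):
    """Smallest number of users sharing any key; 1 means someone is singled out."""
    return min(len(users) for users in users_per_group(events, key_fn).values())


def uniquely_identified_fraction(events, key_fn):
    """Share of records whose key belongs to exactly one user."""
    groups = users_per_group(events, key_fn)
    hits = sum(1 for e in events if len(groups[key_fn(e)]) == 1)
    return hits / len(events)


if __name__ == "__main__":
    for name, fn in [("as collected", as_collected),
                     ("device ID only", device_id_only),
                     ("IP only", ip_only),
                     ("minimized", minimized)]:
        print(f"{name:15s} k={k_anonymity(SAMPLE_EVENTS, fn)} "
              f"unique={uniquely_identified_fraction(SAMPLE_EVENTS, fn):.0%}")
```

A k of 1 means at least one person's records stand alone, so any outside record of that key (an account table, a carrier log) attaches a name to the usage history. The minimized schema only reaches k=2 on this sample, which is still weak; the point is the measurement, not that this particular schema is sufficient.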

The About Us page in the We-Vibe site contains this company description:

"We-Vibe designs and manufactures world-leading couples and solo vibrators. Our world-class engineers and industrial designers work closely with sexual wellness experts, doctors and consumers to design and develop intimate products that work in sync with the human body. We use state-of-the-art techniques and tools to make sure our products set new industry standards for ergonomic design and high performance while remaining eco‑friendly and body-safe."

Hmmmm. No mentions of privacy nor security. Hopefully, a future About Us page revision will mention privacy and security. Hopefully, no government officials use these or other branded smart sex toys. This is exactly the type of data collection spies will use to embarrass and/or blackmail targets.

The settlement is a reminder that companies are willing, eager, and happy to exploit consumers' failure to read privacy policies. A study last year found that 74 percent of consumers surveyed never read privacy policies.

All of this should be a reminder to consumers that companies highly value the information they collect about their users, and generate additional revenue streams by selling information collected to corporate affiliates, advertisers, marketing partners, and/or data brokers. Consumers' smartphones are central to that data collection.

What are your opinions of the We-Vibe settlement? Of its products and security?

Ashley Madison Operators Agree to Settlement With FTC And States


The operators of the AshleyMadison.com dating site have agreed to a settlement with the U.S. Federal Trade Commission (FTC) for security lapses in a massive 2015 data breach. 37 million subscribers were affected, and the site's poor handling of its password-reset mechanism made accounts discoverable while the site had promised otherwise. The site was known for helping married persons find extra-marital affairs.

The FTC complaint against Avid Life Media Inc. sought relief and refunds for subscribers. The complaint alleged that the dating site:

"... Defendants collect, maintain, and transmit a host of personal information including: full name; username; gender; address, including zip codes; relationship status; date of birth; ethnicity; height; weight; email address; sexual preferences and desired encounters; desired activities; photographs; payment card numbers; hashed passwords; answers to security questions; and travel locations and dates. Defendants also collect and maintain consumers’ communications with each other, such as messages and chats... Until August 2014, Defendants engaged in a practice of using “engager profiles” — that is, fake profiles created by Defendants’ staff who communicate with consumers in the same way that consumers would communicate with each other—as a way to engage or attract additional consumers to AshleyMadison.com. In 2014, there were 28,417 engager profiles on the website. All but 3 of the engager profiles were female. Defendants created these profiles using profile information, including photographs, from existing members who had not had any account activity within the preceding one or more years... Because these engager profiles contained the same type of information as someone who was actually using the website, there was no way for a consumer to determine whether an engager profile was fake or real. To consumers using AshleyMadison.com, the communications generated by engager profiles were indistinguishable from communications generated by actual members... When consumers signed up for AshleyMadison.com, Defendants explained that their system is “100% secure” because consumers can delete their “digital trail”.

More importantly, the complaint alleged that the operators of the site failed to protect subscribers' information in several key ways:

"a. failed to have a written organizational information security policy;
b. failed to implement reasonable access controls. For example, they: i) failed to regularly monitor unsuccessful login attempts; ii) failed to secure remote access; iii) failed to revoke passwords for ex-employees of their service providers; iv) failed to restrict access to systems based on employees’ job functions; v) failed to deploy reasonable controls to identify, detect, and prevent the retention of passwords and encryption keys in clear text files on Defendants’ network; and vi) allowed their employees to reuse passwords to access multiple servers and services;
c. failed to adequately train Defendants’ personnel to perform their data security- related duties and responsibilities;
d. failed to ascertain that third-party service providers implemented reasonable security measures to protect personal information. For example, Defendants failed to contractually require service providers to implement reasonable security; and
e. failed to use readily available security measures to monitor their system and assets at discrete intervals to identify data security events and verify the effectiveness of protective measures."

The above items read like a laundry list of everything not to do regarding information security. Several states also sued the site's operators. Toronto, Ontario-based Ruby Corporation (formerly called Avid Life Media), ADL Media Inc. (based in Delaware), and Ruby Life Inc. (d/b/a Ashley Madison) were named as defendants in the lawsuit. According to its website, Ruby Life operates several adult dating sites: Ashley Madison, Cougar Life, and Established Men.

The Ashley Madison site generated about $47 million in revenues in the United States during 2015. The site has members in 46 countries, and almost 19 million subscribers in the United States created profiles since 2002. About 16 million of those profiles were male.

Terms of the settlement agreement require the operators to pay $1.6 million to settle FTC and state actions, and to implement a comprehensive data-security program with third-party assessments. About $828,500 is payable directly to the FTC within seven days, with an equal amount divided among participating states. If the defendants fail to make that payment to the FTC, then the full judgment of $8.75 million becomes due.

The defendants must submit to the FTC a compliance report one year after the settlement agreement. The third-party assessment program starts within 180 days of the settlement agreement and continues for 20 years with reports every two years. The terms prohibit the site's operators and defendants from misrepresenting to persons in the United States how their online site and mobile app operate. Clearly, the use of fake profiles is prohibited.

The JD Supra site discussed the fake profiles:

"AshleyMadison/Ruby’s use of chat-bot-based fake or “engager profiles” that lured users into upgrading/paying for full memberships was also addressed in the complaint. According to a report in Fortune Magazine, men who signed up for a free AshleyMadison account would be immediately contacted by a bot posing as an interested woman, but would have to buy credits from AshleyMadison to reply.

Gizmodo, among many other sites, has examined the allegations of fake female bots or “engager profiles” used to entice male users who were using Ashley Madison’s free services to convert to paid services: “Ashley Madison created more than 70,000 female bots to send male users millions of fake messages, hoping to create the illusion of a vast playland of available women.” "

13 states worked on this case with the FTC: Alaska, Arkansas, Hawaii, Louisiana, Maryland, Mississippi, Nebraska, New York, North Dakota, Oregon, Rhode Island, Tennessee, Vermont, and the District of Columbia. The State of Tennessee's share was about $57,000. Vermont Attorney General William H. Sorrell said:

“Creating fake profiles and selling services that are not delivered is unacceptable behavior for any dating website... I was pleased to see the FTC and the state attorneys general working together in such a productive and cooperative manner. Vermont has a long history of such cooperation, and it’s great to see that continuing.”

The Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner reached their own separate settlements with the company. Commissioner Daniel Therrien of the Office of the Privacy Commissioner of Canada said:

“In the digital age, privacy issues can impact millions of people around the world. It’s imperative that regulators work together across borders to ensure that the privacy rights of individuals are respected no matter where they live.”

Australian Privacy Commissioner Timothy Pilgrim stated:

"My office was pleased to work with the FTC and the Office of the Canadian Privacy Commissioner on this investigation through the APEC cross-border enforcement framework... Cross-border cooperation and enforcement is the future for privacy regulation in the global consumer age, and this cooperative approach provides an excellent model for enforcement of consumer privacy rights.”

Kudos to the FTC for holding a company's feet (and its officers' and executives' feet) to the fire to protect consumers' information.

What's New: Cruise Ship Vacations Through The Northwest Passage

You can now sail to parts of Canada and the Arctic Ocean that were previously inaccessible.

Since the 1500s, explorers have attempted to sail the Arctic Ocean and Northwest Passage, but were unable due to thick sea ice present all year long. With climate change, the sea ice has retreated far enough and long enough during the summer months for cargo and cruise ships to navigate this shorter route between the Atlantic and Pacific Oceans.

Crystal Cruises announced a new itinerary through the Northwest Passage to destination ports in the United States, Canada, and Greenland. Starting in August of 2016, the Crystal Serenity cruise ship will sail from Anchorage, Alaska to New York City, with port destinations at Kodiak (Alaska), Nome (Alaska), Ulukhaktok (Northwest Territories, Canada), Cambridge Bay (Canada), Pond Inlet (Canada), Ilulissat (Greenland), Nuuk (Greenland), Bar Harbor (Maine), and more.

Crystal Cruises is a high-end, luxury cruise line offering a truly all-inclusive cruise experience. Budget or entry-level cruise lines typically offer a low price, but add on a variety of fees. Many consumers prefer a one-price, all-inclusive vacation.

The cruise price includes complimentary fine wines and premium spirits, plus gratuities for housekeeping, bar, dining and Penthouse butler staff. It also includes fine dining at any of eight on-board restaurants, classes at the Computer University@Sea®, foreign language classes, themed cruises focusing upon music, film and entertainment shows, wellness and golf, lectures featuring speakers, authors, and celebrities, art classes, an on-board fitness center, and concierge services to arrange personalized shore excursions.

The fitness center includes state-of-the-art exercise equipment, yoga classes, cycling classes, golf lessons, Pilates, and tai chi classes. The ship includes deluxe staterooms, staterooms with verandahs, penthouses, and penthouse suites. Staterooms include satellite TV, movie/DVD rentals, housekeeping, complimentary soft drinks and bottled water, complimentary beer, wine and spirits upon request, luxury bathrobes, and fine Egyptian cotton linens. Additional complimentary services are available in the penthouses and penthouse suites.

The Crystal Serenity cruise ship debuted in July, 2003. The cruise line spent $52 million in 2013 to redesign and upgrade the ship, including both staterooms and public areas. Besides the Northwest Passage itinerary, the ship sails to destinations in the Caribbean, South America, Hawaii, Australia, and the Mediterranean.

Prices for the 32-day cruise start at $21,855 per person double occupancy, and include the above onboard services plus transfers between the airport and cruise terminal in Anchorage. Prices exclude air fare and transfers between the cruise ship and airports in New York City.

Whether or not you believe in climate change, or agree that human activity contributes to climate change (a/k/a global warming), the retreating sea ice is an indication of changes in the planet.


Safer Internet Day: Do Your Part

Today is Safer Internet Day (SID) #SID2016. This event occurs every year in February to promote safer and more responsible use of online technology and mobile phones, especially among children. This year's theme is:

"Play your part for a better Internet"

There are events in 100 countries worldwide. The European Commission’s Safer Internet Programme started the event, which has continued under the Connecting Europe Facility (CEF). This is the 13th annual event. According to its press release:

"Last year’s celebrations saw more than 19,000 schools and 28 million people involved in SID actions across Europe, while over 60 million people were reached worldwide..."

Hans Martens, Digital Citizenship Programme Manager at European Schoolnet and Coordinator of the Insafe Network said:

“The theme of ‘Play your part for a better internet’ truly reflects how stakeholders from across the world can and should work together to build a trusted digital environment for all. This approach is at the core of the Better Internet for Kids agenda, and we look forward to seeing many exciting initiatives and collaborations, both on the day of SID itself and beyond."

Sophos, a security firm, described six safety tips for families. That includes learning to spot phishing scams to avoid password-stealing computer viruses and ransomware. Children need to learn how to create strong passwords, and never use these weak passwords. Read about several SID events in California, including teens brainstorming ways to fight online bullying and teens helping adults.

To learn more, watch the video below and then visit SaferInternetDay.org for events in your country.

Or, watch the video on YouTube.

Recording Ourselves To Death

Deaths from sharks versus selfies

This is not a joke.

Payment Scam Dupes Airbnb Customer. Was There A Data Breach?

Readers of this blog are aware of the various versions of check scams criminals use to trick consumers. A new scam has emerged with social travel sites.

After paying for a valid stay, an Airbnb customer was tricked by criminals using a wire transfer scam. The Telegraph UK described how an Airbnb customer was tricked. After paying for their valid rental with a valid credit card, the guest:

"... received an email from Airbnb saying that the card payment had been declined and I needed to arrange an international bank transfer within the next 24 hours to secure the apartment. Stupidly, I did as asked. I transferred the money straight away to someone I assumed was the host as they had all the details of my reservation."

Formed in 2008, Airbnb now operates in 34,000 cities in 190 countries.

After checking with their bank, the guest determined that the credit card payment had been processed correctly. So, the guest paid twice, with the second payment to the criminal. The guest believes that Airbnb experienced a data breach. According to one security expert:

"The fraud works by sending an email to a host that appears to come from Airbnb asking them to verify their account details. The host foolishly responds thus giving the fraudster access to their account and all the bookings correspondence. Even though the addresses are anonymised the fraudster can still send emails to the customers via Airbnb to try to extract a second payment by bank transfer."

What can consumers make of this? First, hosts should learn to recognize phishing e-mails. Don't respond to them. Second, guests need to remember that inattentive hosts can compromise their identity information. Third, guests should never make payments outside of Airbnb's system.

Criminals are creative, persistent, and knowledgeable. Consumers need to be, too. Read the Scams/Threats section of this blog.

Costco, CVS, And Wal-Mart Canada Investigate Possible Data Breaches

On Friday, CVS and Wal-Mart Canada announced investigations into possible data breaches at their photo centers. On Monday, Costco announced a similar investigation about a possible data breach. Costco has also suspended operations of its photo centers. The number of credit card customers affected is unknown at all three retailers.

The outsourcing vendor involved is PNI Digital Media, with offices in Vancouver, British Columbia (Canada) and England. According to its website, PNI Digital Media operates 19,000 retail locations and 8,000 in-store kiosks. The New York Times reported:


"... the breaches highlighted the importance of more rigorously vetting I.T. vendors at a time when companies outsource more and more of their technology operations. Vendors have often proved to be the weakest link..."

Staples acquired PNI Digital Media in July, 2014. At press time, the vendor's latest tweet was May 20, two months ago. That tweet announced that hiring was underway for several positions, including front and back-end developers.

Until the retailers announce more about their breaches, experts advise customers of the above retail stores to closely monitor their bank and card statements for fraudulent charges.

Report: Researchers Compare High-Speed Internet Services Worldwide. Consumers In The USA Pay More And Get Slower Speeds

Since President Obama will mention competition and high-speed Internet services in his 2015 State of The Union address to the nation Tuesday evening, it seemed appropriate to discuss the state of high-speed Internet services (a/k/a broadband) in the United States. The "Cost of Connectivity 2014" annual report by the Open Technology Institute compared Internet prices and speeds in 24 cities around the world. The overall finding:

"... the data that we have collected in the past three years demonstrates that the majority of U.S. cities surveyed lag behind their international peers, paying more money for slower Internet access."

The researchers investigated both home and mobile high-speed Internet prices and speeds. Data was collected between July and September of 2014. The list of cities:

  • Americas: Bristol (Virginia), Chattanooga (Tennessee), Kansas City (Kansas), Kansas City (Missouri), Lafayette (Louisiana), Los Angeles (California), Mexico City (Mexico), New York (N.Y.), San Francisco (California), Toronto (Canada), Washington (D.C.)
  • Asia: Hong Kong, Seoul (So. Korea), Tokyo (Japan)
  • Europe: Amsterdam (Netherlands), Berlin (Germany), Bucharest (Romania), Copenhagen (Denmark), Dublin (Ireland), London (United Kingdom), Paris (France), Prague (Czech Republic), Riga (Latvia), Zurich (Switzerland)

For home usage, the researchers looked at "broadband-only" plans. If a provider didn't offer a broadband-only plan, then they looked for the cheapest bundle (e.g., phone plus Internet, "triple-play" bundles of phone, Internet, and television, etc.). Prices in foreign currencies were converted to U.S. Dollars using:

"... the World Bank’s purchasing power parity (PPP) metric."

The researchers used the broadband definition by the U.S. Federal Communications Commission (FCC): a minimum of 4 Mbps download and 1 Mbps upload. The researchers collected the following information about each broadband service:

  • Network technology (e.g., DSL, cable, fixed wireless, fiber optic),
  • Download and upload speeds,
  • Monthly subscription costs (excluding promotional prices),
  • Data caps and any penalties (i.e. overage fees or throttled speeds),
  • Activation and installation fees,
  • Modem and equipment rental or purchase fees, and
  • Contract lengths (e.g., number of months, no contract)

Consumers in Asia and Europe get the best value (e.g., highest speeds at the lowest prices):

"Most Asian and European cities provide broadband service in the 25 to 50 megabits per second (Mbps) speed range at a better value on average than North American cities (with a few key exceptions). In addition, when it comes to the estimated speeds a customer could expect to get for $50 in each of the cities we surveyed, the U.S. is middling at best, with many cities falling to the bottom of the pack. Our analysis also finds that, in terms of speed and price, cities with municipal networks are on par with Hong Kong, Seoul, Tokyo, and Zürich and are ahead of the major incumbent ISPs in the U.S."

This merits repeating. The areas in the USA that offer the best value for consumers are municipal broadband networks and not the corporate Internet Service Providers (ISPs). Yet, local laws in 19 states prevent or restrict consumers from building municipal broadband services. Yet politicians in the United States are quick to promote privatization (e.g., corporations are good; government is bad) as a catch-all solution.

And, it is worse for mobile phone and tablet users:

"In the mobile broadband space, USB dongle and wireless hotspot device offerings continue to be expensive substitutes for home broadband connectivity, with consumers in some other countries paying the same price for mobile plans with data caps that are up to as 40 times higher than those offered by U.S. providers."

Providers of home services in cities with the fastest broadband speeds both increased speeds and reduced prices in 2013 compared to 2012, and again in 2014 compared to 2013:

"Virtually every city in this ranking has seen an annual increase in its top speed offering since 2012. In cases where ISPs offer the same speed as last year, those ISPs have tended to lower their prices. For instance, Lafayette, LA charged $999.95 per month for its gigabit service in 2013 and dropped that price to $109.95 per month in 2014. In Mexico City, a 200 Mbps package was available for nearly $100 less than the price offered for that speed by a different provider in 2013. The average download speed of plans in this ranking increased from 233 Mbps in 2012 to around 500 in 2013, and almost 650 Mbps in 2014. Nearly half of all cities in this ranking offer gigabit speeds, and more than two-thirds of all cities offer service over 500 Mbps."

The researchers looked at what consumers could get by spending $40 monthly:

"In 2014, five providers offered gigabit service for under $40, up from just one in 2013 and none in 2012. The U.S. cities on this list that are ranked at the middle or higher (Kansas City, KS; Kansas City, MO; and San Francisco, CA) are represented by local, innovative providers who offer competitive alternatives to the services provided by incumbents."

Incumbents are the large, national corporate ISPs (e.g., Verizon, AT&T, etc.). So, the top five best deals under $40 monthly:

| Rank - City | Monthly Cost ($ U.S.) | Provider | Speeds | Network Technology |
|---|---|---|---|---|
| 1. Seoul | $30.30 | HelloVision | 1,000 Mbps download & upload | Fiber |
| 2. Hong Kong | $37.41 | Hong Kong Broadband | 1,000 Mbps download & upload | Fiber |
| 3. Tokyo | $39.15 | KDDI | 1,000 Mbps download & upload | Fiber |
| 4. Paris | $38.81 | SFR | 1,000 Mbps download & 200 Mbps upload | Fiber |
| 5. Bucharest | $32.35 | RCS & RDS | 1,000 Mbps download & 30 Mbps upload | Fiber |

Now, compare the above prices to what you pay and the speed you get. I did. Here in Boston, Comcast charges $66.95 per month for what it calls "Performance Internet." That's the regular price, and not the promotional price. The Comcast website states:

"Restrictions apply. Not available in all areas. Limited to new residential customers. Not available in all areas. Requires subscription to Performance Internet service. Equipment, installation, taxes and fees, and other applicable charges extra, and subject to change during and after the promo. After 12 mos., service charge for Performance Internet increases to $54.99/mo. After promo, or if any service is cancelled or downgraded, regular rates apply. Comcast's service charge for Performance Internet is $66.95/mo. (subject to change). Service limited to a single outlet. May not be combined with other offers. Internet: Wi-Fi claim based on the September 2014 study by Allion Test Labs. Actual speeds vary and are not guaranteed."

So, the site doesn't even disclose what speed consumers get for $66.95 per month. The true price is higher once you add in equipment and taxes. And that is for older cable technology; not fiber. So, it is difficult for consumers to determine the value of Comcast Internet. Yes, Comcast offers a promotion price of $39.99 per month for 12 months, and then the monthly rate increases. I ignored this promotional price since the researchers compared regular rates. You should, too, so you know what the service really costs. And Comcast includes enough caveats that if you change anything in your subscription, regular rates apply.

Verizon FiOS is a fiber Internet service here in Massachusetts. Below are the service's prices:

[Image: Verizon FiOS prices in January 2015.]

The prices are very high, and the speeds are slower than the above leaders mentioned in the "Cost of Connectivity 2014" report. So, it seems appropriate to ask: are you getting good value (e.g., monthly price divided by download speed) for home Internet where you live? Probably not; unless you live in an area with a municipal service provider. Do you have a state-of-the-art fiber connection? Probably not.

The researchers compared high-speed Internet services between Europe and the USA. They found:

"... median prices are higher in the U.S. for speeds equivalent to those in Europe. Except for the lowest speed tier reported in this graph, the median price in every other tier is noticeably higher for the U.S., indicating that customers pay more for the same broadband packages than their European peers."

The researchers analyzed and compared Internet services in several ways. Since consumers often set a household budget for items, the researchers looked at what consumers get with a monthly budget of $50 for Internet services. Providers in the USA didn't fare well:

"Figure 7 demonstrates the estimated speeds a customer could expect to get for $50 in each of the cities we surveyed. Hong Kong and Seoul are far ahead, with around 300 Mbps at $50, while Tokyo and Paris both hover around 200 Mbps. Most of the U.S. cities cluster between 25 and 45 Mbps, with only San Francisco, CA, and Chattanooga, TN, falling out of that range on the high and low end, respectively. Mexico City ranks last with an average of around 8 Mbps."

Sometimes, consumers seek a certain Internet speed to perform certain tasks. So, the researchers looked at which countries provided the best value with a download speed of 25 Mbps or faster. 25 Mbps download is fast enough to download a short video clip in 1.3 seconds, 10 songs in about half a minute, or a 2-hour video in 13 minutes. That speed allows you to do most things you'd want to do, especially since most mobile devices store your files in the cloud. Once again, the USA lagged other countries:

"Figure 8 demonstrates the estimated monthly price for 25 Mbps in each of the cities we surveyed. The results are largely consistent with our other observations, although in this analysis London comes out at the top of the list at around $24 a month, followed closely by Seoul, Bucharest, and Paris. The U.S. cities are still clustered in the bottom half of the pack, with the exceptions of Kansas City, KS and Kansas City, MO. Notably, Hong Kong drops much lower in this analysis, which reflects the fact that some providers offer speeds ranging from 8 to 100 Mbps at very similar or identical prices."

Feeling proud about American exceptionalism? The next time you hear pundits or politicians profess American exceptionalism, ask them what they are doing to lower your monthly high-speed Internet prices, and speed up your connection, so you get the same (or better) value as consumers in other parts of the world. Write to your elected officials and tell them high-speed Internet prices are too high.

What are your opinions of this report? Of the monthly prices you pay? Do you think that ISPs in the U.S.A. are doing a good job?

Sony At The Center Of Several Issues, Not Just A Decision To Cancel A Movie Release

News media and social networking sites are ablaze with discussions about Sony Pictures and its film, "The Interview." Everyone has an opinion, and many seem to want the company to stand up for First Amendment rights of creative artists, and not surrender to threats by politically-motivated hackers.

These are all valid concerns. However, Sony seems to be at the nexus of several important, related issues that shouldn't be confused or overlooked:

  1. Whether or not Sony Pictures should have made the film, "The Interview."
  2. Sony Pictures decided to cancel the Christmas release of the film. Many people feel this was a bad decision, arguing that the company surrendered to the hackers' threats, and that surrender encourages more attacks by politically-motivated hackers.
  3. Sony Pictures considers how to release the film (e.g., streaming?) given liability and safety concerns. It may use its Crackle video-streaming service.
  4. Several news media outlets published the content of e-mail messages stolen during the hack attack. Despite First Amendment rights in the U.S., Sony threatened legal action against news media outlets that published more e-mail messages. Some people supported Sony's position.
  5. The theft and publication of e-mails with embarrassing and insulting content is a reminder of the fragility of online privacy: nothing you say, type, text, post or do online can be guaranteed to remain private. This is important, especially given the growth in usage of "erasable" social services (e.g., Snapchat) and cloud services.
  6. The data breach raised concerns that Sony allegedly failed to adequately protect both its networks and servers with sensitive information it was entrusted with. The latest data breach affected both current and former employees.
  7. Several lawsuits have been filed against the company by current and former employees regarding #6, and
  8. The U.S. government weighs a "proportional response" given national security concerns of hacking attacks by a foreign country. North Korea denied the cyber-attack, and then proposed a joint investigation with the USA. The USA later rejected that proposal.

Sony Corporation's headquarters is in Tokyo, Japan. Sony Pictures' headquarters is in Culver City, California in the USA. Issues #6 and #7 merit further discussion.

This latest data breach at Sony was not the company's first incident. It experienced several breaches during 2011, notably a massive incident at Sony Playstation Network affecting 77 million customers, and at Sony Entertainment Network. Later that year, Sony executives apologized. Earlier this year, the company agreed to a settlement resolving lawsuits about its Playstation Network breach. However, there's more. Forbes magazine reported:

"An email from Courtney Schaberg, VP of legal compliance at Sony Pictures, to general counsel Leah Weil, dated 16 January 2014, reported a compromise of the Sonypictures.de site. The website was swiftly taken down after it emerged the site had been hacked to serve up malware to visitors. Schaberg also expressed concern that email addresses and birth dates for 47,740 individuals who signed up to the site’s newsletter had been accessed by the attacker. On Friday 17 January 2014, Schaberg told Weil that it was unclear whether personal information had been taken as an investigation by a third party would not start until the following Monday, but it was unlikely Sony would disclose the breach publicly."

After the Sony Pictures cyberattack, both current and former employees have already filed lawsuits. TechCrunch described some of the details:

"... Christina Mathis and Michael Corona have filed a federal court complaint against the movie studio, alleging that the company did not take enough precautions to keep employee and employee family data safe... The complaint references tech blog reporting to note that Sony was aware of the insecurity on its network... And it cites several instances of Sony failing to adequately inform former employees of the situation... there were only 11 people on the Sony information security team at the time of the hack..."

The plaintiffs seem to have several valid concerns. Krebs On Security reported:

"According to multiple sources, the intruders also stole more than 25 gigabytes of sensitive data on tens of thousands of Sony employees, including Social Security numbers, medical and salary information. What’s more, it’s beginning to look like the attackers may have destroyed data on an unknown number of internal Sony systems."

Krebs on Security also reported:

"Several files being traded on torrent networks seen by this author include a global Sony employee list, a Microsoft Excel file that includes the name, location, employee ID, network username, base salary and date of birth for more than 6,800 individuals... Another file being traded online appears to be a status report from April 2014 listing the names, dates of birth, SSNs and health savings account data on more than 700 Sony employees. Yet another apparently purloined file’s name suggests it was the product of an internal audit from accounting firm Pricewaterhouse Coopers, and includes screen shots of dozens of employee federal tax records and other compensation data."

So, the sensitive personal data stolen is out in the open where criminals can use and abuse it. And, there may be more. The hackers have threatened to release more stolen information if Sony Pictures releases the film.

On December 15, Sony Pictures published several breach notices, including this general breach notice to its current and former employees (Adobe PDF) worldwide. Accompanying this general notice are several specific notices for residents in the United States, Canada, and Puerto Rico. There are detailed breach notices for residents of Maryland, Massachusetts, North Carolina, and Puerto Rico.

The Sony Pictures breach notice for Massachusetts residents (Adobe PDF) listed the specific data exposed and probably stolen:

"... the following types of personally identifiable information that you provided to SPE may have been subject to unauthorized acquisition: (i) name, (ii) address, (iii) social security number, driver’s license number, passport number, and/or other government identifier, (iv) bank account information, (v) credit card information for corporate travel and expense, (vi) username and passwords, (vii) compensation and (viii) other employment related information. In addition, unauthorized individuals may have obtained (ix) HIPAA protected health information, such as name, social security number, claims appeals information you submitted to SPE (including diagnosis), date of birth, home address, and member ID number to the extent that you and/or your dependents participated in SPE health plans, and (x) health/medical information that you provided to SPE outside of SPE health plans..."

If any items had been encrypted, Sony Pictures probably would have mentioned it. Why wasn't this sensitive information encrypted? That's one problem. Next, the data stolen includes the mother lode of personal, financial, and healthcare information; stuff identity criminals seek for reselling profitably to other criminals, for impersonating breach victims both online and offline, for taking out fraudulent loans, and for obtaining free health care services.

Sony Pictures has arranged for 12 months of free identity-protection services with AllClearID. As I have written before repeatedly, 12 months is insufficient. The data elements stolen do not magically become obsolete in 12 months. Five or ten years of identity-protection services would be better.

Sony's latest breach, and its unencrypted data storage, make one doubt that its executives have truly learned from prior data breaches, and wonder whether they have truly embraced best practices for data security or continue to cut corners. As TechCrunch reported:

"Sony Director of Information Security Jason Spaltro even gave an interview in 2007 whose whole point was to revel in Sony’s security loopholes: “it’s a valid business decision to accept the risk” of a security breach. “I will not invest $10 million to avoid a possible $1 million loss,” he said at the time. This hack is estimated to cost Sony $100 million after all is said and done. The last one cost the company a cool $171 million..."

What are your opinions about Sony, its data security, or the above list of issues? Are there any additional issues?

[December 24 update: Sony Pictures reversed its prior decision and will release the film in select theatres on Christmas.]

Banks Pay Huge Fines, Again. This Time For Foreign Exchange Trading Abuses

There is an interesting article in the Washington Post titled, "You Should Never Underestimate How Far Bankers Will Go To Game The System." Several banks recently paid huge fines:

"This time, it's a $4.2 billion fine. That's how much UBS, HSBC, Citibank, JP Morgan Chase, Bank of America, and the Royal Bank of Scotland are collectively paying to U.S., U.K., and Swiss regulators for rigging the foreign-exchange, or FX, market."

How the banks rigged the trading exchange:

"Traders at supposedly competing firms worked together to rig the benchmark FX rates in their favor. They deliberately triggered clients' stop-loss orders—the price they'd automatically sell at to limit losses—to boost their own profits. Along with revealing what trades their customers were about to make, which would let them all make it first... the bankers set up [online] chatrooms charmingly named things like "the 3 musketeers" where they planned all this out..."

Kudos to regulators for catching the banks doing illegal activity. Before, it was abuses with residential mortgage-backed securities. The banks have often apologized for the abuses, but those apologies (and fines) are a mild, first step. Consequences must be more extensive.

This latest set of fines highlights what is wrong with the banking sector. Basically, the wrongdoing will continue as long as the likelihood of getting caught is low, no bankers go to prison, and the profits from said activities exceed the fines paid:

"... it's important to remember that these penalties are just the price of doing business for big banks—and tax-deductible ones at that. And that's why the better news is that the Justice Department is still looking into criminal charges against some of these traders. Far too often, as Matt Taibbi has argued, the Justice Department has been all too happy to have banks cut them a fat check rather than—and at the expense of—pursuing criminal charges that are hard to prove and even harder to explain to a jury."

The trading abuses went on for years. The Guardian UK reported:

"Two UK and US regulators said they had found a “free for all culture” rife on trading floors which allowed the markets to be rigged for five years, from January 2008 to October 2013.... In the UK, UBS was handed the biggest fine, at £233m, followed by £225m for Citibank, JPMorgan at £222m, RBS at £217m, and £216m for HSBC. Barclays has yet to settle. In the US, the regulator fined Citibank and JP Morgan $310m each, $290m each for RBS and UBS, and $275m for HSBC."

Consumers: when fines are tax deductible, it's a huge gift to banks because you are paying for the wrongdoing and not the banks. If fines continue to be tax-deductible, enforcement agencies fail to put bankers in prison, and politicians support the status quo, then the time to gather your torches and pitchforks fast approaches.

Home Depot Discloses More Details About Its Data Breach Affecting 53 Million Shoppers

If you shop at Home Depot, then today's blog post is for you. On November 6, 2014, Home Depot disclosed more details about its data breach investigation. Criminals gained access to the retailer's computer network by using a third-party vendor's credentials (e.g., user name and password), and:

"These stolen credentials alone did not provide direct access to the company's point-of-sale devices. The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot's network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada... separate files containing approximately 53 million email addresses were also taken during the breach. These files did not contain passwords, payment card information or other sensitive personal information."

The announcement did not explain how the criminals gained "elevated rights" with the stolen credentials. Home Depot did not disclose the name of the third-party vendor.

In a prior September 8, 2014 press release (Adobe PDF, 188.4K), the retailer confirmed the breach affecting shoppers who used credit cards in its stores during April to September of 2014. The retailer began its breach investigation on September 2 after several banks and law enforcement agencies notified it of a possible breach. Also on September 8, the retailer offered affected shoppers free credit monitoring services. To learn more about these services, interested shoppers should visit the Home Depot website or call in the USA 1-800-HOMEDEPOT (800-466-3337). Shoppers in Canada should call 800-668-2266.

In its latest announcement, Home Depot said it is notifying affected shoppers in the United States and Canada. The stolen e-mail data means that affected shoppers should also be on alert for phishing e-mail scams designed to trick consumers to reveal their sensitive personal and financial information.

How should consumers view Home Depot's breach?

53 million affected shoppers is a massive breach. If your credit card payment information has been stolen, the hackers will likely sell the stolen information to other criminals who will then try to use the stolen information to make purchases and/or take out new loans fraudulently. This is what identity criminals do. So, it's wise to seriously consider the retailer's offer of free credit monitoring services.

As things progress, we will probably hear more details about its breach investigation. In its latest announcement, Home Depot did not disclose how many shoppers experienced both stolen e-mails and stolen credit card payment information. This overlap is important. If the overlap was 100 percent, then that says something very different than an overlap of 5 percent. If the overlap was concentrated in certain stores or states, then that says something else. To feel comfortable about shopping at Home Depot, shoppers deserve an explanation of both the overlap and how the related security holes are being fixed.

Back in September, Home Depot took the opportunity in its breach announcement to also announce the upcoming availability of its smart loyalty cards with EMV chips embedded. It seems that the retailer hopes that its smart loyalty cards will help make shoppers feel comfortable. So, we'll probably hear more about its smart cards during the coming weeks. However, smart cards alone do not make a computer network or purchase transactions secure.

While consumers may not focus upon the "elevated rights" statement in Home Depot's latest announcement, you can bet that data security experts, banks, and other retailers are watching closely. Why? eWeek provided an interesting analysis:

"That's the real root cause, in my view—a privilege escalation flaw. Getting into the network itself is interesting, but without the right privileges, which the third-party vendor did not have, the attacker could not do any damage... Home Depot has also reiterated that the malware that was deployed by the attackers, once they had executed their privilege escalation attack, was malware that had previously been unknown. That means it was not the Backoff malware that has impacted 1,000 retailers. What the new Home Depot breach details clearly show is that the breach was a multistage attack that wasn't just about any one failure but rather several defensive inadequacies. Third-party access was breached by an attacker, so that's one point of failure. The privilege escalation issue is the second. The undetected malware itself is the third point of failure. Finally, the fact that the data was taken out from the network without detection is the icing on the cake."

EMV chips won't fix these four failures. Free credit monitoring services won't fix these four failures. The retailer needs to improve its computer systems end-to-end, as the eWeek analysis suggested. What are your opinions of the breach? Of Home Depot's breach investigation? Of the eWeek analysis?

Burger King And Tim Horton's Agree To Merge. The Consequences

This morning, several news sources reported that Burger King, the fast-food chain, and Tim Horton's restaurants have agreed to merge. Horton's is based in Canada. The merger allows Burger King to benefit from a tax inversion, where:

"The combined Canadian coffee chain and U.S. burger chain will have its global headquarters in Canada... In a tax inversion, two international companies merge and move their tax domicile to the lower tax country."

Last month, Bloomberg BusinessWeek published an interesting and informative analysis of the company, its young management, corporate history, and current marketplace challenges. You'll probably want to read the BusinessWeek report titled, "Burger King Is Run By Children."

Professor and former U.S. Labor Secretary Robert Reich posted on Facebook the following about the merger (links added):

"BK’s profits have been flat, mainly because its mostly lower-income customers don’t have enough money to boost sales. So the pending deal is welcome news to investors, who today sent its stock up nearly 20 percent. But it’s a lousy deal for you and me and other Americans because we’ll have to make up for the taxes Burger King stops paying. We’re already subsidizing Burger King because it refuses to raise the pay of its frontline workers, who are now at or near the minimum wage. So we're paying for the food stamps, Medicaid, and wage subsidies its workers need in order to stay out of poverty. That means when BK deserts America to cut its tax bill, we’ll be paying twice. That's a whopper of a slap at America."

A whopper of a slap, indeed. Mr. Reich posted in an update (link added):

"It’s one thing when a company like Pfizer flirts with corporation desertion (technically, a tax “inversion”) to become a foreign company and lower its tax bill. But Burger King, like Walgreen, is highly visible to consumers. Walgreen dropped its plan to desert the United States after a customer backlash and bad publicity. So a boycott of Burger King, accompanied by letters to the local press, picketing for the broadcast media, and a general ruckus, should be helpful."

The phrase "tax inversion" sounds clinical and almost meaningless. I like and prefer the phrase, "corporate desertion" since it better describes what is really happening. And, a boycott seems the appropriate consequence for the burger chain's actions.

What are your opinions of Burger King's tax inversion? Of the "corporate desertion" phrase? Of a boycott?

Traveling Abroad? New T.S.A. Rules For Inbound Flights To The U.S.A.

In response to intelligence reports about possible terrorist attacks by Al Qaeda groups in Yemen, the Transportation Security Administration (TSA) issued new rules for flights inbound to the USA. The New York Times reported:

"... the United States has, for the first time, asked officials at more than a dozen foreign airports to confiscate from passengers any electronic devices that cannot be turned on, American officials said on Monday... Passengers will have to turn on the electronic devices while being screened by security personnel to prove that the devices are harmless, the T.S.A. said Sunday. The fear is that unresponsive phones have been hollowed out and filled with explosives..."

The affected airports are in Europe, the Middle East and Africa. The TSA does not screen passengers at foreign airports. The government agencies in each country perform that task, but:

"... foreign airports have to meet a series of requirements from the Department of Homeland Security and the Transportation Security Administration in checking such passengers before they board."

If you will travel abroad, this means you should make sure that all of your electronic devices (e.g., laptops, smartphones, tablets, etc.) are charged because you will be asked to turn them on in order to board your flight to the USA. Otherwise, you may have to leave behind your powerless device.

Read the July 6 announcement by the TSA.

What are your opinions of the new T.S.A. rules?

Highlights From Yesterday's NSA Reform Protest

The protest yesterday included both physical and online events. The online activity included both the #StoptheNSA and #TheDayWeFightBack hashtags. Consumers placed 86,454 phone calls and sent 178,903 e-mail messages to their elected officials in government worldwide. All within 24 hours.

Activity in the United States:

Visit The Day We Fight Back site to learn more about activity in the United States and worldwide. Notable tweets yesterday by elected officials in the United States:

Tweets by Senators Tom Udall and Ron Wyden

Tweet by Senator Ron Wyden

Tweet by Senator Patrick Leahy

Tweet by Senator Bernie Sanders

Meanwhile yesterday, House Speaker John Boehner tweeted about the ACA and the death of Shirley Temple, but did not tweet anything about NSA reform and surveillance. Senate Leader Harry Reid did not tweet anything about NSA reform and privacy, either.

NSA Reform: Take Action Now

I hope that you will join me in today's protest to demand that the USA government reform the National Security Agency (NSA) programs that spy on everyone. Why take action? The Center For Internet And Society (CIS) at Stanford Law School explained the situation well:

"With unfettered information about everyone, we can be singled out, targeted, marginalized, investigated, discredited, or jailed for pushing for peaceful change... So we join The Day We Fight Back to help end mass surveillance, and we hope you will join us, too... Last summer, the world learned that the United States’ intelligence agencies are conducting mass surveillance of millions of innocent people--Americans and citizens of other nations. We don’t know the whole story. Surveillance practices are secret, targets are secret, and even some of the laws under which the agencies operate are secret. The government has many techniques for masking the full scope of its information collection. Nevertheless, newspapers report that the National Security Agency obtained 70 million French telephone calls and 60 million Spanish ones in a single 30-day period. In a single day, the agency sucked in 444,743 e-mail address books from Yahoo, 105,068 from Hotmail, 82,857 from Facebook, 33,697 from Gmail and 22,881 from unspecified other providers. The NSA also collects daily contacts from an estimated 500,000 buddy lists on live-chat services as well as from the inbox displays of Web-based e-mail accounts. It collects approximately 250 million communications and “communications transactions” a year from inside the United States, a collection that includes Americans’ messages and calls with people overseas, as well as improperly collected purely domestic communications the NSA nevertheless keeps. The agency also obtains hundreds of thousands of peoples’ calling records under a law whose primary sponsor says was never conceived of for bulk collection purposes. Perhaps worse, the United States government actively undermines Internet security by subverting the process for adopting encryption standards and forcing companies to install surveillance back doors."

Action by Congress is long overdue. Unfamiliar with the issues? Read the Surveillance section of this blog, and follow any of the above links. Then, take action. You can contact your elected officials using the banner that overlays all posts on this blog, here, or here.