
'Software Pirates' Stole Apple Tech To Distribute Hacked Mobile Apps To Consumers

Prior news reports highlighted the abuse of Apple's corporate digital certificates. Now, we learn that this abuse is more widespread than first thought. CNet reported:

"Pirates used Apple's enterprise developer certificates to put out hacked versions of some major apps... The altered versions of Spotify, Angry Birds, Pokemon Go and Minecraft make paid features available for free and remove in-app ads... The pirates appear to have figured out how to use digital certs to get around Apple's carefully policed App Store by saying the apps will be used only by their employees, when they're actually being distributed to everyone."

So, bad actors abuse technology intended for a company's employees to distribute apps directly to consumers. Software pirates, indeed.

To avoid paying for hacked apps, consumers need to shop wisely from trusted sites. A fix is underway. According to CNet:

"Apple will reportedly take steps to fight back by requiring all app makers to use its two-factor authentication protocol from the end of February, so logging into an Apple ID will require a password and code sent to a trusted Apple device."

Let's hope that fix is sufficient.


Ex-IBM Executive Says She Was Told Not to Disclose Names of Employees Over Age 50 Who’d Been Laid Off

[Editor's note: today's guest blog post, by reporters at ProPublica, explores employment and hiring practices within the workplace. Part of a series, it is reprinted with permission.]

By Peter Gosselin, ProPublica

In sworn testimony filed recently as part of a class-action lawsuit against IBM, a former executive says she was ordered not to comply with a federal agency’s request that the company disclose the names of employees over 50 who’d been laid off from her business unit.

Catherine A. Rodgers, a vice president who was then IBM’s senior executive in Nevada, cited the order among several practices she said prompted her to warn IBM superiors the company was leaving itself open to allegations of age discrimination. She claims she was fired in 2017 because of her warnings.

Company spokesman Edward Barbini labeled Rodgers’ claims related to potential age discrimination “false,” adding that the reasons for her firing were “wholly unrelated to her allegations.”

Rodgers’ affidavit was filed Jan. 17 as part of a lawsuit in federal district court in New York. The suit cites a March 2018 ProPublica story that IBM engaged in a strategy designed to, in the words of one internal company document, “correct seniority mix” by flouting or outflanking U.S. anti-age discrimination laws to force out tens of thousands of older workers in the five years through 2017 alone.

Rodgers said in an interview Sunday that IBM “appears to be engaged in a concerted and disproportionate targeting of older workers.” She said that if the company releases the ages of those laid off, something required by federal law and that IBM did until 2014, “the facts will speak for themselves.”

“IBM is a data company. Release the data,” she said.

Rodgers is not a plaintiff in the New York case but intends to become one, said Shannon Liss-Riordan, the attorney for the employees.

IBM has not yet responded to Rodgers’ affidavit in the class-action suit. But in a filing in a separate age-bias lawsuit in federal district court in Austin, Texas, where a laid-off IBM sales executive introduced the document to bolster his case, lawyers for the company termed the order for Rodgers not to disclose the layoffs of older workers from her business unit “unremarkable.”

They said that the U.S. Department of Labor sought the names of the workers so it could determine whether they qualified for federal Trade Adjustment Assistance, or TAA, which provides jobless benefits and re-training to those who lose their jobs because of foreign competition. They said that company executives concluded that only one of about 10 workers whose names Rodgers had sought to provide qualified.

In its reporting, ProPublica found that IBM has gone to considerable lengths to avoid reporting its layoff numbers by, among other things, limiting its involvement in government programs that might require disclosure. Although the company has laid off tens of thousands of U.S. workers in recent years and shipped many jobs overseas, it sought and won TAA aid for just three during the past decade, government records show.

Company lawyers in the Texas case said that Rodgers, 62 at the time of her firing and a 39-year veteran of IBM, was let go in July 2017 because of "gross misconduct."

Rodgers said that she received “excellent” job performance reviews for decades before questioning IBM’s practices toward older workers. She rejected the misconduct charge as unfounded.

Legal action against IBM over its treatment of older workers appears to be growing. In addition to the suits in New York and Texas, cases are also underway in California, New Jersey and North Carolina.

Liss-Riordan, who has represented workers against a series of tech giants including Amazon, Google and Uber, has added 41 plaintiffs to the original three in the New York case and is asking the judge to require that IBM notify all U.S. workers whom it has laid off since July 2017 of the suit and of their option to challenge the company.

One complicating factor is that IBM requires departing employees who want to receive severance pay to sign a document waiving their right to take the company to court and limiting them to private, individual arbitration. Studies show this process rarely results in decisions that favor workers. To date, neither plaintiffs’ lawyers nor the government has challenged the legality of IBM’s waiver document.

Many ex-employees also don’t act within the 300-day federal statute of limitations for bringing a case. Of about 500 ex-employees who Liss-Riordan said contacted her since she filed the New York case last September, only 100 had timely claims and, of these, only about 40 had not signed the waivers and so were eligible to join the lawsuit. She said she’s filed arbitration cases for the other 60.

At key points, Rodgers’ account of IBM’s practices is similar to those reported by ProPublica. Among the parallels:

  • Rodgers said that all layoffs in her business unit were of older workers and that younger workers were unaffected. (ProPublica estimated that about 60 percent of the company’s U.S. layoffs from 2014 through 2017 were workers age 40 and above.)
  • She said that she and other managers were told to encourage workers flagged for layoff to use IBM’s internal hiring system to find other jobs in the company even as upper management erected insurmountable barriers to their being hired for these jobs.
  • Rodgers said the company reversed a decades-long practice of encouraging employees to work from home and ordered many to begin reporting to a few “hub” offices around the country, a change she said appeared designed to prompt people to quit. She said that in one case an employee agreed to relocate to Connecticut only to be told to relocate again to North Carolina.

Barbini, the IBM spokesman, didn’t comment on individual elements of Rodgers’ allegations. Last year, he did not address a 10-page summary of ProPublica’s findings, but issued a statement that read in part, “We are proud of our company and our employees’ ability to reinvent themselves era after era, while always complying with the law.”


ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.


Popular iOS Apps Record All In-App Activity Causing Privacy, Data Security, And Other Issues

As the internet has evolved, user testing and market research practices have also evolved. This may surprise consumers. TechCrunch reported that many popular Apple mobile apps record everything customers do with the apps:

"Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allows developers to embed “session replay” technology into their apps. These session replays let app developers record the screen and play them back to see how its users interacted with the app to figure out if something didn’t work or if there was an error. Every tap, button push and keyboard entry is recorded — effectively screenshotted — and sent back to the app developers."

So, customers' entire app sessions and activities have been recorded. Of course, marketers need to understand their customers' needs, and how users interact with their mobile apps, to build better products, services, and apps. However, in doing so, some apps have introduced security vulnerabilities:

"The App Analyst... recently found Air Canada’s iPhone app wasn’t properly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles."

Not good, for a couple of reasons. First, sensitive data like payment information (e.g., credit/debit card numbers, passport numbers, bank account numbers, etc.) should be masked. Second, when sensitive information isn't masked, more data security problems arise. How long is this app usage data archived? What employees, contractors, and business partners have access to the archive? What security methods are used to protect the archive from abuse?

In short, unauthorized persons may have access to the archives and the sensitive information they contain. For example, market researchers probably have little or no need for specific customers' payment information. Sensitive information in these archives should be encrypted, to provide the best protection from abuse and from data breaches.

Sadly, there is more bad news:

"Apps that are submitted to Apple’s App Store must have a privacy policy, but none of the apps we reviewed make it clear in their policies that they record a user’s screen... Expedia’s policy makes no mention of recording your screen, nor does Hotels.com’s policy. And in Air Canada’s case, we couldn’t spot a single line in its iOS terms and conditions or privacy policy that suggests the iPhone app sends screen data back to the airline. And in Singapore Airlines’ privacy policy, there’s no mention, either."

So, the app session recordings were done covertly... without explicit language to provide meaningful and clear notice to consumers. I encourage everyone to read the entire TechCrunch article, which also includes responses by some of the companies mentioned. In my opinion, most of the responses fell far short with lame, boilerplate statements.

All of this is very troubling. And, there is more.

The TechCrunch article didn't discuss it, but historically companies hired testing firms to recruit user test participants -- usually current and prospective customers. Test participants were paid for their time. (I know because as a former user experience professional I conducted such in-person test sessions where clients paid test participants.) Things have changed. Not only has user testing and research migrated online, but companies use automated tools to perform perpetual, unannounced user testing -- all without compensating test participants.

While change is inevitable, not all change is good. Plus, things can be done in better ways. If the test information is that valuable, then pay test participants. Otherwise, this seems like another example of corporate greed at consumers' expense. And, it's especially egregious if data transmissions of the recorded app sessions to developers' servers use up cellular data plan capacity consumers paid for. Some consumers (e.g., elders, children, the poor) cannot afford the costs of unlimited cellular data plans.

After this TechCrunch report, Apple notified developers to either stop or disclose screen recording:

"Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity... We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary..."

Good. That's a start. Still, user testing and market research are not a free pass for developers to ignore or skip data security best practices. Given these covert recorded app sessions, mobile apps must be continually tested. Otherwise, some ethically-challenged companies may re-introduce covert screen recording features. What are your opinions?


Walgreens To Pay About $2 Million To Massachusetts To Settle Multiple Price Abuse Allegations. Other Settlement Payments Exceed $200 Million

The Office of the Attorney General of the Commonwealth of Massachusetts announced two settlement agreements with Walgreens, a national pharmacy chain. Walgreens has agreed to pay about $2 million to settle multiple allegations of pricing abuses. According to the announcement:

"Under the first settlement, Walgreens will pay $774,486 to resolve allegations that it submitted claims to MassHealth in which it reported prices for certain prescription drugs at levels that were higher than what Walgreens actually charged, resulting in fraudulent overpayments."

"Under the second settlement, Walgreens will pay $1,437,366 to resolve allegations that from January 2006 through December 2017, rather than dispensing the quantity of insulin called for by a patient’s prescription, Walgreens exceeded the prescription amount and falsified information on claims submitted for reimbursement to MassHealth, including the quantity of insulin and/or days’ supply dispensed."

Both settlements arose from whistle-blower activity. MassHealth is the state's healthcare program based upon a state law passed in 2006 to provide health insurance to all Commonwealth residents. The law was amended in 2008 and 2010 to make it consistent with the federal Affordable Care Act.

Massachusetts Attorney General (AG) Maura Healey said:

"Walgreens repeatedly failed to provide MassHealth with accurate information regarding its dispensing and billing practices, resulting in overpayment to the company at taxpayers’ expense... We will continue to investigate cases of fraud and take action to protect the integrity of MassHealth."

In a separate case, Walgreens will pay $1 million to the state of Arkansas to settle allegations of Medicaid fraud. Last month, the New York State Attorney General announced that New York State, other states, and the federal government reached:

"... an agreement in principle with Walgreens to settle allegations that Walgreens violated the False Claims Act by billing Medicaid at rates higher than its usual and customary (U&C) rates for certain prescription drugs... Walgreens will pay the states and federal government $60 million, all of which is attributable to the states’ Medicaid programs... The national federal and state civil settlement will resolve allegations relating to Walgreens’ discount drug program, known as the Prescription Savings Club (PSC). The investigation revealed that Walgreens submitted claims to the states’ Medicaid programs in which it identified U&C prices for certain prescription drugs sold through the PSC program that were higher than what Walgreens actually charged for those drugs... This is the second false claims act settlement reached with Walgreens today. On January 22, 2019, AG James announced that Walgreens is to pay New York over $6.5 million as part of a $209.2 million settlement with the federal government and other states, resolving allegations that Walgreens knowingly engaged in fraudulent conduct when it dispensed insulin pens..."

States involved in the settlement include New York, California, Illinois, Indiana, Michigan and Ohio. Kudos to all Attorneys General and their staffs for protecting patients against corporate greed.


Senators Demand Answers From Facebook And Google About Project Atlas And Screenwise Meter Programs

After news reports surfaced about Facebook's Project Atlas, a secret program in which Facebook paid teenagers (and other users) to install a research app on their phones that tracked and collected information about their mobile usage, several United States Senators have demanded explanations. Three Senators sent a joint letter on February 7, 2019 to Mark Zuckerberg, Facebook's chief executive officer.

The joint letter to Facebook (Adobe PDF format) stated, in part:

"We write concerned about reports that Facebook is collecting highly-sensitive data on teenagers, including their web browsing, phone use, communications, and locations -- all to profile their behavior without adequate disclosure, consent, or oversight. These reports fit with longstanding concerns that Facebook has used its products to deeply intrude into personal privacy... According to a journalist who attempted to register as a teen, the linked registration page failed to impose meaningful checks on parental consent. Facebook has more rigorous mechanisms to obtain and verify parental consent, such as when it is required to sign up for Messenger Kids... Facebook's monitoring under Project Atlas is particularly concerning because the data collection performed by the research app was deeply invasive. Facebook's registration process encouraged participants to "set it and forget it," warning that if a participant disconnected from the monitoring for more than ten minutes for a few days, that they could be disqualified. Behind the scenes, the app watched everything on the phone."

The letter included another example highlighting the alleged lack of meaningful disclosures:

"... the app added a VPN connection that would automatically route all of a participant's traffic through Facebook's servers. The app installed a SSL root certificate on the participant's phone, which would allow Facebook to intercept or modify data sent to encrypted websites. As a result, Facebook would have limitless access to monitor normally secure web traffic, even allowing Facebook to watch an individual log into their bank account or exchange pictures with their family. None of the disclosures provided at registration offer a meaningful explanation about how the sensitive data is used, how long it is kept, or who within Facebook has access to it..."

The letter was signed by Senators Richard Blumenthal (Democrat, Connecticut), Edward J. Markey (Democrat, Massachusetts), and Josh Hawley (Republican, Mississippi). Based upon news reports about how Facebook's Research App operated with similar functionality to the Onavo VPN app which was banned last year by Apple, the Senators concluded:

"Faced with that ban, Facebook appears to have circumvented Apple's attempts to protect consumers."

The joint letter also listed twelve questions the Senators want detailed answers about. Below are selected questions from that list:

"1. When did Project Atlas begin and how many individuals participated? How many participants were under age 18?"

"3. Why did Facebook use a less strict mechanism for verifying parental consent than is required for Messenger Kids or Global Data Protection Regulation (GDPR) compliance?"

"4. What specific types of data were collected (e.g., device identifiers, usage of specific applications, content of messages, friends lists, locations, et al.)?"

"5. Did Facebook use the root certificate installed on a participant's device by the Project Atlas app to decrypt and inspect encrypted web traffic? Did this monitoring include analysis or retention of application-layer content?"

"7. Were app usage data or communications content collected by Project Atlas ever reviewed by or available to Facebook personnel or employees of Facebook partners?"

"8. Given that Project Atlas acknowledged the collection of "data about [users'] activities and content within those apps," did Facebook ever collect or retain the private messages, photos, or other communications sent or received over non-Facebook products?"

"11. Why did Facebook bypass Apple's app review? Has Facebook bypassed the App Store approval processing using enterprise certificates for any other app that was used for non-internal purposes? If so, please list and describe those apps."

Read the entire letter to Facebook (Adobe PDF format). Also on February 7th, the Senators sent a similar letter to Google (Adobe PDF format), addressed to Hiroshi Lockheimer, the Senior Vice President of Platforms & Ecosystems. It stated in part:

"TechCrunch has subsequently reported that Google maintained its own measurement program called "Screenwise Meter," which raises similar concerns as Project Atlas. The Screenwise Meter app also bypassed the App Store using an enterprise certificate and installed a VPN service in order to monitor phones... While Google has since removed the app, questions remain about why it had gone outside Apple's review process to run the monitoring program. Platforms must maintain and consistently enforce clear policies on the monitoring of teens and what constitutes meaningful parental consent..."

The letter to Google includes a similar list of eight questions the Senators seek detailed answers about. Some notable questions:

"5. Why did Google bypass App Store approval for Screenwise Meter app using enterprise certificates? Has Google bypassed the App Store approval processing using enterprise certificates for any other non-internal app? If so, please list and describe those apps."

"6. What measures did Google have in place to ensure that teenage participants in Screenwise Meter had authentic parental consent?"

"7. Given that Apple removed Onavo Protect from the App Store for violating its terms of service regarding privacy, why has Google continued to allow the Onavo Protect app to be available on the Play Store?"

The lawmakers have asked for responses by March 1st. Thanks to all three Senators for protecting consumers' -- and children's -- privacy... and for enforcing transparency and accountability.


Facebook Paid Teens To Install Unauthorized Spyware On Their Phones. Plenty Of Questions Remain

While today is the 15th anniversary of Facebook, more important news rules. Last week featured plenty of news about Facebook. TechCrunch reported on Tuesday:

"Since 2016, Facebook has been paying users ages 13 to 35 up to $20 per month plus referral fees to sell their privacy by installing the iOS or Android “Facebook Research” app. Facebook even asked users to screenshot their Amazon order history page. The program is administered through beta testing services Applause, BetaBound and uTest to cloak Facebook’s involvement, and is referred to in some documentation as “Project Atlas” — a fitting name for Facebook’s effort to map new trends and rivals around the globe... Facebook admitted to TechCrunch it was running the Research program to gather data on usage habits."

So, teenagers installed surveillance software on their phones and tablets, to spy for Facebook on themselves, Facebook's competitors, and others. This is huge news for several reasons. First, the "Facebook Research" app is VPN (Virtual Private Network) software which:

"... lets the company suck in all of a user’s phone and web activity, similar to Facebook’s Onavo Protect app that Apple banned in June and that was removed in August. Facebook sidesteps the App Store and rewards teenagers and adults to download the Research app and give it root access to network traffic in what may be a violation of Apple policy..."

Reportedly, the Research app collected massive amounts of information: private messages in social media apps, chats from instant messaging apps, photos/videos sent to others, emails, web searches, web browsing activity, and geo-location data. So, a very intrusive app. And, after being forced to remove one intrusive app from Apple's store, Facebook continued anyway -- with another app that performed the same function. Not good.

Second, there is the moral issue of using the youngest users as spies... persons who arguably have the least experience and skill at reading complex documents: corporate terms-of-use and privacy policies. I wonder how many teenagers notified their friends of the spying and data collection. How many teenagers fully understood what they were doing? How many parents were aware of the activity and payments? How many parents notified the parents of their children's friends? How many teens installed the spyware on both their iPhones and iPads? Lots of unanswered questions.

Third, Apple responded quickly. TechCrunch reported Wednesday morning:

"... Apple blocked Facebook’s Research VPN app before the social network could voluntarily shut it down... Apple tells TechCrunch that yesterday evening it revoked the Enterprise Certificate that allows Facebook to distribute the Research app without going through the App Store."

Facebook's usage of the Enterprise Certificate is significant. TechCrunch also published a statement by Apple:

"We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization... Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked..."

So, the Research app violated Apple's policy. Not good. The app also performs similar functions as the banned Onavo VPN app. Worse. This sounds like an end-run to me. So, as punishment for its end-run actions, Apple temporarily disabled the certificates for Facebook's internal corporate apps.

Axios described very well Facebook's behavior:

"Facebook took a program designed to let businesses internally test their own app and used it to monitor most, if not everything, a user did on their phone — a degree of surveillance barred in the official App Store."

And the animated Facebook image in the Axios article sure looks like a liar-liar-logo-on-fire image. LOL! Pure gold! Seriously, Facebook's behavior indicates questionable ethics, and/or an expectation of not getting caught. Reportedly, the internal apps which were shut down included shuttle schedules, campus maps, and company calendars. After that, some Facebook employees discussed quitting.

And, it raises more questions. Which Facebook executives approved Project Atlas? What advice did Facebook's legal staff provide prior to approval? Was that advice followed or ignored?

Fourth, TechCrunch also reported:

"Facebook’s Research program will continue to run on Android."

What? So, Google devices were involved, too. Is this spy program okay with Google executives? A follow-up report on Wednesday by TechCrunch:

"Google has been running an app called Screenwise Meter, which bears a strong resemblance to the app distributed by Facebook Research that has now been barred by Apple... Google invites users aged 18 and up (or 13 if part of a family group) to download the app by way of a special code and registration process using an Enterprise Certificate. That’s the same type of policy violation that led Apple to shut down Facebook’s similar Research VPN iOS app..."

Oy! So, Google operates like Facebook. Also reported by TechCrunch:

"The Screenwise Meter iOS app should not have operated under Apple’s developer enterprise program — this was a mistake, and we apologize. We have disabled this app on iOS devices..."

So, Google will terminate its spy program on Apple devices, but continue its own program with Facebook. Hmmmmm. Well, that answers some questions. I guess Google executives are okay with this spy program. More questions remain.

Fifth, Facebook tried to defend the Research app and its actions in an internal memo to employees. On Thursday, TechCrunch tore apart the claims in an internal Facebook memo from vice president Pedro Canahuati. Chiefly:

"Facebook claims it didn’t hide the program, but it was never formally announced like every other Facebook product. There were no Facebook Help pages, blog posts, or support info from the company. It used intermediaries Applause and CentreCode to run the program under names like Project Atlas and Project Kodiak. Users only found out Facebook was involved once they started the sign-up process and signed a non-disclosure agreement prohibiting them from discussing it publicly... Facebook claims it wasn’t “spying,” yet it never fully laid out the specific kinds of information it would collect. In some cases, descriptions of the app’s data collection power were included in merely a footnote. The program did not specify data types gathered, only saying it would scoop up “which apps are on your phone, how and when you use them” and “information about your internet browsing activity.” The parental consent form from Facebook and Applause lists none of the specific types of data collected..."

So, Research app participants (e.g., teenagers, parents) couldn't discuss nor warn their friends (and their friends' parents) about the data collection. I strongly encourage everyone to read the entire TechCrunch analysis. It is eye-opening.

Sixth, a reader shared concerns about whether Facebook's actions violated federal laws. Did Project Atlas violate the Digital Millennium Copyright Act (DMCA); specifically the "anti-circumvention" provision, which prohibits avoiding the security protections in software? Did it violate the Computer Fraud and Abuse Act? What about breach-of-contract and fraud laws? What about states' laws? So, one could ask similar questions about Google's actions, too.

I am not an attorney. Hopefully, some attorneys will weigh in on these questions. Probably, some skilled attorneys will investigate various legal options.

All of this is very disturbing. Is this what consumers can expect of Silicon Valley firms? Is this the best tech firms can do? Is this the low level the United States has sunk to? Kudos to the TechCrunch staff for some excellent reporting.

What are your opinions of Project Atlas? Of Facebook's behavior? Of Google's?


Google Fined 50 Million Euros For Violations Of New European Privacy Law

Google has been fined 50 million Euros (about U.S. $57 million) under the new European privacy law for failing to properly disclose to users how their data is collected and used for targeted advertising. The European Union's General Data Protection Regulation (GDPR), which went into effect in May 2018, gives EU residents more control over their information and how companies use it.

After receiving two complaints last year from privacy-rights groups, France's National Data Protection Commission (CNIL) announced earlier this month:

"... CNIL carried out online inspections in September 2018. The aim was to verify the compliance of the processing operations implemented by GOOGLE with the French Data Protection Act and the GDPR by analysing the browsing pattern of a user and the documents he or she can have access, when creating a GOOGLE account during the configuration of a mobile equipment using Android. On the basis of the inspections carried out, the CNIL’s restricted committee responsible for examining breaches of the Data Protection Act observed two types of breaches of the GDPR."

The first violation involved transparency failures:

"... information provided by GOOGLE is not easily accessible for users. Indeed, the general structure of the information chosen by the company does not enable to comply with the Regulation. Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information. The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions... some information is not always clear nor comprehensive. Users are not able to fully understand the extent of the processing operations carried out by GOOGLE. But the processing operations are particularly massive and intrusive because of the number of services offered (about twenty), the amount and the nature of the data processed and combined. The restricted committee observes in particular that the purposes of processing are described in a too generic and vague manner..."

So, important information is buried and scattered across several documents making it difficult for users to access and to understand. The second violation involved the legal basis for personalized ads processing:

"... GOOGLE states that it obtains the user’s consent to process data for ads personalization purposes. However, the restricted committee considers that the consent is not validly obtained for two reasons. First, the restricted committee observes that the users’ consent is not sufficiently informed. The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent. For example, in the section “Ads Personalization”, it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations (Google search, Youtube, Google home, Google maps, Playstore, Google pictures, etc.) and therefore of the amount of data processed and combined."

"[Second], the restricted committee observes that the collected consent is neither “specific” nor “unambiguous.” When an account is created, the user can admittedly modify some options associated to the account by clicking on the button « More options », accessible above the button « Create Account ». It is notably possible to configure the display of personalized ads. That does not mean that the GDPR is respected. Indeed, the user not only has to click on the button “More options” to access the configuration, but the display of the ads personalization is moreover pre-ticked. However, as provided by the GDPR, consent is “unambiguous” only with a clear affirmative action from the user (by ticking a non-pre-ticked box for instance). Finally, before creating an account, the user is asked to tick the boxes « I agree to Google’s Terms of Service» and « I agree to the processing of my information as described above and further explained in the Privacy Policy» in order to create the account. Therefore, the user gives his or her consent in full, for all the processing operations purposes carried out by GOOGLE based on this consent (ads personalization, speech recognition, etc.). However, the GDPR provides that the consent is “specific” only if it is given distinctly for each purpose."

So, not only is important information buried and scattered across multiple documents (again), but also critical boxes for users to give consent are pre-checked when they shouldn't be.

CNIL explained its reasons for the massive fine:

"The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent. Despite the measures implemented by GOOGLE (documentation and configuration tools), the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations... Moreover, the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement..."

This is the largest fine, so far, under the GDPR. Reportedly, Google will appeal the fine:

"We've worked hard to create a GDPR consent process for personalised ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing... We're also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond... For all these reasons, we've now decided to appeal."

This is not the first EU fine for Google. CNet reported:

"Google is no stranger to fines under EU laws. It's currently awaiting the outcome of yet another antitrust investigation -- after already being slapped with a $5 billion fine last year for anticompetitive Android practices and a $2.7 billion fine in 2017 over Google Shopping."


Companies Want Your Location Data. Recent Examples: The Weather Channel And Burger King

Weather Channel logo It is easy to find examples where companies use mobile apps to collect consumers' real-time GPS location data, so they can archive and resell that information later for additional profits. First, ExpressVPN reported:

"The city of Los Angeles is suing the Weather Company, a subsidiary of IBM, for secretly mining and selling user location data with the extremely popular Weather Channel App. Stating that the app unfairly manipulates users into enabling their location settings for more accurate weather reports, the lawsuit affirms that the app collects and then sells this data to third-party companies... Citing a recent investigation by The New York Times that revealed more than 75 companies silently collecting location data (if you haven’t seen it yet, it’s worth a read), the lawsuit is basing its case on California’s Unfair Competition Law... the California Consumer Privacy Act, which is set to go into effect in 2020, would make it harder for companies to blindly profit off customer data... This lawsuit hopes to fine the Weather Company up to $2,500 for each violation of the Unfair Competition Law. With more than 200 million downloads and a reported 45+ million users..."

Long-term readers remember that a data breach in 2007 at IBM Inc. prompted this blog. It's not only internet service providers that collect consumers' location data. Advertisers, retailers, and data brokers want it, too.

Burger King logo Second, Burger King last month ran a national "Whopper Detour" promotion which offered customers a one-cent Whopper burger if they went near a competitor's store. News 5, the ABC News affiliate in Cleveland, reported:

"If you download the Burger King mobile app and drive to a McDonald’s store, you can get the penny burger until December 12, 2018, according to the fast-food chain. You must be within 600 feet of a McDonald's to claim your discount, and no, McDonald's will not serve you a Whopper — you'll have to order the sandwich in the Burger King app, then head to the nearest participating Burger King location to pick it up. More information about the deal can be found on the app on Apple and Android devices."

Next, the relevant portions from Burger King's privacy policy for its mobile apps (emphasis added):

"We collect information you give us when you use the Services. For example, when you visit one of our restaurants, visit one of our websites or use one of our Services, create an account with us, buy a stored-value card in-restaurant or online, participate in a survey or promotion, or take advantage of our in-restaurant Wi-Fi service, we may ask for information such as your name, e-mail address, year of birth, gender, street address, or mobile phone number so that we can provide Services to you. We may collect payment information, such as your credit card number, security code and expiration date... We also may collect information about the products you buy, including where and how frequently you buy them... we may collect information about your use of the Services. For example, we may collect: 1) Device information - such as your hardware model, IP address, other unique device identifiers, operating system version, and settings of the device you use to access the Services; 2) Usage information - such as information about the Services you use, the time and duration of your use of the Services and other information about your interaction with content offered through a Service, and any information stored in cookies and similar technologies that we have set on your device; and 3) Location information - such as your computer’s IP address, your mobile device’s GPS signal or information about nearby WiFi access points and cell towers that may be transmitted to us..."

So, for the low, low price of one hamburger, participants in this promotion gave RBI, the parent company which owns Burger King, ongoing access to their real-time location data. And, since RBI knows when, where, and how long its customers visit competitors' fast-food stores, it also knows similar details about everywhere else they go -- including school, work, doctors, hospitals, and more. Sweet deal for RBI. A poor deal for consumers.

Expect to see more corporate promotions like this, which privacy advocates call "surveillance capitalism."

Consumers' real-time location data is very valuable. Don't give it away for free. If you decide to share it, demand a fair, ongoing payment in exchange. Read privacy and terms-of-use policies before downloading mobile apps, so you don't get abused or taken. Opinions? Thoughts?


The Privacy And Data Security Issues With Medical Marijuana

In the United States, some states have enacted legislation making medical marijuana legal -- despite it being illegal at a federal level. This situation presents privacy issues for both retailers and patients.

In her "Data Security And Privacy" podcast series, privacy consultant Rebecca Herold (@PrivacyProf) interviewed a patient cannabis advocate about privacy and data security issues:

"Most people assume that their data is safe in cannabis stores & medical cannabis dispensaries. Or they believe if they pay in cash there will be no record of their cannabis purchase. Those are incorrect beliefs. How do dispensaries secure & share data? Who WANTS that data? What security is needed? Some in government, law enforcement & employers want data about state legal marijuana and medical cannabis purchases. Michelle Dumay, Cannabis Patient Advocate, helps cannabis dispensaries & stores to secure their customers’ & patients’ data & privacy. Michelle learned through experience getting treatment for her daughter that most medical cannabis dispensaries are not compliant with laws governing the security and privacy of patient data... In this episode, we discuss information security & privacy practices of cannabis shops, risks & what needs to be done when it comes to securing data and understanding privacy laws."

Many consumers know that the Health Insurance Portability and Accountability Act (HIPAA) governs how patients' privacy is protected and the businesses which must comply with that law.

Poor data security (e.g., data breaches, unauthorized recording of patients inside or outside of dispensaries) can result in the misuse of patients' personal and medical information by bad actors and others. Downstream consequences can be negative, such as employers using the data to decline job applications.

After listening to the episode, it seems reasonable for consumers to assume that traditional information industry players (e.g., credit reporting agencies, advertisers, data brokers, law enforcement, government intelligence agencies, etc.) all want marijuana purchase data. Note the use of "consumers," and not only "patients," since about 10 states have legalized recreational marijuana.

Listen to an encore presentation of the "Medical Cannabis Patient Privacy And Data Security" episode.


Report: Navient Tops List Of Student Loan Complaints

The Consumer Financial Protection Bureau (CFPB), a federal government agency in the United States, collects complaints about banks and other financial institutions. That includes lenders of student loans.

The CFPB and private-sector firms analyze these complaints, looking for patterns. Forbes magazine reported:

"The team at Make Lemonade analyzed these complaints [submitted during 2018], and found that there were 8,752 related to student loans. About 64% were related to federal student loans and 36% were related to private student loans. Nearly 67% of complaints were related to an issue with a student loan lender or student loan servicer."

"Navient, one of the nation's largest student loan servicers, ranked highest in terms of student loan complaints. In 2018, student loan borrowers submitted 4,032 complaints about Navient to the CFPB, which represents 46% of all student loan complaints. AES/PHEAA and Nelnet, two other major student loan servicers, received approximately 20% and 7%, respectively."

When looking for a student loan, wise consumers shop around and do their research, since some lenders are better than others. The Forbes article is very helpful as it contains links to additional resources and information for consumers.

Learn more about the CFPB and its complaints database designed to help consumers and regulators:


After Promises To Stop, Mobile Providers Continued Sales Of Location Data About Consumers. What You Can Do To Protect Your Privacy

Sadly, history repeats itself. First, the history: after getting caught selling consumers' real-time GPS location data without notice or consent, in 2018 mobile providers promised to stop the practice. The Ars Technica blog reported in June, 2018:

"Verizon and AT&T have promised to stop selling their mobile customers' location information to third-party data brokers following a security problem that leaked the real-time location of US cell phone users. Senator Ron Wyden (D-Ore.) recently urged all four major carriers to stop the practice, and today he published responses he received from Verizon, AT&T, T-Mobile USA, and Sprint... Wyden's statement praised Verizon for "taking quick action to protect its customers' privacy and security," but he criticized the other carriers for not making the same promise... AT&T changed its stance shortly after Wyden's statement... Senator Wyden recognized AT&T's change on Twitter and called on T-Mobile and Sprint to follow suit."

Kudos to Senator Wyden. The other mobile providers soon complied... sort of.

Second, some background: real-time location data is very valuable stuff. It indicates where you are as you (with your phone or other mobile devices) move about the physical world in your daily routine. No delays. No lag. Yes, there are appropriate uses for real-time GPS location data -- such as by law enforcement to quickly find a kidnapped person or child before further harm happens. But, do any and all advertisers need real-time location data about consumers? Data brokers? Others?

I think not. Domestic violence and stalking victims probably would not want their, nor their children's, real-time location data resold publicly. Most parents would not want their children's location data resold publicly. Most patients probably would not want their location data broadcast every time they visit their physician, specialist, rehab, or a hospital. Corporate executives, government officials, and attorneys conducting sensitive negotiations probably wouldn't want their location data collected and resold, either.

So, most consumers probably don't want their real-time location data resold publicly. Well, some of you make location-specific announcements via posts on social media. That's your choice, but I conclude that most people don't. Consumers want control over their location information so they can decide if, when, and with whom to share it. The mass collection and sales of consumers' real-time location data by mobile providers prevents choice -- and it violates persons' privacy.

Third, fast forward seven months. TechCrunch reported on January 9th:

"... new reporting by Motherboard shows that while [reseller] LocationSmart faced the brunt of the criticism [in 2018], few focused on the other big player in the location-tracking business, Zumigo. A payment of $300 and a phone number was enough for a bounty hunter to track down the participating reporter by obtaining his location using Zumigo’s location data, which was continuing to pay for access from most of the carriers. Worse, Zumigo sold that data on — like LocationSmart did with Securus — to other companies, like Microbilt, a Georgia-based credit reporting company, which in turn sells that data on to other firms that want that data. In this case, it was a bail bond company, whose bounty hunter was paid by Motherboard to track down the reporter — with his permission."

"Everyone seemed to drop the ball. Microbilt said the bounty hunter shouldn't have used the location data to track the Motherboard reporter. Zumigo said it didn't mind location data ending up in the hands of the bounty hunter, but still cut Microbilt's access. But nobody quite dropped the ball like the carriers, which said they would not share location data again."

The TechCrunch article rightly held offending mobile providers accountable. Example: T-Mobile's chief executive tweeted last year:

Then, Legere tweeted last week:

The right way? In my view, real-time location never should have been collected and resold. Almost a year after reports first surfaced, T-Mobile is finally getting around to stopping the practice and terminating its relationships with location data resellers -- two months from now. Why not announce this slow wind-down last year when the issue first surfaced? "Emergency assistance" is the reason we are supposed to believe. Yeah, right.

The TechCrunch article rightly took AT&T and Verizon to task, too. Good. I strongly encourage everyone to read the entire TechCrunch article.

What can consumers make of this? There seem to be several takeaways:

  1. Transparency is needed, since corporate privacy policies don't list all (or often any) business partners. This lack of transparency provides an easy way for mobile providers to resume location data sales without notice to anyone and without consumers' consent,
  2. Corporate executives will say anything in tweets/social media. A healthy dose of skepticism by consumers and regulators is wise,
  3. Consumers can't trust mobile providers. They are happy to make money selling consumers' real-time location data, regardless of consumers' desires not for our data to be collected and sold,
  4. Data brokers and credit reporting agencies want consumers' location data,
  5. To ensure privacy, consumers also must take action: adjust the privacy settings on your phones to limit or deny mobile apps access to your location data. I did. It's not hard. Do it today, and
  6. Oversight is needed, since a) mobile providers have, at best, sloppy to minimal oversight and internal processes to prevent location data sales; and b) data brokers and others are readily available to enable and facilitate location data transactions.

I cannot over-emphasize #5 above. What issues or takeaways do you see? What are your opinions about real-time location data?


Marriott Lowered The Number Of Guests Affected By Its Data Breach. Class Action Lawsuits Filed

Marriott International logo Important updates about the gigantic Marriott-Starwood data breach. The incident received more attention after security experts said that China's intelligence agencies may have been behind the cyberattack, which also targeted healthcare insurance companies.

Earlier this month, Marriott announced a lower number of guests affected:

"Working closely with its internal and external forensics and analytics investigation team, Marriott determined that the total number of guest records involved in this incident is less than the initial disclosure... Marriott now believes that the number of potentially involved guests is lower than the 500 million the company had originally estimated [in November, 2018]. Marriott has identified approximately 383 million records as the upper limit for the total number of guest records that were involved..."

The announcement also said that fewer than 383 million different persons were affected, because the database contained multiple records for the same guests. It also stated that about:

"... 5.25 million unencrypted passport numbers were included in the information accessed by an unauthorized third party. The information accessed also includes approximately 20.3 million encrypted passport numbers... Marriott now believes that approximately 8.6 million encrypted payment cards were involved in the incident. Of that number, approximately 354,000 payment cards were unexpired as of September 2018..."

This is mixed news. Fewer breach victims is good news. The bad news: multiple database records for the same guests, and unencrypted passport numbers. Better, stronger data security always includes encrypting sensitive information at rest, and encrypting only the designated payment-card field offers no protection when the same numbers are typed into free-text fields. The announcement did not explain why some data was encrypted and some wasn't.

The hotel chain said that it will terminate its Starwood reservations database at the end of the year, and continue its post-breach investigation:

"While the payment card field in the data involved was encrypted, Marriott is undertaking additional analysis to see if payment card data was inadvertently entered into other fields and was therefore not encrypted. Marriott believes that there may be a small number (fewer than 2,000) of 15-digit and 16-digit numbers in other fields in the data involved that might be unencrypted payment card numbers. The company is continuing to analyze these numbers to better understand if they are payment card numbers and, if they are payment card numbers, the process it will put in place to assist guests."
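The "15-digit and 16-digit numbers in other fields" problem Marriott describes is a common one: operators type card numbers into notes or comment fields that were never meant to hold them, so field-level encryption misses them. Below is an added example of the triage a forensics team would run over such fields (example code written for this post, not Marriott's tooling). It finds 15- or 16-digit runs, strips separators, applies the Luhn check that real card numbers satisfy, and reports each hit masked so the report itself does not leak the number. The records, field names and guest IDs are constructed for illustration; a Luhn pass narrows the candidates but does not by itself prove a digit string is a card number.

```python
import re
from typing import Iterable, Mapping

# Constructed sample records (not real breach data). Only the "payment_card"
# field is assumed to be encrypted; the free-text fields are where stray
# card numbers tend to end up.
SAMPLE_RECORDS = [
    {"guest_id": "G-1001", "notes": "VIP, prefers high floor", "loyalty": "SPG 12345678"},
    {"guest_id": "G-1002", "notes": "card on file 4111 1111 1111 1111 per front desk", "loyalty": ""},
    {"guest_id": "G-1003", "notes": "confirmation 1234567890123456", "loyalty": ""},  # 16 digits, fails Luhn
    {"guest_id": "G-1004", "notes": "amex 3782-822463-10005", "loyalty": ""},         # 15 digits, passes Luhn
]

# 15 or 16 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run. Matches the "15-digit and 16-digit numbers"
# filter described in the announcement.
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){14,15}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn (mod 10) check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep BIN (first 6) and last 4, mask the rest, so reports don't leak PANs."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_candidate_pans(records: Iterable[Mapping[str, str]],
                        skip_fields: tuple = ("payment_card",)) -> list:
    """Scan every non-skipped string field for 15/16-digit runs.

    Returns one dict per hit: guest_id, field, masked digits, and whether the
    run passes Luhn. Luhn-passing hits are the ones to hand to the card
    brands and notify on; the rest are likely confirmation numbers or IDs.
    """
    hits = []
    for rec in records:
        for field, value in rec.items():
            if field in skip_fields or not isinstance(value, str):
                continue
            for m in DIGIT_RUN.finditer(value):
                digits = re.sub(r"[ -]", "", m.group(0))
                hits.append({
                    "guest_id": rec["guest_id"],
                    "field": field,
                    "masked": mask(digits),
                    "luhn_ok": luhn_ok(digits),
                })
    return hits


def triage(records: Iterable[Mapping[str, str]]) -> dict:
    """Split hits into 'review' (Luhn-valid) and 'unlikely' buckets."""
    hits = find_candidate_pans(records)
    return {
        "review": [h for h in hits if h["luhn_ok"]],
        "unlikely": [h for h in hits if not h["luhn_ok"]],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_RECORDS)
    for h in result["review"]:
        print(f"REVIEW   {h['guest_id']} {h['field']}: {h['masked']}")
    for h in result["unlikely"]:
        print(f"unlikely {h['guest_id']} {h['field']}: {h['masked']}")
```

In practice the scan would run against a database export rather than an in-memory list, and the Luhn-valid hits would still be confirmed against the card brands' issuer ranges before anyone is notified; the point is that a field-level encryption policy has to be paired with a scan like this, or the "small number" of stray card numbers is never found.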

Also, the hotel chain admitted during its January 4th announcement that it still wasn't fully ready to help affected guests:

"Marriott is putting in place a mechanism to enable its designated call center representatives to refer guests to the appropriate resources to enable a look up of individual passport numbers to see if they were included in this set of unencrypted passport numbers. Marriott will update its designated website for this incident (https://info.starwoodhotels.com) when it has this capability in place."

In related news, about 150 former guests have sued Marriott. Vox reported that a class-action lawsuit:

"... was filed in Maryland federal district court on January 9, claims that Marriott did not adequately protect guest information before the breach and, once the breach had been discovered, "failed to provide timely, accurate, and adequate notice" to guests whose information may have been obtained by hackers... According to the suit, Marriott's purchase of the Starwood properties is part of the problem. "This breach had been going on since 2014. In conducting due diligence to acquire Starwood, Marriott should have gone through and done an accounting of the cybersecurity of Starwood," Amy Keller, an attorney at DiCello Levitt & Casey who is representing the Marriott guests, told Vox... According to a December report by the Wall Street Journal, Marriott could have caught the breach years earlier."

At least one other class-action lawsuit has been filed by breach victims.


Samsung Phone Owners Unable To Delete Facebook And Other Apps. Anger And Privacy Concerns Result

Some consumers have learned that they can't delete Facebook and other mobile apps from their Samsung smartphones. Bloomberg described one consumer's experiences:

"Winke bought his Samsung Galaxy S8, an Android-based device that comes with Facebook’s social network already installed, when it was introduced in 2017. He has used the Facebook app to connect with old friends and to share pictures of natural landscapes and his Siamese cat -- but he didn’t want to be stuck with it. He tried to remove the program from his phone, but the chatter proved true -- it was undeletable. He found only an option to "disable," and he wasn’t sure what that meant."

Samsung phones operate using Google's Android operating system (OS). The "chatter" refers to online complaints by Samsung phone owners. There were plenty of complaints, ranging from snarky:

To informative:

And:

Some persons shared their (understandable) anger:

One person reminded consumers of bigger issues with Android OS phones:

And, that privacy concern still exists. Sophos Labs reported:

"Advocacy group Privacy International announced the findings in a presentation at the 35th Chaos Computer Congress late last month. The organization tested 34 apps and documented the results, as part of a downloadable report... 61% of the apps tested automatically tell Facebook that a user has opened them. This accompanies other basic event data such as an app being closed, along with information about their device and suspected location based on language and time settings. Apps have been doing this even when users don’t have a Facebook account, the report said. Some apps went far beyond basic event information, sending highly detailed data. For example, the travel app Kayak routinely sends search information including departure and arrival dates and cities, and numbers of tickets (including tickets for children)."

After multiple data breaches and privacy snafus, some Facebook users have decided to either quit the Facebook mobile app or quit the service entirely. Now, some Samsung phone users have learned that quitting can be more difficult, and they don't have as much control over their devices as they thought.

How did this happen? Bloomberg explained:

"Samsung, the world’s largest smartphone maker, said it provides a pre-installed Facebook app on selected models with options to disable it, and once it’s disabled, the app is no longer running. Facebook declined to provide a list of the partners with which it has deals for permanent apps, saying that those agreements vary by region and type... consumers may not know if Facebook is pre-loaded unless they specifically ask a customer service representative when they purchase a phone."

Not good. So, now we know that there are two classes of mobile apps: 1) pre-installed and 2) permanent. Pre-installed apps come on new devices. Some pre-installed apps can be deleted by users. Permanent mobile apps are pre-installed apps which cannot be removed/deleted by users. Users can only disable permanent apps.

Sadly, there's more and it's not only Facebook. Bloomberg cited other agreements:

"A T-Mobile US Inc. list of apps built into its version of the Samsung Galaxy S9, for example, includes the social network as well as Amazon.com Inc. The phone also comes loaded with many Google apps such as YouTube, Google Play Music and Gmail... Other phone makers and service providers, including LG Electronics Inc., Sony Corp., Verizon Communications Inc. and AT&T Inc., have made similar deals with app makers..."

This is disturbing. There seem to be several issues:

  1. Notice: consumers should be informed before purchase of any and all phone apps which can't be removed. The presence of permanent mobile apps suggests either a lack of notice, notice buried within legal language of phone manufacturers' user agreements, or both.
  2. Privacy: "disabled" is Samsung's word, and users have no easy way to confirm what it means on their device. An app that is merely hidden rather than stopped could still collect GPS location and device information in the background and transmit it to the app maker or manufacturer. Hopefully, some enterprising technicians or testing labs will verify independently whether "disabled" permanent mobile apps have truly stopped running and stopped sending data.
  3. Transparency: phone manufacturers should explain and publish their lists of partners with both pre-installed and permanent app agreements -- for each device model. Otherwise, consumers cannot make informed purchase decisions about phones.
  4. Scope: the Samsung-Facebook pre-installed app agreement raises questions about other devices with permanent apps: phones, tablets, laptops, smart televisions, and automotive vehicles. Perhaps, some independent testing by Consumer Reports can determine a full list of devices with permanent apps.
  5. Nothing is free. Pre-installed app agreements indicate another method which device manufacturers use to make money, by collecting and sharing consumers' data with other tech companies.

The bottom line is trust. Consumers have more valid reasons to distrust some device manufacturers and OS developers. What issues do you see? What are your thoughts about permanent mobile apps?


Pennsylvania Ruling May Help Plaintiffs in Class Action Lawsuits About Data Breaches

An article in the Lexology site by attorneys at Thompson Coburn LLP provides an important update about class-action lawsuits in Pennsylvania regarding data breaches and data security:

"One of the most insurmountable barriers for security breach class action plaintiffs has been the ability to show concrete damages. In order to bring a lawsuit, fundamentally, plaintiffs must have standing to sue. In federal court, this standing to sue is governed by Article III of the U.S. Constitution. The U.S. Supreme Court has articulated standing to sue as requiring (1) injury in fact, (2) fairly traceable to the defendant’s conduct, (3) that is likely redressed by a favorable decision... Proving a concrete and particularized injury therefore becomes difficult for plaintiffs... since it often becomes an individualized analysis of harms. Many state courts follow similar standing requirements as those articulated by the federal courts..."

The case involved a class-action lawsuit by employees against their employer, the University of Pittsburgh Medical Center (UPMC). The suit alleged that the sensitive personal and financial information for 62,000 current and former employees had been stolen, and that:

"... UPMC breached an implied contract and was negligent by failing to implement adequate security measures to safeguard information relating to employees."

The claims were dismissed by a trial court. The employees appealed that decision, and the appellate court agreed with the trial court's decision. The good news:

"... the Pennsylvania Supreme Court concluded the lower courts erred in determining UPMC did not owe a duty to safeguard the employees’ personal information and that the economic loss doctrine barred the negligence claim... While the Pennsylvania decision affects only Pennsylvania for the time being, anyone that collects or stores personal information should be aware that this could signal a new tide for security breach plaintiffs..."


If You're Over 50, Chances Are The Decision To Leave a Job Won't Be Yours

[Editor's note: today's guest post, by reporters at ProPublica, discusses workplace discrimination. It is reprinted with permission. Older than 50? Some of the employment experiences below may be familiar. Younger than 50? Save as much money as you can -- now.]

By Peter Gosselin, ProPublica

Tom Steckel hunched over a laptop in the overheated basement of the state Capitol building in Pierre, South Dakota, early last week, trying to figure out how a newly awarded benefit claims contract will make it easier for him to do his job. Steckel is South Dakota's director of employee benefits. His department administers programs that help the state's 13,500 public employees pay for health care and prepare for retirement.

It’s steady work and, for that, Steckel, 62, is grateful. After turning 50, he was laid off three times before landing his current position in 2014, weathering unemployment stints of up to eight months. When he started, his $90,000-a-year salary was only 60 percent of what he made at his highest-paying job. Even with a subsequent raise, he’s nowhere close to matching his peak earnings.

Money is hardly the only trade-off Steckel has made to hang onto the South Dakota post.

He spends three weeks of every four away from his wife, Mary, and the couple’s three children, who live 700 miles away in Plymouth, Wisconsin, in a house the family was unable to sell for most of the last decade.

Before Christmas, he set off late on Dec. 18 for the 11-hour drive home. After the holiday was over, he drove back to Pierre. "I'm glad to be employed," he said, "but this isn't what I would have planned for this point in my life."

Many Americans assume that by the time they reach their 50s they’ll have steady work, time to save and the right to make their own decisions about when to retire. But as Steckel’s situation suggests, that’s no longer the reality for many — indeed, most — people.

ProPublica and the Urban Institute, a Washington think tank, analyzed data from the Health and Retirement Study, or HRS, the premier source of quantitative information about aging in America. Since 1992, the study has followed a nationally representative sample of about 20,000 people from the time they turn 50 through the rest of their lives.

Through 2016, our analysis found that between the time older workers enter the study and when they leave paid employment, 56 percent are laid off at least once or leave jobs under such financially damaging circumstances that it’s likely they were pushed out rather than choosing to go voluntarily.

Only one in 10 of these workers ever again earns as much as they did before their employment setbacks, our analysis showed. Even years afterward, the household incomes of over half of those who experience such work disruptions remain substantially below those of workers who don’t.

“This isn’t how most people think they’re going to finish out their work lives,” said Richard Johnson, an Urban Institute economist and veteran scholar of the older labor force who worked on the analysis. “For the majority of older Americans, working after 50 is considerably riskier and more turbulent than we previously thought.”

The HRS is based on employee surveys, not employer records, so it can’t definitively identify what’s behind every setback, but it includes detailed information about the circumstances under which workers leave jobs and the consequences of these departures.

We focused on workers who enter their 50s with stable, full-time jobs and who’ve been with the same employer for at least five years — those who HRS data and other economic studies show are least likely to encounter employment problems. We considered only separations that result in at least six months of unemployment or at least a 50 percent drop in earnings from pre-separation levels.

Then, we sorted job departures into voluntary and involuntary and, among involuntary departures, distinguished between those likely driven by employers and those resulting from personal issues, such as poor health or family problems. (See the full analysis here.)

We found that 28 percent of stable, longtime employees sustain at least one damaging layoff by their employers between turning 50 and leaving work for retirement.

“We’ve known that some workers get a nudge from their employers to exit the work force and some get a great big kick,” said Gary Burtless, a prominent labor economist with the Brookings Institution in Washington. “What these results suggest is that a whole lot more are getting the great big kick.”

An additional 13 percent of workers who start their 50s in long-held positions unexpectedly retire under conditions that suggest they were forced out. They begin by telling survey takers they plan to keep working for many years, but, within a couple of years, they suddenly announce they’ve retired, amid a substantial drop in earnings and income.

Jeffrey Wenger, a senior labor economist with the RAND Corp., said some of these people likely were laid off, but they cover it up by saying they retired. “There’s so much social stigma around being separated from work,” he said, “even people who are fired or let go will say they retired to save face.”

Finally, a further 15 percent of over-50 workers who begin with stable jobs quit or leave them after reporting that their pay, hours, work locations or treatment by supervisors have deteriorated. These, too, indicate departures that may well not be freely chosen.

Taken together, the scale of damage sustained by older workers is substantial. According to the U.S. Census Bureau, there are currently 40 million Americans age 50 and older who are working. Our analysis of the HRS data suggests that as many as 22 million of these people have or will suffer a layoff, forced retirement or other involuntary job separation. Of these, only a little over 2 million have recovered or will.

“These findings tell us that a sizable percentage, possibly a majority, of workers who hold career jobs in their 50s will get pushed out of those jobs on their way to retirement,” Burtless said. “Yes, workers can find jobs after a career job comes to an early, unexpected end. But way too often, the replacement job is a whole lot worse than the career job. This leaves little room for the worker to rebuild.”

When you add in those forced to leave their jobs for personal reasons such as poor health or family trouble, the share of Americans pushed out of regular work late in their careers rises to almost two-thirds. That’s a far cry from the voluntary glide path to retirement that most economists assume, and many Americans expect.

Steckel knows a lot about how tough the labor market can be for older workers, and not just because of his own job losses. He’s spent much of his career in human resources, often helping employers show workers — including many, like him, over 50 — the door.

In most instances, he said he’s understood the business rationale for the cuts. Employers need to reduce costs, boost profits and beat the competition. But he also understands the frustration and loss of control older workers feel at having their experience work against them and their expectations come undone.

“Nobody plans to lose their job. If there’s work to do and you’re doing it, you figure you’ll get to keep doing it,” he said recently. But once employers start pushing people out, no amount of hard work will save you, he added, and “nothing you do at your job really prepares you for being out” of work.

For 50 years, it has been illegal under the federal Age Discrimination in Employment Act, or ADEA, for employers to treat older workers differently than younger ones with only a few exceptions, such as when a job requires great stamina or quick reflexes.

For decades, judges and policymakers treated the age law’s provisions as part and parcel of the nation’s fundamental civil rights guarantee against discrimination on the basis of race, sex, ethnic origin and other categories.

But in recent years, employers’ pleas for greater freedom to remake their workforces to meet global competition have won an increasingly sympathetic hearing. Federal appeals courts and the U.S. Supreme Court have reacted by widening the reach of the ADEA’s exceptions and restricting the law’s protections.

Meanwhile, most employers have stopped offering traditional pensions, which once delivered a double-barreled incentive for older workers to retire voluntarily: maximum payouts for date-certain departures and the assurance that benefits would last as long as the people receiving them. That’s left workers largely responsible for financing their own retirements and many in need of continued work.

“There’s no safe haven in today’s labor market,” said Carl Van Horn, a public policy professor and director of the Heldrich Center for Workforce Development at Rutgers University in New Jersey. “Even older workers who have held jobs with the same employer for decades may be laid off without warning” or otherwise cut.

In a story this year, ProPublica described how IBM has forced out more than 20,000 U.S. workers aged 40 and over in just the past five years in order to, in the words of one internal company planning document, “correct seniority mix.” To accomplish this, the company used a combination of layoffs and forced retirements, as well as tactics such as mandatory relocations seemingly designed to push longtime workers to quit.

In response, IBM issued a statement that said, in part, “We are proud of our company and our employees’ ability to reinvent themselves era after era, while always complying with the law.”

As an older tech firm trying to keep up in what’s seen as a young industry, IBM might seem unique, but our analysis of the HRS data suggests the company is no outlier in how it approaches shaping its workforce.

The share of U.S. workers who’ve suffered financially damaging, employer-driven job separations after age 50 has risen steadily from just over 10 percent in 1998 to almost 30 percent in 2016, the analysis shows.

The turbulence experienced by older workers is about the same regardless of their income, education, geography or industry.

Some 58 percent of those with high school educations who reach their 50s working steadily in long-term jobs subsequently face a damaging layoff or other involuntary separation. Yet more education provides little additional protection; 55 percent of those with college or graduate degrees experience similar job losses.

Across major industrial sectors and regions of the country, more than half of older workers experience involuntary separations. The same is true across sexes, races and ethnicities, although a larger share of older African-American and Hispanic workers than whites are forced out of work by poor health and family crises, the data shows. This could indicate that minority workers are more likely to have jobs that take a bigger toll on health.

Once out, older workers only rarely regain the income and stability they once enjoyed.

Jaye Crist, 58, of Lancaster, Pennsylvania, was a mid-level executive with printing giant RR Donnelley until his May 2016 layoff. Today, he supports his family on less than half his previous $100,000-a-year salary, working 9 a.m. to 5 p.m. at a local print shop, 7 p.m. to 2 a.m. at the front desk of a Planet Fitness gym and bartending on Sundays.

Linda Norris, 62, of Nashua, New Hampshire, earned a similar amount doing engineering work for defense contractors before being laid off in late 2015. She spent much of 2016 campaigning for then-candidate Donald Trump and is convinced her fortunes will change now that he’s president. In the meantime, she hasn’t been able to find a permanent full-time job and said she has $25 to her name.

The HRS is widely considered the gold standard for information about the economic lives and health of older Americans. It’s funded by the National Institutes of Health and the Social Security Administration and is administered by the University of Michigan. It has been cited in thousands of academic papers and has served as the basis for a generation of business and government policymaking.

Our analysis suggests that some of those policies, as well as a good deal of what analysts and advocates focus on when it comes to aging, don’t grapple with the key challenges faced by working Americans during the last third or so of their lives.

Much public discussion of aging focuses on Social Security, Medicare and how to boost private retirement savings. But our analysis shows that many, perhaps most, older workers encounter trouble well before they’re eligible for these benefits and that their biggest economic challenge may be hanging onto a job that allows for any kind of savings at all.

“We’re talking about the wrong issues,” said Anne Colamosca, an economic commentator who co-authored one of the earliest critiques of tax-advantaged savings plans, “The Great 401(k) Hoax.” “Having a stable job with good wages is more important to most people than what’s in their 401(k). Getting to the point where you can collect Social Security and Medicare can be every bit as hard as trying to live on the benefits once you start getting them.”

Layoffs are the most common way workers over 50 get pushed out of their jobs, and more than a third of those who sustain one major involuntary departure go on to experience additional ones, as the last decade of Steckel’s work life illustrates.

Steckel spent 27 years with the U.S. affiliate of Maersk, the world’s largest container cargo company, working at several of its operations across the country. It was while managing a trucking terminal in Chicago that he met his wife, an MBA student who went on to become the marketing director at Thorek Memorial Hospital on the city’s North Side.

In the late 1990s, Steckel was promoted to a human resources position. It required the family to relocate to the company’s headquarters in northern New Jersey, but the salary — which, with bonuses, would eventually reach about $130,000 — allowed Mary to be a stay-at-home mom.

Steckel saw himself continuing to climb the company’s ranks, but as shipping technology changed and business slumped in the middle of the last decade, Maersk started consolidating operations and laying people off. Steckel flew around the country to notify employees, including some he knew personally.

“It was pretty hard not to notice that many — not all, but many — were over 50,” he said. A Maersk spokesman confirmed Steckel worked for the company but otherwise declined to comment.

In early 2007, Steckel, then 51, was laid off. He and Mary moved back to the Midwest, where the cost of living was lower and they had relatives.

Layoffs are common in the U.S. economy; there were 20.7 million of them last year alone, according to the Bureau of Labor Statistics. In most instances, those who lose their jobs find new ones quickly. Steckel certainly assumed he would.

But laid-off workers in their 50s and beyond are more apt than those in their 30s or 40s to be unemployed for long periods and land poorer subsequent jobs, the HRS data shows. “Older workers don’t lose their jobs any more frequently than younger ones,” said Princeton labor economist Henry Farber, “but when they do, they’re substantially less likely to be re-employed.”

Steckel was out of work for eight months. The family made do, buoyed by generous severance pay and a short consulting contract. They did without dinners out, vacations or big purchases, but were basically okay.

Steckel was hired again in January 2008, this time as a benefits manager for Kohler, a manufacturer of bathroom fixtures. At about $90,000, his salary was 30 percent lower than what he’d made at Maersk, but Wisconsin was so affordable that the family was able to buy the house and five acres in Plymouth.

Kohler seemed like a safe bet. Many of its employees had never worked anywhere else, following their parents and grandparents into lifetime jobs with the company. But as Steckel started in his new position, the U.S. financial crisis cratered real estate and home construction and, with them, Kohler’s business.

This time, Steckel’s role in executing layoffs was explaining severance packages to the company’s shellshocked factory workers.

“Most of these people were in their late 40s and 50s and there was nothing out there for them,” he said. “They’d come in with their wives and some of them would break down and cry.”

After three years, Kohler’s problems leapt from the factory to the front office. Steckel, by then 54, was laid off again in April 2010. A Kohler spokeswoman did not reply to phone calls and emails.

Still the family’s sole breadwinner, with kids in fourth, eighth and ninth grades, he scrambled for new work and, after a string of interviews, landed a job just four months later as the manager of retirement plans at Alpha Natural Resources.

Alpha, in the coal mining business, was riding a double wave of demand from China and U.S. steel producers, snapping up smaller companies on its way to becoming an industry behemoth.

Steckel’s job was a big one, overseeing complicated, union-negotiated pensions and savings arrangements. At $145,000, the salary represented a substantial raise from what he’d been making at Kohler and was even more than he’d earned at Maersk. The Steckels relocated again, this time to the tiny southwest Virginia town of Abingdon.

“We started thinking: ‘This may be it. This is where we’ll stay,’” Mary Steckel said. “Then, all that changed.”

In January 2011, Alpha bought Massey Energy for $8.5 billion and with it the responsibility for reaching financial settlements with the families of 29 miners killed the previous year in an explosion at Massey’s Upper Big Branch mine in West Virginia. The combination of the settlement costs and a sustained fall in coal prices forced layoffs at Alpha and eventually led to the company’s bankruptcy.

Steckel struggled to collect decades of paper records on wages and years of service in order to calculate pension payments for laid-off miners, virtually all in their 50s and 60s. “There were no jobs for them, but they were owed [pension benefits] and they wanted their money yesterday,” he said. A spokesman for the successor company to Alpha, Contura Energy, did not return phone calls or emails.

Once again, he processed other employees’ layoffs right up until his own, in March 2013. He was 56. The Steckels packed the kids and the family’s belongings into their Mercury Sable station wagon and went back to Wisconsin.

There, Mary took a job at Oshkosh Defense, which builds Humvees and other equipment for the military. Tom was out of work almost six months before landing a consulting contract to work in Milwaukee with Harley-Davidson, the motorcycle maker.

If it had lasted, the position would have paid about $90,000, or about what he’d made at Kohler, and, for a time, it seemed possible that it might turn into a regular job. But it didn’t, and he was out again that December.

Unlike Steckel, Jean Potter of Dallas, Georgia, seemed to leave her longtime job at BellSouth by her own choice, taking early retirement in 2009, when she was 55.

But that wasn’t the full story, she said. Potter, who’d had a 27-year career with the telephone company, rising from operator services to pole-climbing line work to technical troubleshooting, said she only retired after hearing she was going to lose her $54,000-a-year job along with thousands of other employees being laid off as part of the company’s acquisition by AT&T.

Under the law, retirements are supposed to be voluntary decisions made by employees. The 1967 ADEA barred companies from setting a mandatory retirement age lower than 65. Congress raised that to 70 and then, in 1986, largely prohibited mandatory retirement at any age. Outraged by companies’ giving employees the unpalatable choice of retiring or getting laid off, lawmakers subsequently added a requirement that people’s retirement decisions must be “knowing and voluntary.”

Yet for almost two decades now, when HRS respondents who’ve recently retired have been asked whether their retirements were “something you wanted to do or something you felt forced into,” the share of those who’ve answered that they were forced or partially forced has risen steadily. The number of respondents saying this has grown from 33 percent in 1998 to 55 percent in 2014, the last year for which comparable figures are available.

“The expectation that American workers decide when they want to retire is no longer realistic for a significant number of older workers who are pushed out before they are ready to retire,” said Rutgers’ Van Horn.

Potter was convinced she’d secured money and benefits by leaving as a retiree that she would not otherwise have received. She felt better for making the decision herself and figured she’d go back to school, get a college degree and find a better job.

“I thought I’d gotten the drop on them by retiring,” she said.

But looking back, Potter acknowledges, her decision to retire was hardly freely chosen.

“If I had to do it over, I’d take early retirement again, but you can’t very well call it voluntary,” she said recently. “All the old people were toast. They were going to get laid off, me included.”

Jim Kimberly, a spokesman for AT&T, said the company could not confirm Potter’s employment at BellSouth because of privacy concerns. Speaking more generally, Kimberly said “We’re recognized for our longstanding commitment to diversity. We don’t tolerate discrimination based on an employee’s age.”

There was a time when older workers thought they could use early retirements as a stepping stone, locking in years of payments for leaving and then adding income from new jobs on top of that.

But many have discovered they can’t land comparable new jobs, or, in many cases, any jobs at all. In the decade since she left BellSouth, Potter, now 65, has yet to find stable, long-term work.

After getting her bachelor’s degree in Spanish in 2014, Potter applied to teach in the Cobb County, Georgia, public schools but could only get substitute work. She got certified to teach English as a second language but said she was told she’d need a master’s degree to land anything beyond temporary jobs.

She’s scheduled to receive her master’s degree next June. In the meantime, she tutors grade-school students in math, English and Spanish and works as a graduate assistant in the office of multicultural student affairs at Kennesaw State University. She makes do on $1,129 a month from Social Security and a graduate-student stipend of $634, while applying, so far unsuccessfully, for other work.

She’s applied for jobs selling cellphones in a mall, providing call-center customer service and even being a waitress at a Waffle House. For the Waffle House job, she said she was told she wouldn’t be hired because she’d just leave when she got a better offer.

“Isn’t that what every waitress does?” she recalled replying. “Why hire them and not me?”

As with retirements, our analysis of the HRS data shows that, among older workers, quitting a job isn’t always the voluntary act most people, including economists, assume it to be.

The survey asks why people leave their jobs, including when they quit. It includes questions about whether their supervisors encouraged the departure, whether their wages or hours were reduced prior to their exit and whether they thought they “would have been laid off” if they didn’t leave.

We found that even when we excluded all but the most consequential cases — those in which workers subsequently experienced at least six months of unemployment or a 50 percent wage decline — 15 percent of workers over 50 who’d had long-term, stable jobs quit or left their positions after their working conditions deteriorated or they felt pressured to do so.

Quitting a job carries far greater risk for older workers than for younger ones, both because it’s harder to get rehired and because there’s less time to make up for what’s lost in being out of work.

After a simmering disagreement with a supervisor, David Burns, 50, of Roswell, Georgia, quit his $90,000-a-year logistics job with a major shipping company last February. He figured that the combination of his education and experience and the fact that unemployment nationally is at a 20-year low assured that he’d easily land a new position. But 10 months on, he says he’s yet to receive a single offer of comparable work. To help bring in some money, he’s doing woodworking for $20 an hour.

Burns has an MBA from Georgia State University and two decades in shipping logistics. A quick scan of online job ads turns up dozens for logistics management positions like the one he had in the area where he lives.

When he’d last lost a job at the age of 35, he said it took him only a couple of months and four applications to get three offers and a new spot. But in the years since, he said, he seems to have crossed a line that he wasn’t aware existed, eliminating his appeal to employers.

He keeps a spreadsheet of his current efforts to find new work. Through November, it shows he filed 160 online job applications and landed 14 phone interviews, nine face-to-face meetings and zero offers.

“My skills are in high demand,” he said. “But what’s not in high demand is me, a 50-year-old dude!”

“People can quibble about exactly why this kind of thing is going on or what to do about it, but it’s going on.”

Meg Bourbonniere had a similar experience just as she seemingly had reached the pinnacle of a successful career.

Two weeks after being appointed to a $200,000-a-year directorship managing a group of researchers at Massachusetts General Hospital in Boston in March 2015, Bourbonniere, then 59, said her supervisor called with an odd question: When did she think she’d be retiring?

“I kept asking myself, ‘Why would that be important today?’” she recalled. “The only thing I could come up with was they think I’m too old for the job.”

After she answered, “I’ll be here as long as you are,” she said she ran into an array of problems on the job: her decisions were countermanded, she was given what she saw as an unfairly negative job review and she was put on a “personal improvement plan” that required her to step up her performance or risk dismissal. Finally, a year after being hired, she was demoted from director to nurse scientist, the title held by those she’d managed.

Michael Morrison, a spokesman for Mass General’s parent organization, Partners HealthCare, confirmed the dates of Bourbonniere’s employment but said there was nothing further he could share as the company doesn’t comment on individual employees.

Bourbonniere said she accepted the demotion because her husband was unemployed at the time. “I couldn’t not work,” she said. “I was the chief wage earner.”

Through a friend, she found out about an opening for an assistant professor of nursing at the University of Rhode Island that, at about $75,000, paid only a third as much as the Mass General job. She told the friend she’d apply on one condition. “I said she had to tell the dean how old I was so I wouldn’t go through the same experience all over again.”

On paper, Bourbonniere quit Mass General of her own accord to take the position at URI. But, in her eyes, there was nothing voluntary about the move. “I had to go find another job,” she said. “They demoted me; I couldn’t stay.”

Soon after Steckel’s consulting contract ended in late 2013, he got what he saw as a sharp reminder of the role age was playing in his efforts to get and keep a job.

While searching job sites on his computer, Steckel stumbled across what seemed like his dream job on LinkedIn. Business insurer CNA Financial was looking for an assistant vice president to head its employee benefits operation. Best yet, the position was at CNA’s Chicago headquarters, a mere 145 miles from Plymouth. He immediately applied.

The application asked for the year he’d graduated from college.

Older job seekers are almost universally counseled not to answer questions like this. The ADEA bars employers from putting age requirements in help-wanted ads, but as job searches have moved online, companies have found other ways to target or exclude applicants by age. Last year, ProPublica and The New York Times reported that employers were using platforms like Facebook to micro-target jobs ads to younger users. Companies also digitally scour resumes for age indicators, including graduation dates.

Steckel left the field in the CNA application blank, but when he pushed “submit,” the system kicked it back, saying it was incomplete. He reluctantly filled in 1978. This time, the system accepted the application and sent back an automated response that he was in the top 10 percent of applicants based on his LinkedIn resume.

Hours later, however, he received a second automated response saying CNA had decided to “move forward with other candidates.” The rejection rankled Steckel enough that he tracked down the email address of the CNA recruiter responsible for filling the slot.

“Apparently, CNA believes a college application date is so important that it is a mandatory element in your job application process,” his email to the recruiter said. “Please cite a credible, peer-reviewed study that affirms the value of the year and date of one’s college graduation as a valid and reliable predictor of job success.”

He never got an answer.

Contacted by ProPublica, CNA spokesman Brandon Davis did not respond to questions but issued a statement. “CNA adheres to all applicable federal, state and local employment laws, and our policy prohibits any form of discrimination,” it said.

Steckel landed his current job with the state of South Dakota in March 2014.

Going back and forth between Pierre and Plymouth since then, he’s driven the equivalent of once around the world. If, as he hopes, he can hang onto the position until he retires, he figures he’ll make it around a second time.

During his off hours in the spring, when he’s not with his family, he fishes in the Black Hills. In the fall, he goes out with his Mossberg 12-gauge shotgun and hunts duck. The loneliest months are January and February. That’s when the Legislature is in session, so he can’t go home, and it’s usually too cold to do much outside. He spends a lot of time at the Y.

A half-century ago, in a report that led to enactment of the ADEA, then-U.S. Labor Secretary W. Willard Wirtz said that half of all private-sector job ads at the time explicitly barred anyone over the age of 55 from applying and a quarter barred anyone over 45.

Wirtz lambasted the practice in terms that, although backward in their depiction of work as solely a male concern, still ring true for older workers like Steckel and their families.

“There is no harsher verdict in most men’s lives than someone else’s judgment that they are no longer worth their keep,” he wrote. “It is then, when the answer at the hiring gate is ‘You’re too old,’ that a man turns away … finding nothing to look backwards to with pride [or] forward to with hope.”

Asked how the years of job turmoil and now separation have affected her family, Mary Steckel resists anger or bitterness. “The children know they are loved by two parents, even if Tom is not always here,” she said. She doesn’t dwell on the current arrangement. “I just deal with it.”

As for Tom?

“He hasn’t admitted defeat,” Mary said, although something has changed. “He’s not hopeful anymore.”

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.


More Than One Billion Accounts Affected By Data Breaches During 2018

Now that 2019 is here, we can assess 2018. It was a terrible year for identity theft, privacy, and data breaches. Several corporations failed miserably to protect the data they archive about consumers. This included failures within websites and mobile apps. There were so many massive data breaches that it isn't a question of whether or not you were affected.

You were. NordVPN reviewed the failures during 2018:

"If your data wasn’t leaked in 2018, you’re lucky. The information of over a billion people was compromised in 2018 as many of the companies we trust failed to protect our data."

That's billion with a "b." NordVPN provides virtual private network (VPN) services. If you want to use the internet with privacy, a VPN is the way to go. That is especially important for residents of the United States, since the U.S. Federal Communications Commission (FCC) repealed in 2017 both broadband privacy and net neutrality protections for consumers. A December 2017 study of 1,077 voters found that most want net neutrality protections. President Trump signed the privacy-rollback legislation in April 2017. A prior blog post listed many historical abuses of consumers by some ISPs.

PC Magazine reviewed NordVPN earlier this month and concluded:

"... NordVPN has proved itself to be our top service for securing your online activities. The company now has more than 5,100 servers across the globe, making it the largest service we've yet tested. It also takes a strong stance on privacy for its customers and includes tools rarely seen in the competition."

The NordVPN article listed the major corporate data security failures during 2018. Frequent readers of this blog are familiar with the breaches. Chances are you use one or more of the services. Below is a partial list:

  • Marriott: 500 million accounts
  • Twitter: 330 million accounts
  • My Fitness Pal: 150 million accounts
  • Facebook: 147 million accounts
  • Quora: 100 million accounts
  • Firebase: 100 million accounts
  • Google+: 500,000 accounts
  • British Airways: 380,000 accounts

While Google is closing its Google+ service, that is little help for breach victims whose personal data is out in the wild. The massive Equifax breach affecting 145.5 million persons isn't on the list because it happened in 2017. It's important to remember Equifax because persons cannot opt out of Equifax, or any of the other credit reporting agencies. Ain't corporate welfare nice?

What can consumers do to protect themselves and their sensitive personal and payment information? NordVPN advised:

  1. "Use strong and unique passwords.
  2. Think twice before posting anything on social media. This information can be used against you.
  3. If you shop online, use a credit card. You will have less liability for fraudulent charges if your financial information leaks.
  4. Provide companies only with necessary information. The less information they have, the less they can leak.
  5. Look out for fraud. If notified that your data was leaked, change your passwords and take the steps advised by the company that compromised your data."

Well, there you go. That's a good starter list for consumers to protect themselves. Do it because your personal data is out in the wild. The only question is which bad actor is abusing it.


Dirty Tricks By Some Sellers At Amazon To Eliminate Competitors. Is Its Resolution System The Best Amazon Can Do?

Many consumers like shopping at Amazon.com. What you may not realize are the dirty tricks and scams among some sellers -- the individuals and firms who provide the products you purchase at the site. The Verge reported:

"When you buy something on Amazon, the odds are, you aren’t buying it from Amazon at all... They are largely hidden from customers, but behind any item for sale, there could be dozens of sellers, all competing for your click. This year, Marketplace sales were almost double those of Amazon retail itself, according to Marketplace Pulse, making the seller platform alone the largest e-commerce business in the US... "

Reportedly, there are 6 million sellers in Amazon Marketplace. So, there's plenty of competition. The Verge article described one dirty trick where a seller posted bogus 5-star reviews on a competitor's page within the site. When the bogus reviews were removed, the targeted seller was accused of falsely manipulating buyers' reviews -- a violation of the site's rules -- and suspended. The Verge described several attacks by scammers. Here's another:

"Scammers have effectively weaponized Amazon’s anti-counterfeiting program. Attacks have become so widespread that they’ve even pulled in the US Patent and Trademark Office... Scammers had begun swapping out the email addresses on their rival’s trademark files, which can be done without a password, and using the new email to register their competitor’s brand with Amazon, gaining control of their listings... Amazon appears not to check whether a listing belongs to a brand already enrolled in brand registry..."

No online shopper wants to buy products from a seller who has fraudulently taken over a valid seller's trademarks.

Punishment is harsh for violators within Amazon Marketplace: suspension, frozen funds, de-listing from the site, and an inability to sell products online. If the suspension lasts long enough or if reinstatement doesn't happen fast enough, bankruptcy can result. And all of this happens behind the scenes, unbeknownst to customers:

"For sellers, Amazon is a quasi-state. They rely on its infrastructure — its warehouses, shipping network, financial systems, and portal to millions of customers — and pay taxes in the form of fees. They also live in terror of its rules, which often change and are harshly enforced... Sellers are more worried about a case being opened on Amazon than in actual court, says Dave Bryant, an Amazon seller and blogger. Amazon’s judgment is swifter and less predictable, and now that the company controls nearly half of the online retail market in the US, its rulings can instantly determine the success or failure of your business, he says... Amazon already has something like a judicial system — one that is secretive, volatile, and often terrifying. Amazon’s judgments are so severe that its own rules have become the ultimate weapon in the constant warfare of Marketplace. Sellers devise all manner of intricate schemes to frame their rivals... They impersonate, copy, deceive, threaten, sabotage, and even bribe Amazon employees for information on their competitors."

So, rather than using the established, well-documented public courts and legal system, this happens secretly within a corporation's processes with some unintended consequences:

"... what’s a seller to do when they end up in Amazon court? They can turn to someone like Cynthia Stine, who is part of a growing industry of consultants who help sellers navigate the ruthless world of Marketplace and the byzantine rules by which Amazon governs it. They are like lawyers, only their legal code is the Amazon Terms of Service, their court is a secretive and semi-automated corporate bureaucracy..."

How byzantine? Consider:

"Many sellers can’t even figure out what Amazon is accusing them of. A suspension message will typically list an item along with a broad and tangentially related category of an infraction, like "used sold as new." Understandably, sellers respond by sending invoices that show that the items are, in fact, new. Actually, Stine says, the suspension usually has nothing to do with the item being used, but with something like a peeling label on the box. “The thing Amazon wants you to fix is the buyer perception,” Stine says... JC Hewitt, whose law firm frequently works with Amazon sellers, calls the system’s mandatory guilty pleas, arbitrary verdicts, and obscure language "a Kafkaesque bureaucracy with bad writing." Inscrutable rulings emerge as if from a black box. The Performance team, which handles suspensions, has no phone number; there’s no one to ask for clarification. The only way to interact with them is by filing an appeal, and when it’s rejected, sellers often have no idea why... The secrecy can be so frustrating that sellers have traveled to Seattle or Amazon’s London office to try to find a human, to no avail..."

Huh? What? I'll bet many Amazon customers don't know this. And the system seems to use a poor balance of automation and humans:

"... there were likely humans reading [a seller's] appeal, but they’re part of a highly automated bureaucracy, according to former Amazon employees. An algorithm flags sellers based on a range of metrics — customer complaints, number of returns, certain keywords used in reviews, and other, more mysterious variables — and passes them to Performance workers based in India, Costa Rica, and other locations. These workers choose between several prewritten blurbs to send to sellers. They may see what the actual problem is or the key item missing from an appeal, but they can’t be more specific than the forms allow... The Performance workers’ incentives favor rejection. They must process approximately one claim every four minutes, and reinstating someone who later gets suspended again counts against them..."

Is this the best system possible? Probably not. I hope not. My guess is many Amazon Prime customers would prefer a better system to resolve disputes between sellers. My guess is that most shoppers would want to avoid using sellers who abuse or frame other sellers. And no shoppers want to buy from a seller who has fraudulently taken over another seller's trademarks.

The situation raises several issues:

  • A private court system prevents Amazon customers from knowing about and avoiding sellers who abuse or frame other sellers
  • A private court system prevents external reviews and/or oversight by independent parties
  • An algorithm-based system may save money, but a poor balance of humans and automation causes problems. Is this the best system possible?
  • Amazon determines what's in its customers' best interests (versus disclosure and then feedback from customers)
  • There seem to be few penalties for sellers who frame or set up other sellers. What fix is underway?
  • The current system smells like a bloated monopoly. With some transparency and input, a better system seems possible... preferred.

What are your opinions? What issues do you see? Is a private court system a good thing?


A Series Of Recent Events And Privacy Snafus At Facebook Cause Multiple Concerns. Does Facebook Deserve Users' Data?

So much has happened lately at Facebook that it can be difficult to keep up with the data scandals, data breaches, privacy fumbles, and more at the global social service. To help, below is a review of recent events.

The New York Times reported on Tuesday, December 18th that for years:

"... Facebook gave some of the world’s largest technology companies more intrusive access to users’ personal data than it has disclosed, effectively exempting those business partners from its usual privacy rules... The special arrangements are detailed in hundreds of pages of Facebook documents obtained by The New York Times. The records, generated in 2017 by the company’s internal system for tracking partnerships, provide the most complete picture yet of the social network’s data-sharing practices... Facebook allowed Microsoft’s Bing search engine to see the names of virtually all Facebook users’ friends without consent... and gave Netflix and Spotify the ability to read Facebook users’ private messages. The social network permitted Amazon to obtain users’ names and contact information through their friends, and it let Yahoo view streams of friends’ posts as recently as this summer, despite public statements that it had stopped that type of sharing years earlier..."

According to the Reuters newswire, a Netflix spokesperson denied that Netflix had accessed Facebook users' private messages or had asked for that access. Facebook responded with denials the same day:

"... none of these partnerships or features gave companies access to information without people’s permission, nor did they violate our 2012 settlement with the FTC... most of these features are now gone. We shut down instant personalization, which powered Bing’s features, in 2014 and we wound down our partnerships with device and platform companies months ago, following an announcement in April. Still, we recognize that we’ve needed tighter management over how partners and developers can access information using our APIs. We’re already in the process of reviewing all our APIs and the partners who can access them."

Needed tighter management with its partners and developers? That's an understatement. During March and April of 2018 we learned that bad actors posed as researchers and used both quizzes and automated tools to vacuum up (and allegedly resell later) profile data for 87 million Facebook users. There's more news about this breach. The Office of the Attorney General for Washington, DC announced on December 19th that it has:

"... sued Facebook, Inc. for failing to protect its users’ data... In its lawsuit, the Office of the Attorney General (OAG) alleges Facebook’s lax oversight and misleading privacy settings allowed, among other things, a third-party application to use the platform to harvest the personal information of millions of users without their permission and then sell it to a political consulting firm. In the run-up to the 2016 presidential election, some Facebook users downloaded a “personality quiz” app which also collected data from the app users’ Facebook friends without their knowledge or consent. The app’s developer then sold this data to Cambridge Analytica, which used it to help presidential campaigns target voters based on their personal traits. Facebook took more than two years to disclose this to its consumers. OAG is seeking monetary and injunctive relief, including relief for harmed consumers, damages, and penalties to the District."

Sadly, there's still more. Facebook announced on December 14th another data breach:

"Our internal team discovered a photo API bug that may have affected people who used Facebook Login and granted permission to third-party apps to access their photos. We have fixed the issue but, because of this bug, some third-party apps may have had access to a broader set of photos than usual for 12 days between September 13 to September 25, 2018... the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post... we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers... Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users. We will also notify the people potentially impacted..."

We believe? That sounds like Facebook doesn't know for sure. Where was the quality assurance (QA) team on this? Who is performing the post-breach investigation to determine what happened so it doesn't happen again? This post-breach response seems sloppy. And, the "bug" description seems disingenuous. Anytime persons -- in this case developers -- have access to data they shouldn't have, it is a data breach.

One quickly gets the impression that Facebook has created so many niches, apps, APIs, and special arrangements for developers and advertisers that it really can't manage or control the data it collects about its users. That implies Facebook users aren't in control of their data, either.

There were other notable stumbles. There were reports of many users experiencing repeated bogus Friend Requests due to hacked and/or cloned accounts. It can be difficult for users to distinguish valid Friend Requests from spammers or bad actors masquerading as friends.

In August, reports surfaced that Facebook approached several major banks offering to share its detailed financial information about consumers in order, "to boost user engagement." Reportedly, the detailed financial information included debit/credit/prepaid card transactions and checking account balances. Not good.

Also in August, Facebook's Onavo VPN app was removed from the Apple App Store because the app violated data-collection policies. 9to5Mac reported on December 5th:

"The UK parliament has today publicly shared secret internal Facebook emails that cover a wide-range of the company’s tactics related to its free iOS VPN app that was used as spyware, recording users’ call and text message history, and much more... Onavo was an interesting effort from Facebook. It posed as a free VPN service/app labeled as Facebook’s “Protect” feature, but was more or less spyware designed to collect data from users that Facebook could leverage..."

Why spy? Why the deception? This seems unnecessary for a global social networking company already collecting massive amounts of content.

In November, an investigative report by ProPublica detailed the failures in Facebook's news transparency implementation. The failures mean Facebook hasn't made good on its promises to ensure trustworthy news content, nor stop foreign entities from using the social service to meddle in elections in democratic countries.

There is more. Facebook disclosed in October a massive data breach affecting 30 million users (emphasis added):

"For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birth date, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches..."

The stolen data allows bad actors to operate several types of attacks (e.g., spam, phishing, etc.) against Facebook users. The stolen data allows foreign spy agencies to collect useful information to target persons. Neither is good. Wired summarized the situation:

"Every month this year—and in some months, every week—new information has come out that makes it seem as if Facebook's big rethink is in big trouble... Well-known and well-regarded executives, like the founders of Facebook-owned Instagram, Oculus, and WhatsApp, have left abruptly. And more and more current and former employees are beginning to question whether Facebook's management team, which has been together for most of the last decade, is up to the task.

Technically, Zuckerberg controls enough voting power to resist and reject any moves to remove him as CEO. But the number of times that he and his number two Sheryl Sandberg have over-promised and under-delivered since the 2016 election would doom any other management team... Meanwhile, investigations in November revealed, among other things, that the company had hired a Washington firm to spread its own brand of misinformation on other platforms..."

Hiring a firm to distribute misinformation elsewhere while promising to eliminate misinformation on its platform. Not good. Are Zuckerberg and Sandberg up to the task? The above list of breaches, scandals, fumbles, and stumbles suggests not. What do you think?

The bottom line is trust. Given recent events, a BuzzFeed News article posed a relevant question (emphasis added):

"Of all of the statements, apologies, clarifications, walk-backs, defenses, and pleas uttered by Facebook employees in 2018, perhaps the most inadvertently damning came from its CEO, Mark Zuckerberg. Speaking from a full-page ad displayed in major papers across the US and Europe, Zuckerberg proclaimed, "We have a responsibility to protect your information. If we can’t, we don’t deserve it." At the time, the statement was a classic exercise in damage control. But given the privacy blunders that followed, it hasn’t aged well. In fact, it’s become an archetypal criticism of Facebook and the set up for its existential question: Why, after all that’s happened in 2018, does Facebook deserve our personal information?"

Facebook executives have apologized often. Enough is enough. No more apologies. Just fix it! And, if Facebook users haven't asked themselves the above question yet, some surely will. Earlier this week, a friend posted on the site:

"To all my FB friends:
I will be deleting my FB account very soon as I am disgusted by their invasion of the privacy of their users. Please contact me by email in the future. Please note that it will take several days for this action to take effect as FB makes it hard to get out of its grip. Merry Christmas to all and with best wishes for a Healthy, safe, and invasive free New Year."

I reminded this friend to also delete any Instagram and WhatsApp accounts, since Facebook operates those services, too. If you want to quit the service but suffer from FOMO (Fear Of Missing Out), then read the experiences of a person who quit Apple, Google, Facebook, Microsoft, and Amazon for a month. It can be done. And, your social life will continue -- spectacularly. It did before Facebook.

Me? I have reduced my activity on Facebook. And there are certain activities I don't do on Facebook: take quizzes, make online payments, use its emotion reaction buttons (besides "Like"), use its mobile app, use the Messenger mobile app, or use its voting and ballot previews content. Long ago I disabled the Facebook API platform on my Facebook account. You should, too. I never use my Facebook credentials (e.g., username, password) to sign into other sites. Never.

I will continue to post on Facebook links to posts in this blog, since it is helpful information for many Facebook users. In what ways have you reduced your usage of Facebook?


House Oversight Committee Report On The Equifax Data Breach. Did The Recommendations Go Far Enough?

On Monday, the U.S. House of Representatives Committee on Oversight and Government Reform released its report (Adobe PDF) on the massive Equifax data breach, where the most sensitive personal and payment information of more than 148 million consumers -- nearly half of the population -- was accessed and stolen. The report summary:

"In 2005, former Equifax Chief Executive Officer (CEO) Richard Smith embarked on an aggressive growth strategy, leading to the acquisition of multiple companies, information technology (IT) systems, and data. While the acquisition strategy was successful for Equifax’s bottom line and stock price, this growth brought increasing complexity to Equifax’s IT systems, and expanded data security risks... Equifax, however, failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable."

The report cited several failures by Equifax. First:

"On March 7, 2017, a critical vulnerability in the Apache Struts software was publicly disclosed. Equifax used Apache Struts to run certain applications on legacy operating systems. The following day, the Department of Homeland Security alerted Equifax to this critical vulnerability. Equifax’s Global Threat and Vulnerability Management (GTVM) team emailed this alert to over 400 people on March 9, instructing anyone who had Apache Struts running on their system to apply the necessary patch within 48 hours. The Equifax GTVM team also held a March 16 meeting about this vulnerability. Equifax, however, did not fully patch its systems. Equifax’s Automated Consumer Interview System (ACIS), a custom-built internet-facing consumer dispute portal developed in the 1970s, was running a version of Apache Struts containing the vulnerability. Equifax did not patch the Apache Struts software located within ACIS, leaving its systems and data exposed."

As bad as that is, it gets worse:

"On May 13, 2017, attackers began a cyberattack on Equifax. The attack lasted for 76 days. The attackers dropped “web shells” (a web-based backdoor) to obtain remote control over Equifax’s network. They found a file containing unencrypted credentials (usernames and passwords), enabling the attackers to access sensitive data outside of the ACIS environment. The attackers were able to use these credentials to access 48 unrelated databases."

"Attackers sent 9,000 queries on these 48 databases, successfully locating unencrypted personally identifiable information (PII) data 265 times. The attackers transferred this data out of the Equifax environment, unbeknownst to Equifax. Equifax did not see the data exfiltration because the device used to monitor ACIS network traffic had been inactive for 19 months due to an expired security certificate. On July 29, 2017, Equifax updated the expired certificate and immediately noticed suspicious web traffic..."

Findings so far: 1) growth prioritized over security while archiving highly valuable data; 2) antiquated computer systems; 3) failed security patches; 4) unprotected user credentials; and 5) failed intrusion detection mechanism. Geez!

Only after updating its expired security certificate did Equifax notice the intrusion. After that, you'd think that Equifax would have implemented a strong post-breach response. You'd be wrong. More failures:

"When Equifax informed the public of the breach on September 7, the company was unprepared to support the large number of affected consumers. The dedicated breach website and call centers were immediately overwhelmed, and consumers were not able to obtain timely information about whether they were affected and how they could obtain identity protection services."

"Equifax should have addressed at least two points of failure to mitigate, or even prevent, this data breach. First, a lack of accountability and no clear lines of authority in Equifax’s IT management structure existed, leading to an execution gap between IT policy development and operation. This also restricted the company’s implementation of other security initiatives in a comprehensive and timely manner. As an example, Equifax had allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains."

"Second, Equifax’s aggressive growth strategy and accumulation of data resulted in a complex IT environment. Equifax ran a number of its most critical IT applications on custom-built legacy systems. Both the complexity and antiquated nature of Equifax’s IT systems made IT security especially challenging..."

Findings so far: 6) inadequate post-breach response; and 7) complicated IT structure making updates difficult. Geez!
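The expired-certificate finding above (an inspection device blind for 19 months, 79 lapsed monitoring certificates) is the kind of lapse a periodic inventory audit exists to catch. The Go program below is an added example, not code from the report or from Equifax: it builds a constructed three-host inventory of self-signed certificates, classifies each as valid, expiring or expired against a 30-day warning window, and escalates any non-valid certificate carrying a hypothetical "monitoring" role, since a lapsed certificate there disables detection rather than a web page. Host names, roles and validity periods are made up for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

const StatusValid, StatusExpiring, StatusExpired = "VALID", "EXPIRING", "EXPIRED"

// InventoryEntry is one certificate in a constructed inventory. Role is a hypothetical tag;
// "monitoring" marks an inspection device, where a lapsed certificate silently blinds detection.
type InventoryEntry struct {
	Host string
	Role string
	PEM  []byte
}

type Finding struct {
	Host     string
	Status   string
	DaysLeft int  // negative once expired
	Critical bool // anything but VALID on a monitoring device
}

// Classify compares a certificate's NotAfter with now and a warning window in days.
func Classify(cert *x509.Certificate, now time.Time, warnDays int) string {
	switch {
	case !now.Before(cert.NotAfter):
		return StatusExpired
	case now.Add(time.Duration(warnDays) * 24 * time.Hour).After(cert.NotAfter):
		return StatusExpiring
	}
	return StatusValid
}

// Audit parses and classifies every entry; an unparsable certificate aborts the run rather than being skipped.
func Audit(inv []InventoryEntry, now time.Time, warnDays int) ([]Finding, error) {
	var out []Finding
	for _, e := range inv {
		block, _ := pem.Decode(e.PEM)
		if block == nil || block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("%s: no CERTIFICATE block found", e.Host)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", e.Host, err)
		}
		st := Classify(cert, now, warnDays)
		out = append(out, Finding{
			Host: e.Host, Status: st,
			DaysLeft: int(cert.NotAfter.Sub(now).Hours() / 24),
			Critical: e.Role == "monitoring" && st != StatusValid,
		})
	}
	return out, nil
}

// SelfSignedPEM mints a constructed self-signed certificate for the demo inventory.
func SelfSignedPEM(cn string, notBefore, notAfter time.Time) []byte {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// DemoInventory is constructed data: a device whose certificate lapsed 580 days (about 19 months) ago, a portal expiring in 20 days, a healthy host.
func DemoInventory(now time.Time) []InventoryEntry {
	day := 24 * time.Hour
	return []InventoryEntry{
		{"ids-tap-01", "monitoring", SelfSignedPEM("ids-tap-01", now.Add(-700*day), now.Add(-580*day))},
		{"dispute-portal", "web", SelfSignedPEM("dispute-portal", now.Add(-300*day), now.Add(20*day))},
		{"intranet", "internal", SelfSignedPEM("intranet", now.Add(-10*day), now.Add(300*day))},
	}
}

func main() {
	now := time.Now().Truncate(time.Second) // X.509 validity times carry second precision
	findings, err := Audit(DemoInventory(now), now, 30)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", findings)
}
```

In practice the inventory would be fed from the real certificate stores and the "monitoring" role from the asset register, so that a blind inspection device is reported as critical rather than buried among routine renewals.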

The report listed the executives who retired and/or were fired. That's a small start for a company archiving the most sensitive personal and payment information of all USA citizens. The report included seven recommendations:

"1: Empower Consumers through Transparency. Consumer reporting agencies (CRAs) should provide more transparency to consumers on what data is collected and how it is used. A large amount of the public’s concern after Equifax’s data breach announcement stemmed from the lack of knowledge regarding the extensive data CRAs hold on individuals. CRAs must invest in and deploy additional tools to empower consumers to better control their own data..."

"2: Review Sufficiency of FTC Oversight and Enforcement Authorities. Currently, the FTC uses statutory authority under Section 5 of the Federal Trade Commission Act to hold businesses accountable for making false or misleading claims about their data security or failing to employ reasonable security measures. Additional oversight authorities and enforcement tools may be needed to enable the FTC to effectively monitor CRA data security practices..."

"3: Review Effectiveness of Identity Monitoring and Protection Services Offered to Breach Victims. The General Accounting Office (GAO) should examine the effectiveness of current identity monitoring and protection services and provide recommendations to Congress. In particular, GAO should review the length of time that credit monitoring and protection services are needed after a data breach to mitigate identity theft risks. Equifax offered free credit monitoring and protection services for one year to any consumer who requested it... This GAO study would help clarify the value of credit monitoring services and the length of time such services should be maintained. The GAO study should examine alternatives to credit monitoring services and identify additional or complementary services..."

"4: Increase Transparency of Cyber Risk in Private Sector. Federal agencies and the private sector should work together to increase transparency of a company’s cybersecurity risks and steps taken to mitigate such risks. One example of how a private entity can increase transparency related to the company’s cyber risk is by making disclosures in its Securities and Exchange Commission (SEC) filings. In 2011, the SEC developed guidance to assist companies in disclosing cybersecurity risks and incidents. According to the SEC guidance, if cybersecurity risks or incidents are “sufficiently material to investors” a private company may be required to disclose the information... Equifax did not disclose any cybersecurity risks or cybersecurity incidents in its SEC filings prior to the 2017 data breach..."

"5: Hold Federal Contractors Accountable for Cybersecurity with Clear Requirements. The Equifax data breach and federal customers’ use of Equifax identity validation services highlight the need for the federal government to be vigilant in mitigating cybersecurity risk in federal acquisition. The Office of Management and Budget (OMB) should continue efforts to develop a clear set of requirements for federal contractors to address increasing cybersecurity risks, particularly as it relates to handling of PII. There should be a government-wide framework of cybersecurity and data security risk-based requirements. In 2016, the Committee urged OMB to focus on improving and updating cybersecurity requirements for federal acquisition... The Committee again urges OMB to expedite development of a long-promised cybersecurity acquisition memorandum to provide guidance to federal agencies and acquisition professionals..."

"6: Reduce Use of Social Security Numbers as Personal Identifiers. The executive branch should work with the private sector to reduce reliance on Social Security numbers. Social Security numbers are widely used by the public and private sector to both identify and authenticate individuals. Authenticators are only useful if they are kept confidential. Attackers stole the Social Security numbers of an estimated 145 million consumers from Equifax. As a result of this breach, nearly half of the country’s Social Security numbers are no longer confidential. To better protect consumers from identity theft, OMB and other relevant federal agencies should pursue emerging technology solutions as an alternative to Social Security number use."

"7: Implement Modernized IT Solutions. Companies storing sensitive consumer data should transition away from legacy IT and implement modern IT security solutions. Equifax failed to modernize its IT environments in a timely manner. The complexity of the legacy IT environment hosting the ACIS application allowed the attackers to move throughout the Equifax network... Equifax’s legacy IT was difficult to scan, patch, and modify... Private sector companies, especially those holding sensitive consumer data like Equifax, must prioritize investment in modernized tools and technologies...."

The history of corporate data breaches and the above list of corporate failures by Equifax both should be warnings to anyone in government promoting the privatization of current government activities. Companies screw up stuff, too.

Recommendation #6 is frightening in that it hasn't been implemented. Yikes! No federal agency should do business with a private sector firm operating with antiquated computer systems. And, if Equifax can't protect the information it archives, it should cease to exist. While that sounds harsh, it ain't. Continual data breaches place risks and burdens upon already burdened consumers trying to control and protect their data.

What are your opinions of the report? Did it go far enough?