
CBP Breach Disclosed Images Of Travelers' Faces And Vehicle License Plates. Many Unanswered Questions

A security breach at a vendor used by U.S. Customs & Border Patrol (CBP) has disclosed images of travelers' faces and of vehicle license plates. The Washington Post reported:

"Customs officials said in a statement Monday that the images, which included photos of people’s faces and license plates, had been compromised as part of an attack on a federal subcontractor. CBP makes extensive use of cameras and video recordings at airports and land border crossings, where images of vehicles are captured. Those images are used as part of a growing agency facial-recognition program designed to track the identity of people entering and exiting the United States. Fewer than 100,000 people were impacted, said CBP... Officials said the stolen information did not include other identifying information, and no passport or other travel document photos were compromised..."

Reportedly, CBP learned about the breach on May 31. The newspaper also reported:

"CBP said copies of “license plate images and traveler images collected by CBP” had been transferred to the subcontractor’s company network, violating the agency’s security and privacy rules. The subcontractor’s network was then attacked and breached. No CBP systems were compromised, the agency said."

A reporter posted on Twitter the brief statement by CBP, which was sent to selected news organizations:

"On May 31, 2009, CBP learned that a subcontractor, in violation of CBP policies and without CBP's authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor's company network. The subcontractor's network was subsequently compromised by a malicious cyber-attack. No CBP systems were compromised.

Initial information indicates that the subcontractor violated mandatory security and privacy controls outlined in their contract. As of today, none of the image data has been identified on the Dark Web or internet. CBP has alerted Members of Congress and is working closely with other law enforcement agencies and cybersecurity entities, and its own Office of Professional Responsibility to actively investigate the incident. CBP will unwaveringly work with all partners to determine the extent of the breach and the appropriate response. CBP has removed from service all equipment related to the breach and is closely monitoring all CBP work by the contractor..."

Well, that brief statement is a start... a small start. This security breach is very troubling for several reasons.

First, it seems that CBP was unaware of the contractual violation (e.g., downloaded images) until it was informed of the data breach. That suggests an inadequate contractual agreement between the vendor and CBP; or failures by CBP to monitor and enforce its contracts. That also raises more questions:

  • When and which executives at the vendor will be reprimanded for this violation?
  • Why did CBP fail to identify the download violation?
  • What changes are underway to prevent future violations?
  • Why is CBP continuing to use a vendor known to have severely violated its contractual agreement?
  • What other vendors have violated CBP contracts?

Second, CBP refused to disclose the name of the vendor. Why? What would this accomplish? Its statement described the breach as a "malicious cyberattack." That seems to warrant disclosure. Were CBP executives caught unprepared?

Thankfully, reporters at the Washington Post continued investigating:

"... a Microsoft Word document of CBP’s public statement, sent Monday to Washington Post reporters, included the name “Perceptics” in the title: “CBP Perceptics Public Statement.” Perceptics representatives did not immediately respond to requests for comment... reporters at The Register, a British technology news site, reported late last month that a large haul of breached data from the firm Perceptics was being offered as a free download on the dark web."

So, we don't know for sure if Perceptics was the CBP vendor. However, the May 23rd article in The Register indicates that Perceptics executives were already aware of the breach. CBP executives should have known about the breach on May 23, too, since the article mentioned both entities. Then, why did the CBP statement say it learned of the breach on May 31st? Something here smells -- arrogance, incompetence, or both.

Third, a check at press time of the CBP website and newsroom failed to find any mentions of the security breach. CBP executives have had since May 31st (or since May 23rd), so why send a statement only to select news organizations? Why not publish that statement on its website, too? Were CBP executives caught unprepared and then rushed a haphazard response? When will the breach investigation report be released?

This is troubling. It suggests either arrogance or unpreparedness. As a taxpayer, my money funds CBP activities. I want to know that my money is being spent effectively.

Fourth, the lack of a detailed breach announcement means many related questions remain unanswered:

  • When will CBP notify affected persons? If the vendor will notify affected persons, then CBP must disclose the vendor's name in advance.
  • What assistance (e.g., free credit monitoring) will CBP provide affected persons?
  • What is the status of the post-breach investigation? It helps to know how attackers broke in so effective fixes can be implemented.
  • What other data elements were accessed/stolen? Metadata (e.g., image date and timestamp, border crossing GPS location, entering or exiting USA, vehicle brand and model, number and ages of any passengers in vehicles, etc.) attached to the images can be just as damaging.
  • Were any data elements encrypted? If not, why not?
  • Can facial images be matched to vehicle plate images, and/or to other data elements? If so, this creates more problems for impacted persons.
  • When will fixes be implemented so this doesn't happen again?
  • Exactly how many persons were affected, and in what states? Local states' breach notification laws may apply.
  • How many of the affected persons are U.S. citizens? If the 100,000 estimate applies to only affected U.S. citizens, then we need to know the true total number of persons impacted by the breach.
  • Does the 100,000 estimate refer to facial images only? If so, then exactly how many vehicle license plate images were disclosed?

The statement of "fewer than 100,000 persons impacted" seems vague. A breach investigation should determine two fairly precise items: the number of facial images accessed/stolen, and the number of license plate images accessed/stolen.

Plus, it seems wise to assume more data was stolen during the breach. Why? Consider this report by The Atlantic:

"I would be cautious about assuming this data breach contains only photo data," said Chad Loder, the CEO of Habitu8, a cybersecurity firm that trains other companies on security awareness. The full scope of the breach may be much larger than what CBP revealed in its original statement, he said. In recent years, CBP has asked travelers for fingerprints, facial data, and, recently, even social-media accounts. "If CBP’s contractor was targeted specifically, it’s unlikely that the attacker would have stopped with just photo data..."

If social media passwords were stolen, then affected persons need to know so they can change online passwords. And, elected officials are also asking questions. The Hill reported:

"House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) announced on Monday that his committee would hold hearings next month to examine the collection of biometric information by the Department of Homeland Security (DHS), which includes CBP... Homeland Security Committee ranking member Mike Rogers (R-Ala.), used the breach to criticize DHS’s handling of cybersecurity challenges, saying in a statement to The Hill that "the agency is ill-equipped to handle emerging cyberthreats"... Representative Cedric Richmond (D-La.), the chairman of the House Homeland Security subcommittee on cybersecurity, also called for more answers about the breach, which he said would inform Congress's next steps... Senator Brian Schatz (D-Hawaii), the ranking member of the Senate Commerce Subcommittee on Communications, Technology, Innovation and the Internet, said he thinks the breach merits an investigation by the Office of the Inspector General."

Good suggestion by Senator Schatz. Clearly, there's plenty more news to come. Plenty.


After Pleading Guilty To Continued Pollution And Trying To Hide It, Carnival Corporation Fined An Additional $20 Million

[Editor's note: I'm back from my break. Thanks to readers for your patience. That break included a vacation on a different cruise line sailing from New Zealand to Canada via Polynesia, Tasmania, southern Australia, French Polynesia, and the Hawaiian Islands. So, this news story caught my attention.]

On Monday, Carnival Corporation acknowledged violating its probation terms from a 2016 pollution case. Government prosecutors fined the company an additional $20 million for the continuing violations. The New York Times reported:

"In 2016, Princess Cruise Lines agreed to pay a $40 million penalty for illegally dumping oil-contaminated waste into the sea and acts by employees to try to cover it up. It was the largest criminal penalty ever imposed for intentional vessel pollution... The new violations included discharging plastic into waters in the Bahamas, falsifying records and interfering with court supervision of ships... Vessel pollution is just one of the many human-caused hazards facing ocean life today. Ship traffic and noise can cause the death of sea creatures; marine animals routinely turn up dead with plastic in their stomachs; and rising sea temperatures, stemming from climate change caused by human activity, are destroying the framework of many ocean ecosystems."

Based in Miami, Carnival Corporation operates several cruise lines including Princess Cruises, Carnival Cruise Line, Holland America Line, P&O Cruises (UK), Cunard, Seabourn, AIDA Cruises (Germany), and Costa Cruises (Italy). Its website states a combined fleet of 102 ships, with 19 new ships to be delivered between 2017 and 2022. The company employs about 120,000 people worldwide, and 11.5 million guests sail on its ships each year. In 2018, Carnival Corporation generated after-tax profits of $3.15 billion on revenues of $18.88 billion.

Government regulators focused upon the company after:

"... Princess agreed, in 2016, to plead guilty to felony charges and pay the hefty $40 million penalty. In that case... the Caribbean Princess ship, had used several means, including a device called a magic pipe, to circumvent water-cleaning mechanisms... Officials said that four other Princess ships had also been found to have engaged in illegal practices to discharge waste. The discharged waste included gray water — water that has been contaminated with food particles, grease and fat — and water found in the ship’s bilge, the bottom part of the ship where oil waste from engines can accumulate. A whistleblower employee alerted the authorities and certain engineers ordered a coverup, including directing subordinates to lie, according to prosecutors."

In an announcement on Monday, the U.S. Department of Justice (DOJ) listed in detail the violations by Carnival Corporation and its executives:

"1. Failing to establish a senior corporate officer as a corporate compliance manager with responsibility and sufficient authority for implementing new environmental measures required during probation;
2. Contacting the Coast Guard seeking to re-define the definition of what constitutes a major non-conformity under the ECP without going through the required process and after the government had rejected the proposal and told the company to file a motion with the court if it wanted to pursue the issue;
3. Deliberately falsifying environmental training records aboard two cruise ships; and
4. Deliberately discharging plastic in Bahamian waters from the Carnival Elation and failing to accurately record the illegal discharges. Prosecutors advised the Court that this particular instance was an example of a more widespread problem, identified by the external audits, in failing to segregate plastic and non-food garbage from waste thrown overboard from numerous cruise ships."

The DOJ announcement also listed the terms of the settlement agreement, which requires Carnival Corporation:

"i) Pay a $20 million criminal penalty;
ii) Issue a statement to all employees in which Carnival’s CEO accepts management’s responsibility for the probation violations;
iii) Restructure the company’s corporate compliance efforts, including appointing a new chief Corporate Compliance Officer, creating an Executive Compliance Committee across all cruise lines, adding a new member to the Board of Directors with corporate compliance expertise, and train its Board of Directors;
iv) Pay up to $10 million per day if it does not meet deadlines for submitting and implementing needed changes to its corporate structure;
v) Pay for 15 additional independent audits per year conducted by the third-party auditor and Court Appointed Monitor (on top of approximately 31 ship audits and 6 shore-side audits currently performed annually);
vi) Comply with new reporting requirements, including notifying the government and court of all future violations, and specifically identifying foreign violations and the country impacted; and
vii) Make major changes in how the company uses and disposes of plastic and other non-food waste to urgently address a problem on multiple vessels concerning illegal discharges of plastic mixed with other garbage."

Plus, Princess Cruise Line will remain on probation for three more years. The third-party auditor suggests that the court doesn't trust the company and its executives to accurately report progress and corrective actions toward the deadlines. That's good given the light fines (as a percentage of the company's profits).

Cruise customers have already shared their views. According to the Cruise Critic website:

"... SO DISAPPOINTED IN Carnival/Princess... NOT acceptable!!! I just went on a 12 day cruise on the Star Princess last month. I feel betrayed reading this. I had such a great time too. To intentionally break pollution laws means no integrity and shoddy business practice. I want to slap someone."
-- Marykay8

"Well now we know why they have increased some pricing, including some drink packages by 40%. Got to get more from the passengers to pay their fine. The customer always pays more in these scenarios."
-- KYwildcatfanone

"Let's hope this will finally get Carnival Corp. to ensure all of its ships adhere to environmental regulations. But in the big scheme of things, $20 million is just a minuscule amount on a company that had $3.2 billion in net income."
-- GeoHerb

More discussion by customers is available here. Clearly, cruise customers want the pollution stopped, executives held accountable, and the company to change its behavior.

A search of both the Carnival Corporation and Princess Cruises websites at press time failed to find any press releases or mention of the latest fine. The Miami Herald published a brief statement by Arnold Donald, the company's Chief Executive Officer, who appeared in court:

"Donald spoke on behalf of Carnival Corp. "I sincerely regret this case," he said. "In my role as CEO I do take responsibility for the problems we have. I am extremely disappointed that we’ve had them. I know you have reservations about our commitment and who we are. I want you to know we are fully committed." Donald was the only executive who spoke at the hearing."

Fully committed? The proof will be in the company's future actions -- not words -- to fully, consistently, and faithfully comply with the latest settlement agreement and clean up its pollution mess. Will it? What action will the board of directors take? Which executives will be disciplined? Which senior executives will resign? Will more whistleblowers come forward? Lots more news to come.


Federal Reserve Enforcement Action Against Banking Executives

Last month, the Federal Reserve Board (FRB) announced several notable enforcement actions. A February 5th press release discussed a:

"Consent Notice of Suspension and Prohibition against Fred Daibes, former Chairman of Mariner's Bancorp, Edgewater, New Jersey, for perpetuating a fraudulent loan scheme, according to a federal indictment."

The order against Daibes described the violations:

"... on October 30, 2018, a federal grand jury in the United States District Court for the District of New Jersey charged [Daibes] and an accomplice by indictment with one count conspiracy to misapply bank funds and to make false entries to deceive a financial institution and the FDIC, five counts of misapplying bank funds, six counts of making false entries to deceive a financial institution and the FDIC, and one count of causing reliance on a false document to influence the FDIC... During the relevant time period, Mariner’s was subject to federal banking regulations that placed limits on the amount of money that the Bank could lend to a single borrower... the Indictment charges that in about January 2008 to December 2013, Daibes and others orchestrated a nominee loan scheme designed to circumvent the Lending Limits by ensuring that millions of dollars in loans made by the Bank (the “Nominee Loans”) flowed from the nominees to Daibes, while concealing Daibes’ beneficial interests in those loans from both the Bank and the FDIC. Daibes recruited nominees to make materially false and misleading statements and material omissions..."

The FRB and the U.S. Federal Deposit Insurance Corporation (FDIC) are two of several federal agencies which oversee and regulate the banking industry within the United States. The order bars Daibes from working within the banking industry.

Then, a February 7th FRB press release discussed a:

"Consent Prohibition against Alison Keefe, former employee of SunTrust Bank, Atlanta, Georgia, for violating bank overdraft policies for her own benefit."

The order against Keefe described the violations:

"... between September 2017 and May 2018, while employed as the manager of the Bank’s Hilltop Branch in Virginia Beach, Virginia, Keefe repeatedly overdrew her personal checking account at the Bank and instructed Bank staff, without authorization and contrary to Bank policies, to honor the overdrafts... Keefe’s misconduct described above constituted unsafe or unsound banking practices and demonstrated a reckless disregard for the safety and soundness of the Bank..."

Keefe was fired by the bank on July 12, 2018, and has repaid the bank. The order bars Keefe from working within the banking industry.

A February 21st press release discussed the agency's enforcement action against a former manager at J.P. Morgan Chase bank. The FRB:

"... permanently barred from the banking industry Timothy Fletcher, a former managing director at a non-bank subsidiary of J.P. Morgan Chase & Co. Fletcher consented to the prohibition, which includes allegations that he improperly administered a referral hiring program at the firm by offering internships and other employment opportunities to individuals referred by foreign officials, clients, and prospective clients in order to obtain improper business advantages for the firm. The FRB is also requiring Fletcher to cooperate in any pending or prospective enforcement action against other individuals who are or were affiliated with the firm. The firm was previously fined $61.9 million by the Board relating to this program. In addition, the Department of Justice and the Securities and Exchange Commission have also fined the firm."

The $61.9 million fine was levied against J.P. Morgan Chase in November 2016. Back then, the FRB found that the bank:

"... did not have adequate enterprise-wide controls to ensure that referred candidates were appropriately vetted and hired in accordance with applicable anti-bribery laws and firm policies. The Federal Reserve's order requires J.P. Morgan Chase to enhance the effectiveness of senior management oversight and controls relating to the firm's referral hiring practices and anti-bribery policies. The Federal Reserve is also requiring the firm to cooperate in its investigation of the individuals..."

Last month's order against Fletcher described the violations:

"... from at least 2008 until 2013 [Fletcher] engaged in unsafe and unsound practices, breaches of fiduciary duty, and violations of law related to his involvement in the Firm’s referral hiring program for the Asia-Pacific region investment bank, whereby candidates who were referred, directly or indirectly, by foreign government officials and existing or prospective commercial clients were offered internships, training, and other employment opportunities in order to obtain improper business advantages for the Firm... the Firm’s internal policies prohibited Firm employees from giving anything of value, including the offer of internships or training, to certain individuals, including relatives of public officials and relatives and associates of non-government corporate representatives, in order to obtain improper business advantages for the Firm..."

Kudos to the FRB for its enforcement action. Executives must suffer direct consequences for wrongdoing. After reading this, one wonders why direct consequences are not applied against executives within the social media industry. The behaviors there do just as much damage; and cross borders, too. What are your opinions?


Brave Alerts FTC On Threats From Business Practices With Big Data

The U.S. Federal Trade Commission (FTC) held a "Privacy, Big Data, And Competition" hearing on November 6-8, 2018 as part of its "Competition And Consumer Protection in the 21st Century" series of discussions. During that session, the FTC asked for input on several topics:

  1. "What is “big data”? Is there an important technical or policy distinction to be drawn between data and big data?
  2. How have developments involving data – data resources, analytic tools, technology, and business models – changed the understanding and use of personal or commercial information or sensitive data?
  3. Does the importance of data – or large, complex data sets comprising personal or commercial information – in a firm’s ordinary course operations change how the FTC should analyze mergers or firm conduct? If so, how? Does data differ in importance from other assets in assessing firm or industry conduct?
  4. What structural, behavioral or conduct remedies should the FTC consider when remedying antitrust harm in a market or industry where data or personal or commercial information are a significant product or a key competitive input?
  5. Are there policy recommendations that would facilitate competition in markets involving data or personal or commercial information that the FTC should consider?
  6. Do the presence of personal information or privacy concerns inform or change competition analysis?
  7. How do state, federal, and international privacy laws and regulations, adopted to protect data and consumers, affect competition, innovation, and product offerings in the United States and abroad?"

Brave, the developer of a web browser, submitted comments to the FTC which highlighted two concerns:

"First, big tech companies “cross-use” user data from one part of their business to prop up others. This stifles competition, and hurts innovation and consumer choice. Brave suggests that FTC should investigate. Second, the GDPR is emerging as a de facto international standard. Whether this helps or harms United States firms will be determined by whether the United States enacts and actively enforces robust federal privacy laws."

A letter by Dr. Johnny Ryan, the Chief Policy & Industry Relations Officer at Brave, described in detail the company's concerns:

"The cross-use and offensive leveraging of personal information from one line of business to another is likely to have anti-competitive effects. Indeed anti-competitive practices may be inevitable when companies with Google’s degree of market dominance update their privacy policies to include the cross-use of personal information. The result is that a company can leverage all the personal information accumulated from its users in one line of business to dominate other lines of business too. Rather than competing on the merits, the company can enjoy the unfair advantage of massive network effects... The result is that nascent and potential competitors will be stifled, and consumer choice will be limited... The cross-use of data between different lines of business is analogous to the tying of two products. Indeed, tying and cross-use of data can occur at the same time, as Google Chrome’s latest “auto sign in to everything” controversy illustrates..."

Historically, Google let Chrome web browser users decide whether or not to sign in for cross-device usage. The Chrome 69 update forced auto sign-in, but a Chrome 70 update restored users' choice after numerous complaints and criticism.

Regarding topic #7 by the FTC, Brave's response said:

"A de facto international standard appears to be emerging, based on the European Union’s General Data Protection Regulation (GDPR)... the application of GDPR-like laws for commercial use of consumers’ personal data in the EU, Britain (post EU), Japan, India, Brazil, South Korea, Malaysia, Argentina, and China bring more than half of global GDP under a common standard. Whether this emerging standard helps or harms United States firms will be determined by whether the United States enacts and actively enforces robust federal privacy laws. Unless there is a federal GDPR-like law in the United States, there may be a degree of friction and the potential of isolation for United States companies... there is an opportunity in this trend. The United States can assume the global lead by adopting the emerging GDPR standard, and by investing in world-leading regulation that pursues test cases, and defines practical standards..."

Currently, companies collect, archive, share, and sell consumers' personal information at will -- often without notice or consent. While all 50 states and the territories have breach notification laws, most states have not upgraded those laws to cover biometric and passport data. While the Health Insurance Portability and Accountability Act (HIPAA) is the federal law which governs healthcare data and related breaches, many consumers share health data with social media sites -- robbing themselves of HIPAA protections.

Moreover, it's an unregulated free-for-all of data collection, archiving, and sharing by telecommunications companies after the revoking in 2017 of broadband privacy protections for consumers in the USA. Plus, laws have historically focused upon "declared data" (e.g., the data users upload or submit into websites or apps) while ignoring "inferred data" -- which is arguably just as sensitive and revealing.

Regarding future federal privacy legislation, Brave added:

"... The GDPR is compatible with a United States view of consumer protection and privacy principles. Indeed, the FTC has proposed important privacy protections to legislators in 2009, and again in 2012 and 2014, which ended up being incorporated in the GDPR. The high-level principles of the GDPR are closely aligned, and often identical to, the United States’ privacy principles... The GDPR also incorporates principles endorsed by the U.S. in the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data; and the principles endorsed by the United States this year, in Article 19.8 (3) of the new United States-Mexico-Canada Agreement."

"The GDPR differs from established United States privacy principles in its explicit reference to “proportionality” as a precondition of data use, and in its more robust approach to data minimization and to purpose specification. In our view, a federal law should incorporate these elements too. We also recommend that federal law should adopt the GDPR definitions of concepts such as “personal data”, “legal basis” including opt-in “consent”, “processing”, “special category personal data”, ”profiling”, “data controller”, “automated decision making”, “purpose limitation”, and so forth, and tools such as data protection impact assessments, breach notification, and records of processing activities."

"In keeping with the fair information practice principles (FIPPs) of the 1974 US Privacy Act, Brave recommends that a federal law should require that the collection of personal information is subject to purpose specification. This means that personal information shall only be collected for specific and explicit purposes. Personal information should not be used beyond those purposes without consent, unless a further purpose poses no risk of harm and is compatible with the initial purpose, in which case the data subject should have the opportunity to opt-out."

Submissions by Brave and others are available to the public at the FTC website in the "Public Comments" section.


Survey: People In Relationships Spy On Cheating Partners. FTC: Singles Looking For Love Are The Biggest Target Of Scammers

Happy Valentine's Day! First, BestVPN announced the results of a survey of 1,000 adults globally about relationships and trust in today's digital age where social media usage is very popular. Key findings:

"... nearly 30% of respondents admitted to using tracking apps to catch a partner [suspected of or cheating]. After all, over a quarter of those caught cheating were busted by modern technology... 85% of those caught out in the past now take additional steps to protect their privacy, including deleting their browsing data or using a private browsing mode."

Below is an infographic with more findings from the survey.


Second, the U.S. Federal Trade Commission (FTC) issued a warning earlier this week about fraud affecting single persons:

"... romance scams generated more reported losses than any other consumer fraud type reported to the agency... The number of romance scams reported to the FTC has grown from 8,500 in 2015 to more than 21,000 in 2018, while reported losses to these scams more than quadrupled in recent years—from $33 million in 2015 to $143 million last year. For those who said they lost money to a romance scam, the median reported loss was $2,600, with those 70 and over reporting the biggest median losses at $10,000."

"Romance scammers often find their victims online through a dating site or app or via social media. These scammers create phony profiles that often involve the use of a stranger’s photo they have found online. The goals of these scams are often the same: to gain the victim’s trust and love in order to get them to send money through a wire transfer, gift card, or other means."

So, be careful out there. Don't cheat, and beware of scammers and dating imposters. You have been warned.


Senators Demand Answers From Facebook And Google About Project Atlas And Screenwise Meter Programs

After news reports surfaced about Facebook's Project Atlas, a secret program in which Facebook paid teenagers (and other users) to install a research app on their phones that tracked and collected information about their mobile usage, several United States Senators have demanded explanations. Three Senators sent a joint letter on February 7, 2019 to Mark Zuckerberg, Facebook's chief executive officer.

The joint letter to Facebook (Adobe PDF format) stated, in part:

"We write concerned about reports that Facebook is collecting highly-sensitive data on teenagers, including their web browsing, phone use, communications, and locations -- all to profile their behavior without adequate disclosure, consent, or oversight. These reports fit with longstanding concerns that Facebook has used its products to deeply intrude into personal privacy... According to a journalist who attempted to register as a teen, the linked registration page failed to impose meaningful checks on parental consent. Facebook has more rigorous mechanisms to obtain and verify parental consent, such as when it is required to sign up for Messenger Kids... Facebook's monitoring under Project Atlas is particularly concerning because the data collection performed by the research app was deeply invasive. Facebook's registration process encouraged participants to "set it and forget it," warning that if a participant disconnected from the monitoring for more than ten minutes for a few days, that they could be disqualified. Behind the scenes, the app watched everything on the phone."

The letter included another example highlighting the alleged lack of meaningful disclosures:

"... the app added a VPN connection that would automatically route all of a participant's traffic through Facebook's servers. The app installed a SSL root certificate on the participant's phone, which would allow Facebook to intercept or modify data sent to encrypted websites. As a result, Facebook would have limitless access to monitor normally secure web traffic, even allowing Facebook to watch an individual log into their bank account or exchange pictures with their family. None of the disclosures provided at registration offer a meaningful explanation about how the sensitive data is used, how long it is kept, or who within Facebook has access to it..."

The letter was signed by Senators Richard Blumenthal (Democrat, Connecticut), Edward J. Markey (Democrat, Massachusetts), and Josh Hawley (Republican, Mississippi). Based upon news reports about how Facebook's Research App operated with similar functionality to the Onavo VPN app which was banned last year by Apple, the Senators concluded:

"Faced with that ban, Facebook appears to have circumvented Apple's attempts to protect consumers."

The joint letter also listed twelve questions the Senators want detailed answers about. Below are selected questions from that list:

"1. When did Project Atlas begin and how many individuals participated? How many participants were under age 18?"

"3. Why did Facebook use a less strict mechanism for verifying parental consent than is required for Messenger Kids or General Data Protection Regulation (GDPR) compliance?"

"4. What specific types of data were collected (e.g., device identifiers, usage of specific applications, content of messages, friends lists, locations, et al.)?"

"5. Did Facebook use the root certificate installed on a participant's device by the Project Atlas app to decrypt and inspect encrypted web traffic? Did this monitoring include analysis or retention of application-layer content?"

"7. Were app usage data or communications content collected by Project Atlas ever reviewed by or available to Facebook personnel or employees of Facebook partners?"

"8. Given that Project Atlas acknowledged the collection of "data about [users'] activities and content within those apps," did Facebook ever collect or retain the private messages, photos, or other communications sent or received over non-Facebook products?"

"11. Why did Facebook bypass Apple's app review? Has Facebook bypassed the App Store approval process using enterprise certificates for any other app that was used for non-internal purposes? If so, please list and describe those apps."

Read the entire letter to Facebook (Adobe PDF format). Also on February 7th, the Senators sent a similar letter to Google (Adobe PDF format), addressed to Hiroshi Lockheimer, the Senior Vice President of Platforms & Ecosystems. It stated in part:

"TechCrunch has subsequently reported that Google maintained its own measurement program called "Screenwise Meter," which raises similar concerns as Project Atlas. The Screenwise Meter app also bypassed the App Store using an enterprise certificate and installed a VPN service in order to monitor phones... While Google has since removed the app, questions remain about why it had gone outside Apple's review process to run the monitoring program. Platforms must maintain and consistently enforce clear policies on the monitoring of teens and what constitutes meaningful parental consent..."

The letter to Google includes a similar list of eight questions the Senators seek detailed answers about. Some notable questions:

"5. Why did Google bypass App Store approval for the Screenwise Meter app using enterprise certificates? Has Google bypassed the App Store approval process using enterprise certificates for any other non-internal app? If so, please list and describe those apps."

"6. What measures did Google have in place to ensure that teenage participants in Screenwise Meter had authentic parental consent?"

"7. Given that Apple removed Onavo Protect from the App Store for violating its terms of service regarding privacy, why has Google continued to allow the Onavo Protect app to be available on the Play Store?"

The lawmakers have asked for responses by March 1st. Thanks to all three Senators for protecting consumers' -- and children's -- privacy... and for enforcing transparency and accountability.


Technology And Human Rights Organizations Sent Joint Letter Urging House Representatives Not To Fund 'Invasive Surveillance' Tech Instead of A Border Wall

More than two dozen technology and human rights organizations sent a joint letter Tuesday to members of the House of Representatives, urging them not to fund "invasive surveillance technologies" in place of a physical wall or barrier along the southern border of the United States. The joint letter cited five concerns:

"1. Risk-based targeting: The proposal calls for “an expansion of risk-based targeting of passengers and cargo entering the United States.” We are concerned that this includes the expansion of programs — proven to be ineffective and to exacerbate racial profiling — that use mathematical analytics to make targeting determinations. All too often, these systems replicate the biases of their programmers, burden vulnerable communities, lack democratic transparency, and encourage the collection and analysis of ever-increasing amounts of data... 3. Biometrics: The proposal calls for “new cutting edge technology” at the border. If that includes new face surveillance like that deployed at international airline departures, it should not. Senator Jeff Merkley and the Congressional Black Caucus have expressed serious concern that facial recognition technology would place “disproportionate burdens on communities of color and could stifle Americans’ willingness to exercise their first amendment rights in public.” In addition, use of other biometrics, including iris scans and voice recognition, also raises significant privacy concerns... 5. Biometric and DNA data: We oppose biometric screening at the border and the collection of immigrants’ DNA, and fear this may be another form of “new cutting edge technology” under consideration. We are concerned about the threat that any collected biometric data will be stolen or misused, as well as the potential for such programs to be expanded far beyond their original scope..."

The letter was sent to Speaker Nancy Pelosi, Minority Leader Kevin McCarthy, Majority Leader Steny Hoyer, Minority Whip Steve Scalise, and Chair Nita Lowey and Ranking Member Kay Granger of the House Appropriations Committee.

Twenty-seven organizations signed the joint letter, including Fight for the Future, the Electronic Frontier Foundation, the American Civil Liberties Union (ACLU), the American-Arab Anti-Discrimination Committee, the Center for Media Justice, and the Project On Government Oversight. Read the entire letter.

Earlier this month, a structural and civil engineer cited several reasons why a physical wall won't work and would be vastly more expensive than the $5.7 billion requested.

Clearly, there are distinct advantages and disadvantages to each of the border-protection solutions the House and President are considering. It is a complex problem. The advantages and disadvantages of all proposals need to be clear, transparent, and understood by taxpayers prior to any final decisions.


The Federal Reserve Introduced A New Publication For And About Consumers

The Federal Reserve Board (FRB) has introduced a new publication titled, "Consumer & Community Context." According to the FRB announcement, the new publication will feature:

"... original analyses about the financial conditions and experiences of consumers and communities, including traditionally under-served and economically vulnerable households and neighborhoods. The goal of the series is to increase public understanding of the financial conditions and concerns of consumers and communities... The inaugural issue covers the theme of student loans, and includes articles on the effect that rising student loan debt levels may have on home ownership rates among young adults; and the relationship between the amount of student loan debt and individuals' decisions to live in rural or urban areas."

Authors are employees of the FRB or the Federal Reserve System (FRS). As the central bank of the United States, the FRS performs five general functions to "promote the effective operation of the U.S. economy and, more generally, the public interest:" i) conducts the nation’s monetary policy to promote maximum employment, stable prices, and moderate long-term interest rates; ii) promotes the stability of the financial system and seeks to minimize and contain systemic risks; iii) promotes the safety and soundness of individual financial institutions; iv) fosters payment and settlement system safety and efficiency through services to the banking industry; and v) promotes consumer protection and community development through consumer-focused supervision, examination, and monitoring of the financial system. Learn more about the Federal Reserve.

The first issue of Consumer & Community Context is available, in Adobe PDF format, at the FRB site. Economists, bank executives, consumer advocates, researchers, teachers, and policy makers may be particularly interested. To better understand the publication's content, below is an excerpt.

In their analysis of student loan debt and home ownership among young adults, the researchers found:

"... home ownership rate in the United States fell approximately 4 percentage points in the wake of the financial crisis, from a peak of 69 percent in 2005 to 65 percent in 2014. The decline in home ownership was even more pronounced among young adults. Whereas 45 percent of household heads ages 24 to 32 in 2005 owned their own home, just 36 percent did in 2014 — a marked 9 percentage point drop... We found that a $1,000 increase in student loan debt (accumulated during the prime college-going years and measured in 2014 dollars) causes a 1 to 2 percentage point drop in the home ownership rate for student loan borrowers during their late 20s and early 30s... higher student loan debt early in life leads to a lower credit score later in life, all else equal. We also find that, all else equal, increased student loan debt causes borrowers to be more likely to default on their student loan debt, which has a major adverse effect on their credit scores, thereby impacting their ability to qualify for a mortgage..."

The FRB announcement described the publication schedule as "periodically." Perhaps this is due to the partial government shutdown. Hopefully, in the near future the FRB will commit to a more regular publication schedule.


Report: Navient Tops List Of Student Loan Complaints

The Consumer Financial Protection Bureau (CFPB), a federal government agency in the United States, collects complaints about banks and other financial institutions. That includes lenders of student loans.

The CFPB and private-sector firms analyze these complaints, looking for patterns. Forbes magazine reported:

"The team at Make Lemonade analyzed these complaints [submitted during 2018], and found that there were 8,752 related to student loans. About 64% were related to federal student loans and 36% were related to private student loans. Nearly 67% of complaints were related to an issue with a student loan lender or student loan servicer."

"Navient, one of the nation's largest student loan servicers, ranked highest in terms of student loan complaints. In 2018, student loan borrowers submitted 4,032 complaints about Navient to the CFPB, which represents 46% of all student loan complaints. AES/PHEAA and Nelnet, two other major student loan servicers, received approximately 20% and 7%, respectively."

When looking for a student loan, wise consumers shop around, do their research, and compare lenders carefully. Some lenders are better than others. The Forbes article is very helpful, as it contains links to additional resources and information for consumers.

Learn more about the CFPB and its complaints database, which is designed to help consumers and regulators.


Federal Regulators Encourage Banks To Work With Borrowers Affected By Partial Government Shutdown

Six financial regulatory agencies issued a joint statement advising banks and financial institutions to be flexible with borrowers during the partial government shutdown in the United States. The January 11, 2019 statement said:

"While the effects of the federal government shutdown on individuals should be temporary, affected borrowers may face a temporary hardship in making payments on debts such as mortgages, student loans, car loans, business loans, or credit cards. As they have in prior shutdowns, the agencies encourage financial institutions to consider prudent efforts to modify terms on existing loans or extend new credit to help affected borrowers."

"Prudent workout arrangements that are consistent with safe-and-sound lending practices are generally in the long-term best interest of the financial institution, the borrower, and the economy. Such efforts should not be subject to examiner criticism. Consumers affected by the government shutdown are encouraged to contact their lenders immediately should they encounter financial strain."

The six agencies which signed the joint statement include the:

  • Board of Governors of the Federal Reserve System
  • Conference of State Bank Supervisors
  • Consumer Financial Protection Bureau
  • Federal Deposit Insurance Corporation
  • National Credit Union Administration
  • Office of the Comptroller of the Currency

Today is day 25 of the shutdown. Yesterday, President Trump rejected calls by Republicans to temporarily reopen several agencies to encourage negotiations with Democrats in the House of Representatives.

Reportedly, OceanFirst Bank has suspended fees for borrowers unable to make monthly payments on mortgage loans, home equity loans, and lines of credit. Provident Bank said it would offer a limited number of refunds on late payment fees for mortgages, home equity loans, checking account overdraft fees, and late credit card payment fees.

Has your bank shown flexibility? Or has it refused your requests? Share your experiences and opinions below.


House Oversight Committee Report On The Equifax Data Breach. Did The Recommendations Go Far Enough?

On Monday, the U.S. House of Representatives Committee on Oversight and Government Reform released its report (Adobe PDF) on the massive Equifax data breach, where the most sensitive personal and payment information of more than 148 million consumers -- nearly half of the population -- was accessed and stolen. The report summary:

"In 2005, former Equifax Chief Executive Officer(CEO) Richard Smith embarked on an aggressive growth strategy, leading to the acquisition of multiple companies, information technology (IT) systems, and data. While the acquisition strategy was successful for Equifax’s bottom line and stock price, this growth brought increasing complexity to Equifax’s IT systems, and expanded data security risks... Equifax, however, failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable."

The report cited several failures by Equifax. First:

"On March 7, 2017, a critical vulnerability in the Apache Struts software was publicly disclosed. Equifax used Apache Struts to run certain applications on legacy operating systems. The following day, the Department of Homeland Security alerted Equifax to this critical vulnerability. Equifax’s Global Threat and Vulnerability Management (GTVM) team emailed this alert to over 400 people on March 9, instructing anyone who had Apache Struts running on their system to apply the necessary patch within 48 hours. The Equifax GTVM team also held a March 16 meeting about this vulnerability. Equifax, however, did not fully patch its systems. Equifax’s Automated Consumer Interview System (ACIS), a custom-built internet-facing consumer dispute portal developed in the 1970s, was running a version of Apache Struts containing the vulnerability. Equifax did not patch the Apache Struts software located within ACIS, leaving its systems and data exposed."

As bad as that is, it gets worse:

"On May 13, 2017, attackers began a cyberattack on Equifax. The attack lasted for 76 days. The attackers dropped “web shells” (a web-based backdoor) to obtain remote control over Equifax’s network. They found a file containing unencrypted credentials (usernames and passwords), enabling the attackers to access sensitive data outside of the ACIS environment. The attackers were able to use these credentials to access 48 unrelated databases."

"Attackers sent 9,000 queries on these 48 databases, successfully locating unencrypted personally identifiable information (PII) data 265 times. The attackers transferred this data out of the Equifax environment, unbeknownst to Equifax. Equifax did not see the data exfiltration because the device used to monitor ACIS network traffic had been inactive for 19 months due to an expired security certificate. On July 29, 2017, Equifax updated the expired certificate and immediately noticed suspicious web traffic..."

Findings so far: 1) growth prioritized over security while archiving highly valuable data; 2) antiquated computer systems; 3) failed security patches; 4) unprotected user credentials; and 5) failed intrusion detection mechanism. Geez!

Only after updating its expired security certificate did Equifax notice the intrusion. After that, you'd think that Equifax would have implemented a strong post-breach response. You'd be wrong. More failures:

"When Equifax informed the public of the breach on September 7, the company was unprepared to support the large number of affected consumers. The dedicated breach website and call centers were immediately overwhelmed, and consumers were not able to obtain timely information about whether they were affected and how they could obtain identity protection services."

"Equifax should have addressed at least two points of failure to mitigate, or even prevent, this data breach. First, a lack of accountability and no clear lines of authority in Equifax’s IT management structure existed, leading to an execution gap between IT policy development and operation. This also restricted the company’s implementation of other security initiatives in a comprehensive and timely manner. As an example, Equifax had allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains."

"Second, Equifax’s aggressive growth strategy and accumulation of data resulted in a complex IT environment. Equifax ran a number of its most critical IT applications on custom-built legacy systems. Both the complexity and antiquated nature of Equifax’s IT systems made IT security especially challenging..."

Findings so far: 6) inadequate post-breach response; and 7) complicated IT structure making updates difficult. Geez!

The report listed the executives who retired and/or were fired. That's a small start for a company archiving the most sensitive personal and payment information of all USA citizens. The report included seven recommendations:

"1: Empower Consumers through Transparency. Consumer reporting agencies (CRAs) should provide more transparency to consumers on what data is collected and how it is used. A large amount of the public’s concern after Equifax’s data breach announcement stemmed from the lack of knowledge regarding the extensive data CRAs hold on individuals. CRAs must invest in and deploy additional tools to empower consumers to better control their own data..."

"2: Review Sufficiency of FTC Oversight and Enforcement Authorities. Currently, the FTC uses statutory authority under Section 5 of the Federal Trade Commission Act to hold businesses accountable for making false or misleading claims about their data security or failing to employ reasonable security measures. Additional oversight authorities and enforcement tools may be needed to enable the FTC to effectively monitor CRA data security practices..."

"3: Review Effectiveness of Identity Monitoring and Protection Services Offered to Breach Victims. The General Accounting Office (GAO) should examine the effectiveness of current identity monitoring and protection services and provide recommendations to Congress. In particular, GAO should review the length of time that credit monitoring and protection services are needed after a data breach to mitigate identity theft risks. Equifax offered free credit monitoring and protection services for one year to any consumer who requested it... This GAO study would help clarify the value of credit monitoring services and the length of time such services should be maintained. The GAO study should examine alternatives to credit monitoring services and identify additional or complementary services..."

"4: Increase Transparency of Cyber Risk in Private Sector. Federal agencies and the private sector should work together to increase transparency of a company’s cybersecurity risks and steps taken to mitigate such risks. One example of how a private entity can increase transparency related to the company’s cyber risk is by making disclosures in its Securities and Exchange Commission (SEC) filings. In 2011, the SEC developed guidance to assist companies in disclosing cybersecurity risks and incidents. According to the SEC guidance, if cybersecurity risks or incidents are “sufficiently material to investors” a private company may be required to disclose the information... Equifax did not disclose any cybersecurity risks or cybersecurity incidents in its SEC filings prior to the 2017 data breach..."

"5: Hold Federal Contractors Accountable for Cybersecurity with Clear Requirements. The Equifax data breach and federal customers’ use of Equifax identity validation services highlight the need for the federal government to be vigilant in mitigating cybersecurity risk in federal acquisition. The Office of Management and Budget (OMB) should continue efforts to develop a clear set of requirements for federal contractors to address increasing cybersecurity risks, particularly as it relates to handling of PII. There should be a government-wide framework of cybersecurity and data security risk-based requirements. In 2016, the Committee urged OMB to focus on improving and updating cybersecurity requirements for federal acquisition... The Committee again urges OMB to expedite development of a long-promised cybersecurity acquisition memorandum to provide guidance to federal agencies and acquisition professionals..."

"6: Reduce Use of Social Security Numbers as Personal Identifiers. The executive branch should work with the private sector to reduce reliance on Social Security numbers. Social Security numbers are widely used by the public and private sector to both identify and authenticate individuals. Authenticators are only useful if they are kept confidential. Attackers stole the Social Security numbers of an estimated 145 million consumers from Equifax. As a result of this breach, nearly half of the country’s Social Security numbers are no longer confidential. To better protect consumers from identity theft, OMB and other relevant federal agencies should pursue emerging technology solutions as an alternative to Social Security number use."

"7: Implement Modernized IT Solutions. Companies storing sensitive consumer data should transition away from legacy IT and implement modern IT security solutions. Equifax failed to modernize its IT environments in a timely manner. The complexity of the legacy IT environment hosting the ACIS application allowed the attackers to move throughout the Equifax network... Equifax’s legacy IT was difficult to scan, patch, and modify... Private sector companies, especially those holding sensitive consumer data like Equifax, must prioritize investment in modernized tools and technologies...."

The history of corporate data breaches and the above list of corporate failures by Equifax both should be warnings to anyone in government promoting the privatization of current government activities. Companies screw up stuff, too.

Recommendation #6 is frightening in that it hasn't been implemented. Yikes! No federal agency should do business with a private sector firm operating with antiquated computer systems. And, if Equifax can't protect the information it archives, it should cease to exist. While that sounds harsh, it ain't. Continual data breaches place risks and burdens upon already burdened consumers trying to control and protect their data.

What are your opinions of the report? Did it go far enough?


Massive Data Breach At U.S. Postal Service Affects 60 Million Users

The United States Postal Service (USPS) experienced a massive data breach due to a vulnerable component at its website. The "application program interface" (API) component allowed unauthorized users to access and download details about other users of the Informed Visibility service.

Security researcher Brian Krebs explained:

"In addition to exposing near real-time data about packages and mail being sent by USPS commercial customers, the flaw let any logged-in usps.com user query the system for account details belonging to any other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.

Many of the API’s features accepted “wildcard” search parameters, meaning they could be made to return all records for a given data set without the need to search for specific terms. No special hacking tools were needed to pull this data, other than knowledge of how to view and modify data elements processed by a regular Web browser like Chrome or Firefox."

Geez! The USPS has since fixed the API vulnerability. Regardless, this is bad, very bad, for several reasons. Not only should the vulnerable API have prevented one user from viewing details about another, but it allowed changes to some data elements. Krebs added:

"A cursory review by KrebsOnSecurity indicates the promiscuous API let any user request account changes for any other user, such as email address, phone number or other key details. Fortunately, the USPS appears to have included a validation step to prevent unauthorized changes — at least with some data fields... The ability to modify database entries related to Informed Visibility user accounts could create problems for the USPS’s largest customers — think companies like Netflix and others that get discounted rates for high volumes. For instance, the API allowed any user to convert regular usps.com accounts to Informed Visibility business accounts, and vice versa."

About 13 million Informed Delivery users were also affected, since the vulnerable API component affected all USPS.com users. A vulnerability like this makes package theft easier, since criminals could determine when certain types of mail (e.g., debit cards, credit cards, etc.) arrive at users' addresses. The vulnerability probably existed for more than a year, since that is when a security researcher first alerted the USPS to it.
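The access-control gap Krebs describes above, shown as an added example that is not USPS code: a lookup that only checks for a login, beside one that binds each record to its owner, rejects wildcard search parameters, and applies the same ownership check to writes. Account ids, owners and field names are constructed for illustration.

```python
"""Object-level authorization for an account-details API (illustrative)."""
import fnmatch

# Constructed sample data standing in for an account-details data set.
ACCOUNTS = {
    "u1001": {"owner": "alice", "email": "alice@example.com", "phone": "555-0101", "type": "regular"},
    "u1002": {"owner": "bob",   "email": "bob@example.com",   "phone": "555-0102", "type": "business"},
    "u1003": {"owner": "carol", "email": "carol@example.com", "phone": "555-0103", "type": "regular"},
}

# Fields a user may change on their own account; "type" is deliberately excluded.
USER_EDITABLE = ("email", "phone")


class Forbidden(Exception):
    """Caller is not allowed to act on the requested record."""


class BadRequest(Exception):
    """Request parameter rejected before it reaches the data store."""


def lookup_vulnerable(session_user, account_id):
    # BROKEN: verifies that *someone* is logged in, never that the caller owns the record.
    if session_user is None:
        raise Forbidden("login required")
    return ACCOUNTS[account_id]


def search_vulnerable(session_user, pattern):
    # BROKEN: the pattern reaches the matcher untouched, so "*" returns every record.
    if session_user is None:
        raise Forbidden("login required")
    return [rec for aid, rec in ACCOUNTS.items() if fnmatch.fnmatchcase(aid, pattern)]


def _owns(session_user, account_id):
    rec = ACCOUNTS.get(account_id)
    return rec is not None and rec["owner"] == session_user


def lookup(session_user, account_id):
    # FIXED: object-level check ties the requested id to the authenticated caller.
    if session_user is None:
        raise Forbidden("login required")
    if not _owns(session_user, account_id):
        # Same response for "missing" and "belongs to someone else", so ids cannot be enumerated.
        raise Forbidden("not your account")
    return ACCOUNTS[account_id]


def search(session_user, pattern):
    # FIXED: wildcard metacharacters are rejected at the edge, and results are scoped
    # to the caller's own records rather than the whole data set.
    if session_user is None:
        raise Forbidden("login required")
    if any(ch in pattern for ch in "*?[]"):
        raise BadRequest("wildcards are not accepted")
    return [rec for aid, rec in ACCOUNTS.items()
            if aid == pattern and rec["owner"] == session_user]


def update(session_user, account_id, field, value):
    # FIXED: writes get the same ownership check as reads, and only whitelisted
    # fields are writable, so nobody can flip another account's "type".
    if not _owns(session_user, account_id):
        raise Forbidden("not your account")
    if field not in USER_EDITABLE:
        raise BadRequest(f"field {field!r} is not user-editable")
    ACCOUNTS[account_id][field] = value
    return ACCOUNTS[account_id]
```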

While the USPS provided a response to Krebs on Security, a check at press time of the Newsroom and blog sections of About.USPS.com failed to find any mention of the data breach. Not good. Transparency matters.

If the USPS is serious about data security, then it should issue a public statement. When will users receive breach notification letters, if they haven't been sent? Who fixed the vulnerable API? How long was it broken? What post-breach investigation is underway? What types of changes (e.g., employee training, software testing, outsource vendor management, etc.) are being implemented so this won't happen again?

Trust matters. The lack of a public statement makes it difficult for consumers to judge the seriousness of the breach and the seriousness of the fix by USPS. We probably will hear more about this breach.


Federal Reserve Released Its Non-cash Payments Fraud Report. Have Chip Cards Helped?

Many consumers prefer to pay for products and services using methods other than cash. How secure are these non-cash payment methods? The Federal Reserve Board (FRB) analyzed the payments landscape within the United States. Its October 2018 report found good and bad news. The good news: non-cash payments fraud is small. The bad news:

  • Overall, non-cash payments fraud is growing; and
  • Card payments fraud drove the growth.

Non-Cash Payment Activity And Fraud

  Payment Type                           2012              2015              Increase (Decrease)
  Card payments & ATM withdrawal fraud   $4 billion        $6.5 billion      62.5 percent
  Check fraud                            $1.1 billion      $710 million      (35) percent
  Non-cash payments fraud                $6.1 billion      $8.3 billion      37 percent
  Total non-cash payments                $161.2 trillion   $180.3 trillion   12 percent

The FRB report included:

"... fraud totals and rates for payments processed over general-purpose credit and debit card networks, including non-prepaid and prepaid debit card networks, the automated clearinghouse (ACH) transfer system, and the check clearing system. These payment systems form the core of the noncash payment and settlement systems used to clear and settle everyday payments made by consumers and businesses in the United States. The fraud data were collected as part of Federal Reserve surveys of depository institutions in 2012 and 2015 and payment card networks in 2015 and 2016. The types of fraudulent payments covered in the study are those made by an unauthorized third party."

Data from the card network survey included general-purpose credit and debit (non-prepaid and prepaid) card payments, but did not include ATM withdrawals. The card networks include Visa, MasterCard, Discover and others. Additional findings:

"... the rate of card fraud, by value, was nearly flat from 2015 to 2016, with the rate of in-person card fraud decreasing notably and the rate of remote card fraud increasing significantly..."

The industry defines several categories of card fraud:

  1. "Counterfeit card. Fraud is perpetrated using an altered or cloned card;
  2. Lost or stolen card. Fraud is undertaken using a legitimate card, but without the cardholder’s consent;
  3. Card issued but not received. A newly issued card sent to a cardholder is intercepted and used to commit fraud;
  4. Fraudulent application. A new card is issued based on a fake identity or on someone else’s identity;
  5. Fraudulent use of account number. Fraud is perpetrated without using a physical card. This type of fraud is typically remote, with the card number being provided through an online web form or a mailed paper form, or given orally over the telephone; and
  6. Other. Fraud including fraud from account take-over and any other types of fraud not covered above."
Card Fraud By Category

  Fraud Category                     2015            2016            Increase (Decrease)
  Fraudulent use of account number   $2.88 billion   $3.46 billion   20 percent
  Counterfeit card fraud             $3.05 billion   $2.62 billion   (14) percent
  Lost or stolen card fraud          $730 million    $810 million    11 percent
  Fraudulent application             $210 million    $360 million    71 percent

The increase in fraudulent application suggests that criminals consider it easy to intercept pre-screened credit and card offers sent via postal mail. It is easy for consumers to opt out of pre-screened credit and card offers. There is also the National Do Not Call Registry. Do both today if you haven't.

The report also covered EMV chip cards, which were introduced to stop counterfeit card fraud. Card networks distributed chip cards to consumers and chip-reader terminals to retailers. The banking industry had set an October 1, 2015 deadline to switch to chip cards. The FRB report:

[Chart: EMV chip card fraud and payments. Source: Federal Reserve Board, October 2018.]

The FRB concluded:

"Card systems brought EMV processing online, and a liability shift, beginning in October 2015, created an incentive for merchants to accept chip cards. By value, the share of non-fraudulent in-person payments made with [chip cards] shifted dramatically between 2015 and 2016, with chip-authenticated payments increasing from 3.2 percent to 26.4 percent. The share of fraudulent in-person payments made with [chip cards] also increased from 4.1 percent in 2015 to 22.8 percent in 2016. As [chip cards] are more secure, this growth in the share of fraudulent in-person chip payments may seem counter-intuitive; however, it reflects the overall increase in use. Note that in 2015, the share of fraudulent in-person payments with [chip cards] (4.1 percent) was greater than the share of non-fraudulent in-person payments with [chip cards] (3.2 percent), a relationship that reversed in 2016."


Senator Wyden Introduces Bill To Help Consumers Regain Online Privacy And Control Over Sensitive Data

Late last week, Senator Ron Wyden (Dem - Oregon) introduced a "discussion draft" of legislation to help consumers recover online privacy and control over their sensitive personal data. Senator Wyden said:

"Today’s economy is a giant vacuum for your personal information – Everything you read, everywhere you go, everything you buy and everyone you talk to is sucked up in a corporation’s database. But individual Americans know far too little about how their data is collected, how it’s used and how it’s shared... It’s time for some sunshine on this shadowy network of information sharing. My bill creates radical transparency for consumers, gives them new tools to control their information and backs it up with tough rules with real teeth to punish companies that abuse Americans’ most private information.”

The press release by Senator Wyden's office explained the need for new legislation:

"The government has failed to respond to these new threats: a) Information about consumers’ activities, including their location information and the websites they visit is tracked, sold and monetized without their knowledge by many entities; b) Corporations’ lax cybersecurity and poor oversight of commercial data-sharing partnerships has resulted in major data breaches and the misuse of Americans’ personal data; c) Consumers have no effective way to control companies’ use and sharing of their data."

Consumers in the United States lost both control and privacy protections when the U.S. Federal Communications Commission (FCC), led by President Trump appointee Ajit Pai, a former Verizon lawyer, repealed last year both broadband privacy and net neutrality protections for consumers. A December 2017 study of 1,077 voters found that most want net neutrality protections. President Trump signed the privacy-rollback legislation in April 2017. A prior blog post listed many historical abuses of consumers by some internet service providers (ISPs).

With the repealed broadband privacy, ISPs are free to collect and archive as much data about consumers as desired without having to notify and get consumers' approval of the collection nor of who they share archived data with. That's 100 percent freedom for ISPs and zero freedom for consumers.

By repealing online privacy and net neutrality protections for consumers, the FCC essentially punted responsibility to the U.S. Federal Trade Commission (FTC). According to Senator Wyden's press release:

"The FTC, the nation’s main privacy and data security regulator, currently lacks the authority and resources to address and prevent threats to consumers’ privacy: 1) The FTC cannot fine first-time corporate offenders. Fines for subsequent violations of the law are tiny, and not a credible deterrent; 2) The FTC does not have the power to punish companies unless they lie to consumers about how much they protect their privacy or the companies’ harmful behavior costs consumers money; 3) The FTC does not have the power to set minimum cybersecurity standards for products that process consumer data, nor does any federal regulator; and 4) The FTC does not have enough staff, especially skilled technology experts. Currently about 50 people at the FTC police the entire technology sector and credit agencies."

This means consumers have no protections nor legal options unless the company, or website, violates its published terms and conditions and privacy policies. To solve the above gaps, Senator Wyden's new legislation, titled the Consumer Data Privacy Act (CDPA), contains several new and stronger protections. It:

"... allows consumers to control the sale and sharing of their data, gives the FTC the authority to be an effective cop on the beat, and will spur a new market for privacy-protecting services. The bill empowers the FTC to: i) Establish minimum privacy and cybersecurity standards; ii) Issue steep fines (up to 4% of annual revenue), on the first offense for companies and 10-20 year criminal penalties for senior executives; iii) Create a national Do Not Track system that lets consumers stop third-party companies from tracking them on the web by sharing data, selling data, or targeting advertisements based on their personal information. It permits companies to charge consumers who want to use their products and services, but don’t want their information monetized; iv) Give consumers a way to review what personal information a company has about them, learn with whom it has been shared or sold, and to challenge inaccuracies in it; v) Hire 175 more staff to police the largely unregulated market for private data; and vi) Require companies to assess the algorithms that process consumer data to examine their impact on accuracy, fairness, bias, discrimination, privacy, and security."

Permitting companies to charge consumers who opt out of data collection and sharing is a good thing. Why? Monthly payments by consumers are leverage -- a strong incentive for companies to provide better cybersecurity.

Business as usual -- cybersecurity methods by corporate executives and government enforcement -- isn't enough. The tsunami of data breaches is an indication. During October alone:

A few notable breach events from earlier this year:

The status quo, or business as usual, is unacceptable. Executives' behavior won't change without stronger consequences like jail time, since companies perform cost-benefit analyses regarding how much to spend on cybersecurity versus the probability of breaches and fines. Opt-outs of data collection and sharing by consumers, steeper fines, and criminal penalties could change those cost-benefit calculations.

Four former chief technologists at the FCC support Senator Wyden's legislation. Gabriel Weinberg, the Chief Executive Officer of DuckDuckGo, also supports it:

"Senator Wyden’s proposed consumer privacy bill creates needed privacy protections for consumers, mandating easy opt-outs from hidden tracking. By forcing companies that sell and monetize user data to be more transparent about their data practices, the bill will also empower consumers to make better-informed privacy decisions online, enabling companies like ours to compete on a more level playing field."

Regular readers of this blog know that the DuckDuckGo search engine (unlike Google, Bing and Yahoo search engines) doesn't track users, doesn't collect nor archive data about users and their devices, and doesn't collect nor store users' search criteria. So, DuckDuckGo users can search knowing their data isn't being sold to advertisers, data brokers, and others.

Lastly, Wyden's proposed legislation includes several key definitions (emphasis added):

"... The term "automated decision system" means a computational process, including one derived from machine learning, statistics, or other data processing or artificial intelligence techniques, that makes a decision or facilitates human decision making, that impacts consumers... The term "automated decision system impact assessment" means a study evaluating an automated decision system and the automated decision system’s development process, including the design and training data of the automated decision system, for impacts on accuracy, fairness, bias, discrimination, privacy, and security that includes... The term "data protection impact assessment" means a study evaluating the extent to which an information system protects the privacy and security of personal information the system processes... "

The draft legislation requires companies to perform both automated decision system impact assessments and data protection impact assessments, and requires the FTC to set the frequency and conditions for both. A copy of the CDPA draft is also available here (Adobe PDF; 67.7 k bytes).

This is a good start. It is important... critical... to hold accountable both corporate executives and the automated decision systems they approve and deploy. Based upon history, outsourcing has been one corporate tactic to manage liability by shifting it to providers. It is good to close now any loopholes where executives could abuse artificial intelligence and related technologies to avoid responsibility.

What are your thoughts, opinions of the proposed legislation?


Data Breach Affects 75,000 Healthcare.gov Users

On Friday, the Centers For Medicare and Medicaid Services (CMS) announced a data breach at a computer system which interacts with the Healthcare.gov site. Files for about 75,000 users -- agents and brokers -- were accessed by unauthorized persons. The announcement stated:

"Earlier this week, CMS staff detected anomalous activity in the Federally Facilitated Exchanges, or FFE’s Direct Enrollment pathway for agents and brokers. The Direct Enrollment pathway, first launched in 2013, allows agents and brokers to assist consumers with applications for coverage in the FFE... CMS began the initial investigation of anomalous system activity in the Direct Enrollment pathway for agents and brokers on October 13, 2018 and a breach was declared on October 16, 2018. The agent and broker accounts that were associated with the anomalous activity were deactivated, and – out of an abundance of caution – the Direct Enrollment pathway for agents and brokers was disabled."

CMS has notified and is working with Federal law enforcement. It expects to restore the Direct Enrollment pathway for agents and brokers within the next 7 days, before the start of the sign-up period on November 1st for health care coverage under the Affordable Care Act.

CMS Administrator Seema Verma said:

"I want to make clear to the public that HealthCare.gov and the Marketplace Call Center are still available, and open enrollment will not be negatively impacted. We are working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection."

Sadly, data breaches happen -- all too often within government agencies and corporations. It should be noted that this breach was detected quickly -- within 3 days. Other data breaches have gone undetected for weeks or months; and too many corporate data breaches affected millions.



New York State Attorney General Expands Investigation Into Fraudulent 'Net Neutrality' Comments Submitted To FCC

The Attorney General (AG) for New York State has expanded its fraud investigation regarding net neutrality comments submitted to the U.S. Federal Communications Commission (FCC) website in 2017. The New York Times reported that the New York State AG has:

"... subpoenaed more than a dozen telecommunications trade groups, lobbying contractors and Washington advocacy organizations on Tuesday, seeking to determine whether the groups submitted millions of fraudulent public comments to sway a critical federal decision on internet regulation... The attorney general, Barbara D. Underwood, is investigating the source of more than 22 million public comments submitted to the F.C.C. during the battle over the regulations. Millions of comments were provided using temporary or duplicate email addresses, while others recycled identical phrases. Seven popular comments, repeated verbatim, accounted for millions more. The noise from the fake or orchestrated comments appears to have broadly favored the telecommunications industry..."

Also this month, the Center For Internet & Society reported the results of a study at Stanford University (bold emphasis added):

"In the leadup to the FCC's historic vote in December 2017 to repeal all net neutrality protections, 22 million comments were filed to the agency. But unfortunately, millions of those comments were fake. Some of the fake comments were part of sophisticated campaigns that filed fake comments using the names of real people - including journalists, Senators and dead people. The FCC did nothing to try to prevent comment stuffing and comment fraud, and even after the vote, made no attempt to help the public, journalists, policy makers actually understand what Americans actually told the FCC... This report used the 800,000 comments Kao identified as semantic standouts from form letter and fraud campaigns. These unique comments were overwhelmingly in support of keeping the 2015 Open Internet Order - in fact, 99.7% of comments opposed the repeal of net neutrality protections. This report then matched and sorted those comments to geographic areas, including the 50 states and every Congressional District..."

An investigation in 2017 by the New York State AG found that about 2 million of the comments submitted to the FCC about net neutrality "stole real Americans' identities." A follow-up investigation found that more than 9 million comments "used stolen identities."

The FCC, led by Trump appointee Ajit Pai, a former Verizon lawyer, repealed last year both broadband privacy and net neutrality protections for consumers. The FCC has ignored requests to investigate comments fraud. A December 2017 study of 1,077 voters found that most want net neutrality protections. President Trump signed the privacy-rollback legislation in April 2017. A prior blog post listed many historical abuses of consumers by some ISPs.

Some of the organizations subpoenaed by the New York State AG include (links added):

"... Broadband for America, Century Strategies, and MediaBridge. Broadband for America is a coalition supported by cable and telecommunications companies; Century Strategies is a political consultancy founded by Ralph Reed, the former director of the Christian Coalition; and MediaBridge is a conservative messaging firm..."

Reportedly, the New York AG has requested information from groups that both opposed and supported net neutrality protections. The New York AG operates a website where consumers can check for fake comments submitted to the FCC. (When you check, enter your name in quotes for a more precise search. And check the street address, since many people have the same name.) I checked. You can read my valid comment submitted to the FCC.

This whole affair is another reminder of how a democracy can be attacked and undermined by abusing online tools. A prior post discussed how social media has been abused.


FTC: How You Should Handle Robocalls. 4 Companies Settle Regarding Privacy Shield Claims

First, it seems that the number of robocalls has increased during the past two years. Some automated calls are in English. Some are in other languages. All try to trick consumers into sending money or disclosing sensitive financial and payment information. Advice from the U.S. Federal Trade Commission (FTC):

Second, the FTC announced a settlement agreement with four companies:

"In separate complaints, the FTC alleges that IDmission, LLC, mResource LLC (doing business as Loop Works, LLC), SmartStart Employment Screening, Inc., and VenPath, Inc. falsely claimed to be certified under the EU-U.S. Privacy Shield, which establishes a process to allow companies to transfer consumer data from European Union countries to the United States in compliance with EU law... The Department of Commerce administers the Privacy Shield framework, while the FTC enforces the promises companies make when joining the framework."

According to the lawsuits, IDmission, a cloud-based services firm, applied in 2017 for Privacy Shield certification with the U.S. Department of Commerce but never completed the necessary steps to be certified under the program. The other three companies each obtained Privacy Shield certification in 2016 but allowed their certifications to lapse. VenPath is a data analytics firm. SmartStart offers employment and background screening services. mResource provides talent management and recruitment services.

Terms of the settlement agreements prohibit all four companies from misrepresenting their participation in any privacy or data security program sponsored by the government. Also:

"... VenPath and SmartStart must also continue to apply the Privacy Shield protections to personal information they collected while participating in the program, protect it by another means authorized by the Privacy Shield framework, or return or delete the information within 10 days of the order."


The Overlooked Weak Link in Election Security

[Editor's note: today's guest post, by reporters at ProPublica, discusses voting and elections security within the United States. It is reprinted with permission.]

By Jack Gillum and Jessica Huseman, ProPublica

More than one-third of counties that are overseeing elections in some of the most contested congressional races this November run email systems that could make it easy for hackers to log in and steal potentially sensitive information.

A ProPublica survey found that official email accounts used by 11 county election offices, which are in charge of tallying votes in 12 key U.S. House of Representatives races from California to Ohio, could be breached with only a user name and password — potentially allowing hackers to vacuum up confidential communications or impersonate election administrators. Cybersecurity experts recommend having a second means of verifying a user’s identity, such as typing in an additional code from a smartphone or card, to thwart intruders who have gained someone’s login credentials through trickery or theft. This system, known as two-factor verification, is available on many commercial email services.

“Humans are horrific at creating passwords, which is why ‘password’ is the most commonly used password,” said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology in Washington, D.C., who has pushed for security fixes in the voting process. “This means increasingly we need something other than passwords to secure access to our accounts, especially email, which tends to undergird all our other accounts.”

The email vulnerabilities emerged in ProPublica’s survey of election security in 27 counties encompassing all or part of roughly 40 congressional districts that the Cook Political Report has said are toss-ups. These contests could determine if Democrats take control of the U.S. House of Representatives, where the party needs to pick up about two dozen seats to flip the current Republican majority. Of the 12 districts in counties with less protected email systems, Republicans are seeking re-election in 10. The other two are open seats where incumbents are stepping down.

Much attention has focused on the potential to hack voting machines. In the “Voting Village” at the Def Con security conference this summer in Las Vegas, hackers sought to compromise a handful of machines. But lax protections for internet-connected systems like email servers may pose just as serious a threat.

The lack of two-factor verification may have helped Russian hackers ultimately gain access to the Democratic National Committee’s network in April 2016, according to a federal indictment. Prosecutors say a Democratic campaign employee unwittingly put her password into a spearphishing email – a targeted message meant to dupe users into sharing their login information. Russian hackers also tricked John Podesta, Hillary Clinton’s campaign chairman, into handing over his password, enabling an embarrassing leak of his emails weeks before the election.

Even a program created by the Kansas secretary of state’s office to prevent voter fraud was vulnerable to snooping, ProPublica reported last year. The program, Crosscheck, sought to identify voters casting ballots in more than one state by comparing the rolls across states. But its files were hosted on an insecure server, and program officials regularly shared user names and passwords—many of them overly simplistic—for the site by email as late as 2017. Crosscheck paused operations in 2018 because of concerns about security and accuracy, and it is unclear when it will begin matching rolls again. The Kansas Secretary of State’s office did not return a request for comment.

A different kind of cyber-attack in 2016 manipulated the software code behind Illinois’ voter-registration system to expose the personal details of thousands of people. Matt Dietrich, a spokesman for the state board of elections, said the flaws that allowed the penetration have been fixed. Special counsel Robert Mueller charged 12 Russians this past July in connection with an unspecified breach that Illinois officials said was very likely the attack on the voter registration database.

“This wasn’t about to steal votes, but to create havoc,” Dietrich said. “If you can steal a voter database, and then go in and mess up the poll books that election judges rely on to check off voters, that’s going to be the story: That the United States can’t run a competent election.”

Using a checklist developed by Harvard’s Belfer Center for Science and International Affairs, ProPublica asked county election officials about their email systems, as well as about cybersecurity protections for voting machines and computers that check in voters at polling sites. Voter registration is generally handled at the state level, while counties administer elections and are responsible for protecting voting machines and verifying end-of-night vote tallies that determine winners.

Funded by local taxes, counties are generally run by elected commissioners and often have centralized IT staff overseeing email services for departments ranging from the medical examiner to public works. As a result, elections officials have to compete for IT resources and attention.

Most of the counties interviewed said they had bulletproofed their computer systems and voting equipment. Joel Miller, an election official in Linn County, Iowa, said the county has recently put in place two-factor authentication requirements for its email systems. “We all need minimum standards for network security,” he said. “We weren’t up to date until recently.”

The counties with vulnerable email systems ranged in population from Orange County, California, with 3.1 million people to Olmsted County, Minnesota, with 155,000. Orange County elections director Neal Kelley said he’d prefer to have two-factor authentication. It hasn’t been implemented yet, but is “on the short horizon,” he said. There are two toss-up House races in Orange County.

Noah Praetz, the director of elections for Cook County, Illinois, except the city of Chicago, said his office “lacks a little bit of control” when it comes to changing IT systems because the county-run network serves more than 24,000 employees. He said the county government doesn’t require two-factor authentication for employees to log into emails.

One county reported two problems. Fayette County, Kentucky, which includes Lexington, told ProPublica its electronic voting machines don’t produce a separate paper trail for voters to verify their choices. Nor does it use two-factor authentication on its email system. Fayette, one of the state’s largest counties, is home to a chunk of Kentucky’s 6th congressional district, where a once-safe Republican incumbent is facing an unexpectedly competitive challenger.

Don Blevins, the Fayette elections chief, told ProPublica his county is not at risk for an email hack that would affect voting or registration. “I don’t question that two-factor authentication is better,” he said, but added, “Since we don’t use email to conduct voting, nor voter registration, then the level of security is moot.”

Besides Orange, Olmsted, Cook, and Fayette, the counties without two-factor authentication were: Arapahoe County, Colorado; Linn County, Hennepin County, and Dakota County, Minnesota; Hamilton County, Ohio; King County, Washington; and Harris County, Texas.

Some counties have secured their emails but had other shortcomings. Shawnee County, Kansas, said it doesn’t yet have countermeasures to stop hackers from bringing down its website by overloading it with malicious traffic. If such a denial-of-service attack takes the site offline, election commissioner Andrew Howell said, officials would instead publish election results on social media.

Five of the 27 counties surveyed did not respond to multiple emails or phone calls from ProPublica: Polk County, Iowa; St. Louis County, Minnesota; Ocean County and Essex County, New Jersey; and Oneida County, New York.

U.S. law enforcement officials and cybersecurity experts have been working with states in the months leading up to the November midterms to improve election security. States are using some of the $380 million in newly earmarked federal funds to test for vulnerabilities and recruit and train IT staff, according to congressional testimony from the National Association of Secretaries of State.

Fixing technical problems isn’t cheap, and county governments have had to make hard choices when prioritizing spending. Tammy Patrick, a former election administrator in Arizona and now a senior adviser at the nonprofit Democracy Fund, said counties may consider it more urgent to replace outdated voting machines than to fix email systems.

That said, even short-lived IT security problems may have a corrosive effect on public trust in the accuracy of ballot results. “The last thing you want to do on Election Day is face problems you could have easily dealt with before then,” Hall, the technologist, said. “Officials will dismissively say, ‘It hasn’t happened to us.’ But with that attitude, you’re building a castle on sand.”

Ally Levine, Lilia Chang and Blake Paterson contributed to this report.


ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


How the Trump Administration Went Easy on Small-Town Police Abuses

[Editor's note: today's guest post, by reporters at ProPublica, explores allegations of inequities in law enforcement in the United States. It is reprinted with permission.]

By Ian MacDougall, ProPublica

On a chilly morning in December 2016, 12-year-old Bobby Lewis found himself sitting in a little room at the police station in Ville Platte, a town of 7,300 in southern Louisiana. He wasn’t sure exactly how long it had been, but the detective grilling him had been at it for some time. Bobby was a middle school student — a skinny kid with a polite demeanor — and though he got in trouble at school from time to time, he wasn’t used to getting treated like this. He was alone, facing the detective without a parent or a lawyer.

A blank piece of paper sat on the table in front of Bobby. He and his friends were thieves, the detective insisted. They sold drugs. They trafficked guns. The detective brushed off Bobby’s denials. She knew what he was up to, and if he didn’t write it all down — inform on his friends and confess to his crimes — she’d charge him. She’d confiscate his dog, Cinnamon, she told him. She’d throw his mother in jail. Bobby was nothing but a “B” and an “MF,” as he later relayed the detective’s words to me, sheepish about repeating them. When his mother finally turned up at the station house, it seemed only to enrage the detective further. “Wipe that fucking smile off your face, and sit up in that fucking chair,” Bobby and his mother recall the detective barking at him.

Earlier that day, Bobby told me, he had been walking home from a friend’s house when a police cruiser pulled up alongside him. He recognized one of the officers. Her name was Jessica LaBorde, but like most people in Ville Platte, Bobby knew her only as Scrappy. The sobriquet was too fitting not to stick. Profanity prone in the extreme, LaBorde was known for her tinderbox temper and hostile disposition. She styled herself like a Marine drill sergeant — fastidiously pressed police blues, jet-black hair pulled back tight — and she would become Bobby’s interrogator. (LaBorde did not respond to calls or a detailed list of questions about the incident.)

Somebody had put a rock through a window in one of the abandoned houses that litter Ville Platte, and a neighbor had seen three boys taking shelter from the rain under a carport nearby. But, the neighbor later told Bobby’s mother, Charlotte Lewis, he didn’t know which of the boys had thrown the rock. Bobby admitted he had been there but insisted he wasn’t the culprit.

Police need probable cause — evidence sufficient to show there’s a fair likelihood that a person committed a crime — to take someone into custody. Generally, an officer can’t detain somebody just because that person was near the scene of a crime. “Mere propinquity,” the U.S. Supreme Court has written, “does not, without more, give rise to probable cause.” Whether LaBorde didn’t know that or didn’t care, she ordered Bobby into the back of her squad car.

LaBorde didn’t call Bobby’s mother to tell her that her 12-year-old was in custody, according to a complaint Lewis later filed with the police department. But eventually another officer did. Lewis says she told the officer not to let anybody question her son until she got there. She had to wait out a morning downpour before she could walk to the station house.

Lewis was familiar with LaBorde’s rough reputation. Still, she told me, she was shocked by how her son was treated. “She cussed him out like he’s a stray dog,” she said. “It’s like my child is a convict or a criminal.” After two hours of pressing Bobby fruitlessly, LaBorde finally let him go — but not before charging him with criminal mischief, police records show. (A judge later dismissed the charge, Lewis told me; a friend admitted throwing the rock.)

Two weeks later, on Dec. 19, the U.S. Department of Justice issued a scathing report on policing in Ville Platte and surrounding Evangeline Parish. The investigation found that, for decades, the city Police Department and the parish Sheriff’s Office maintained an unwritten policy of jailing people without probable cause — for days and even weeks at a time — to pressure them to cooperate with law enforcement. These “investigative holds” ensnared anybody who might know something about criminal activity, from a suspect to a potential witness to a suspect’s relatives. As the Justice Department report put it, “Literally anyone in Evangeline Parish or Ville Platte could be arrested and placed ‘on hold’ at any time.” Many were. From 2012 to 2014 alone, the police unlawfully held at least 700 people in Ville Platte — close to a tenth of the town’s residents.

That, the report concluded, amounted to “a pattern or practice of unconstitutional conduct.” To end this cycle of abuses, the report prescribed an array of institutional changes to eliminate investigative holds, such as imposing new department protocols and overhauling training regimens.

The case wasn’t merely about Ville Platte. The Justice Department lawyers viewed it as a template. Similar policing practices exist in scores of towns and villages across the country, and Justice Department officials selected Ville Platte precisely because it was a pure embodiment of a widespread problem. They hoped it would provide a model for reform at other police departments.

Justice Department officials planned to negotiate a consent decree — a long-term reform plan supervised by a federal judge — with local officials. Systemic police reform was a defining feature of the Obama-era Justice Department, which considered judicial oversight key to dislodging unlawful practices as firmly entrenched as investigative holds were in Ville Platte.

But Jeff Sessions, who took office as attorney general just months after the Justice Department report, has a different view. He considers his predecessors’ reform efforts, particularly via consent decree, to be gross federal overreach that denigrates and demoralizes police. Sessions all but declared that the Justice Department was getting out of the business of meaningful police reform. There would be no consent decree in Ville Platte. Instead, the result is what former Justice Department officials say is an anemic reform plan, announced in June, that largely leaves the future of policing there to the police.

There’s little reason, they say, to expect that this plan will induce law enforcement in Ville Platte to change its ways. The town’s policing culture is defined by arbitrary arrest and detention — and it has been for a long time. It’s a culture that’s proven intensely resistant to change. “You do what you know,” one former Ville Platte police official told me. “And that’s all they know.”

When Neal Lartigue joined the Ville Platte Police Department in 1991, investigative holds were part of his training. “I’ve been here 27 years, and that was going on before I started,” he told me when I visited Ville Platte early this year. The practice was never enshrined in any manual, but it was as good as official policy at both the department and the Evangeline Parish Sheriff’s Office, which is headquartered in Ville Platte. (For its part, the Sheriff’s Office didn’t have a policy manual at all until last year.)

Lartigue rose to become the Police Department’s narcotics officer, and in that role, he was a regular practitioner of investigative holds, according to a former police official who worked with him during that time. Lartigue would “put people in jail” — people he thought might be drug users or small-time dealers — “and he’d make them sit there, and say: ‘You gonna tell me something? I know you ain’t got the drugs, but you’re getting them from somebody. Who you getting them from?’” the former police official told me.

It was an unnerving experience. Lartigue is an intimidating figure — a stern, laconic man with a shaved head and a stout frame. If his detainee pleaded ignorance, the former official said, Lartigue’s response was inevitably, “Well, then you’re gonna sit in jail till you decide you want to talk.” (Lartigue did not respond to requests for comment on his practices as an officer.)

Nothing had changed by 2006, when Lartigue was elected chief of police, a position he holds today. Investigative holds remained a basic policing tool in Ville Platte, like dusting for fingerprints or mapping a crime scene. According to the Justice Department report and former local law enforcement officials, the purpose of most investigative holds was to obtain information from a reticent subject: a confession from a suspect, details from a potential witness, denunciations from a prospective informant. On occasion, the point was simpler: to keep a suspect from getting in the way while a detective gathered enough evidence to support an arrest warrant, the probable cause needed to arrest the suspect in the first place. Age was no limiting factor. The Justice Department found more than two dozen instances in which juveniles were subjected to investigative holds.

Detainees — even those suspected of no wrongdoing — were strip-searched, booked and thrown in a jail cell, without access to a phone or a lawyer. The intermittent interrogations that followed, the Justice Department noted in its report, carried out “under the threat of continued, secret, indefinite detention,” raised the specter of “coerced statements or false confessions” and, worse, “improper criminal convictions.”

In 1991, the year Lartigue became a patrolman, the Supreme Court held that if police make an arrest without a warrant, they have to get a judge to verify that the arrest was based on probable cause “as soon as is reasonably feasible, but in no event later than 48 hours after arrest.” Police are not allowed, the high court said, to delay going to a judge “for the purpose of gathering additional evidence to justify the arrest.” Yet, investigative holds were unilateral in Ville Platte; judges were never asked to determine whether each arrest and detention was in line with the law.

Local officials maintain that the holds were an innocent outgrowth of parochialism. “We never intended to violate anyone’s constitutional rights,” Lartigue told local media after the Justice Department issued its 2016 report. The prevailing belief in Ville Platte, the Justice Department found, was that law enforcement could legally jail anybody for up to 72 hours without probable cause — a view of the law that had been wrong for more than half a century.

Ville Platte is a deeply isolated place. It sits on the upper edge of the Cajun Prairie, a plain of humid farmland flecked with palmettos, crawfish ponds and live oak that sprawls north from the marshy cane fields nearer to the Gulf of Mexico. In French, the words “ville platte” mean “flat town,” a name that, legend has it, was conferred by one of Napoleon’s former officers. Passing through in the 1850s, the landscape architect Frederick Law Olmsted lamented the tedium of the region’s “immense moist plain.”

The construction of Interstate 49, in the mid-1980s, bypassed Ville Platte and left it all the more sequestered. Apart from a few annual events, such as the summer Festival de la Viande Boucanée (the Festival of Smoked Meat), Ville Platte has few attractions to draw outsiders. It retains a distinctive sense of place. Gas stations still advertise boudin, cracklin and tasso. It's not uncommon to run into locals who speak the regional French dialect.

The other side of Ville Platte’s isolation is its poverty. Little gabled houses of shingle and clapboard are left abandoned to rot and collapse in the Woods, south of Main Street. In Crosstown, on the north side, the Parkview Shopping Center sits nearly tenantless, its vast, empty parking lot a reminder of all the spending power there’s not in Ville Platte. This May, an article in USA Today declared the town the poorest in Louisiana. Its median household income is about $18,700, compared with roughly $59,000 for the U.S. as a whole.

Ville Platte doesn’t have an organized civil rights community or a legal aid group to investigate policing practices, or any money to fund them. Local criminal defense attorneys might be expected to raise legal challenges to investigative holds, but they, too, thought a person could be held without probable cause for up to 72 hours, former Justice Department officials told me.

Some scoff at the notion that the problem was ignorance alone. There has always been an element within the local law enforcement apparatus, particularly in its upper ranks, that didn’t care what courts and statutes required, say five current and former local law enforcement officials. For that set, the guiding principle was convenience. “We call it the Sovereign State of Evangeline,” one parish resident told me. “Our officials don’t follow the law. They make their own law, and we have to follow it.”

In fact, those officials even flouted their own mistaken view of the law: the 72 hours they believed to be the legal limit on holds. The Justice Department documented "several dozen investigative holds" at the Ville Platte Police Department that "extended for at least a full week."

In 2014, attorneys at the Justice Department’s Civil Rights Division, which handles police reform cases, received a call from an FBI agent named Steve Krueger. Krueger had been assisting a murder investigation in Ville Platte when he’d learned about investigative holds. The FBI agent had been shocked by the patent illegality of the practice, people familiar with the episode said. He met with Lartigue and his detectives to explain that the holds were unconstitutional. The police chief shrugged off Krueger’s entreaties, according to the Justice Department’s 2016 report.

Krueger saw firsthand the harm investigative holds did to public safety in Ville Platte. People with information about his murder case had proved uncommonly hesitant to talk to him, he told colleagues. Citizens worried about getting thrown in jail if the police thought they knew anything of value. As the Justice Department’s report put it, decades of arbitrary detention had bred “deep community mistrust and fear of law enforcement.”

Police reform cases rely primarily on a Clinton-era law that Civil Rights Division attorneys often call 14141, for its original designation in the U.S. Code. The law empowers the Justice Department to investigate and sue law enforcement agencies when they “engage in a pattern or practice of conduct” that deprives people of their civil rights.

In 2009, Tom Perez took the helm at the Civil Rights Division and began to breathe new life into 14141, several former Justice Department officials say. (Perez is now chairman of the Democratic National Committee.) The Bush administration had largely sidelined police reform, favoring out-of-court settlement agreements when it entered into agreements at all. The federal government, Bush said, shouldn't be "a separate internal affairs division."

After studying earlier cases, Perez’s team became convinced that a court-enforceable consent decree was far more likely to produce meaningful change in most instances. Given the time reform can take, “you need to have a sustained effort, and that needs to be supported and backed up by a judge, a federal judge who’s got the authority to force people to comply with their obligations,” said Jonathan Smith, who led the section that handles police reform from 2010 to 2015.

A consent decree contains a set of institutional changes a police department has agreed to make, after negotiations with the Justice Department. A judge approves the agreement and oversees the reform process, usually assisted by an independent monitoring team. Intransigent police officials risk being held in contempt of court or even prosecuted. The judge lifts the consent decree only after the department has restructured its practices and ended its abuses. This typically occurs several years after the decree was put in place.

A growing (albeit not unanimous) body of empirical evidence suggests consent decrees measurably improve police practices. But nobody argues they’re a panacea. “Consent decrees don’t turn departments into A+ departments,” said Christy Lopez, the supervisor for the Civil Rights Division’s police-reform attorneys during the Obama administration. But, she added, “if, after a consent decree, a department is still a C-, it sure makes a big difference for the people who were living with an F department.”

Perez and his successor, Vanita Gupta, had an ambitious vision for what 14141 could achieve. They targeted common types of police misconduct and designed consent decrees to be templates for reform at other departments. “They became models for a set of best practices across the field,” Gupta told me. Another innovation was bringing local communities into the reform process. It was their rights police had violated, and they would be the ones to hold police accountable after a consent decree was lifted.

By the time Krueger placed his call to Washington, in 2014, the small group of attorneys handling 14141 cases had their hands full. In all, the Obama Justice Department would enter into 14 consent decrees, more than twice as many as the Bush and Clinton administrations combined.

But Ville Platte struck supervisors as worth the time commitment. Moving law enforcement there away from investigative holds — an egregious example of a fairly widespread policing practice — could guide improvements at other police forces that used such tactics.

Lawyers at the Civil Rights Division had received reports of similar practices throughout Louisiana, Mississippi and Alabama, as well as parts of Florida. “The problem in Ville Platte is very common throughout the South,” Smith said. Indeed, court records showed the problem extended across the U.S., from Texas to Michigan and Georgia to Montana. “You would constantly see judges dropping footnotes: ‘I’m not really sure about the constitutionality of this practice, but nobody raised it,’” a former Justice Department official told me. “So, we need to raise it.”

In April 2015, the Justice Department announced an investigation into whether the use of investigative holds in Ville Platte amounted to a pattern or practice of unconstitutional police conduct. In the meantime, the FBI’s Krueger had continued to examine policing practices in the town.

In response to the attention from the FBI, Lartigue told me, he told his officers and detectives that they couldn’t use investigative holds any longer. Instead, there was a new procedure: Before they booked anybody, they needed to write up a statement of probable cause, have it notarized and prepare it to be sent to a judge. In December 2014, the Police Department began to require that its detectives and officers become notaries public. That, Lartigue said, would reduce the time it took after an arrest to get a statement of probable cause notarized and sent to a judge for review. “That was our only issue — the holds — and we quickly, swiftly got rid of it,” he told me. (The Sheriff’s Office instituted similar changes.)

But what Justice Department attorneys found over the next 20 months indicated that serious problems remained. Local detectives still maintained that all they needed to jail somebody was a “hunch,” a “gut instinct” or “a pretty good feeling” that a person knew something about a crime.

Many less senior members of the Ville Platte Police Department acknowledged to Justice Department attorneys that they knew little about proper police procedure. “You haven’t had anybody tell you the right way to do things,” said Jonathon Sparks, a former officer who began working at the Ville Platte Police Department in 2009, when he was 19. “It was only later in life I realized these people’s civil rights were being violated.”

There were no beds, toilets, or running water in Ville Platte’s jail cells. Cut off from the outside world, a person on hold spent nights sleeping on a metal bench or on the concrete floor. A woman named Shawana Deville told the attorneys from Washington about the time police had held her overnight as a potential witness to a shooting. Jail guards ordered her to remove her tampon, and she spent the night sleeping on the floor without one. Lartigue confirmed her detention to Justice Department officials. “I just cried the whole time,” Deville would later tell a local television station.

Deville is white, but the vast majority of people put on hold were black, former Justice Department officials told me. It wasn't a simple story of racist white cops, though. Two-thirds of Ville Platte's residents are black, and the local power structure has given ground in recent years to black officials, including the mayor and Lartigue.

But that hasn’t uprooted the old dynamic between power and race. “When we were growing up, there was nothing but white cops, and we thought it was bad,” one black Ville Platte resident, Raymond Anderson, told me. “But when the blacks came in, that didn’t make it easier.” (Anderson’s son is in prison — wrongfully, Anderson contends — for the murder that led police to hold Deville.)

Local residents, as Krueger had seen, feared what law enforcement would do to them if they spoke out. Nevertheless, at a community meeting in September 2015, about 150 people turned up to share their experiences with the Justice Department attorneys. “When you speak up, you are looked at as a trouble maker,” one of them told a local reporter after the meeting. But optimism overcame fear of police retaliation. If they shared their stories, the Justice Department might bring its power and resources to bear on police misconduct in Ville Platte.

As the investigation proceeded, Lartigue told me, he made a few more changes aimed at satisfying the Justice Department — “very few,” he added, to underscore his view that he’d already done all he needed to do. In March 2016, the Police Department revised its policy manual to prohibit detaining witnesses. “Unfortunately,” the policy stated, though the practice is “convenient and effective,” it “can result in civil liability.”

Despite such steps, the legal peril for law enforcement in Ville Platte seemed to be rising as 2016 progressed. The feds weren’t the only ones circling; Louisiana state prosecutors had begun their own investigation. Krueger had retired from the FBI in 2015 — and promptly teamed up with the Louisiana State Inspector General, people familiar with the case said. They eventually brought a case to Jeff Landry, the state’s newly elected attorney general. Landry agreed to open a criminal investigation, with assistance from the FBI, into unlawful detention in Ville Platte.

In mid-November 2016, Donald Trump announced that he would nominate Sessions to be his attorney general. The choice didn’t bode well for the Justice Department’s plans in Ville Platte. As a senator, Sessions had made no secret of his antipathy for consent decrees and Obama-era police reform. Critics argued that the Justice Department deployed them too aggressively.

Sessions’ concern, however, wasn’t that police reform by consent decree was overused or ineffective. His problem was with the very premise. He saw consent decrees as unconstitutional federal intrusions into state and local affairs. They “undermine the respect for police officers,” he testified at his January 2017 confirmation hearing, “and create an impression that the entire department is not doing their work consistent with fidelity to law and fairness.”

In its December 2016 report, the Justice Department laid out the changes it anticipated requiring of the Ville Platte Police Department and Evangeline Parish Sheriff’s Office: They would need to overhaul policies, training procedures, recordkeeping systems and internal accountability mechanisms. The plan was to implement those reforms through a consent decree, former Justice Department officials said, and in early March 2017, Civil Rights Division attorneys traveled to Ville Platte to discuss reforms with community members and local officials.

But on March 31, Sessions issued what many lawyers for the Justice Department saw as the coup de grâce to its police reform efforts. “It is not the responsibility of the federal government to manage non-federal law enforcement agencies,” the attorney general wrote in an agency-wide memorandum, which ordered a review of contemplated consent decrees. He expanded on his thinking in an Op-Ed in USA Today: “We will not sign consent decrees for political expediency that will cost more lives by handcuffing the police instead of the criminals.”

In April 2017, the Justice Department made its first endeavor to translate policy into practice — an 11th-hour attempt to scuttle a consent decree with Baltimore’s embattled police department. A judge in Maryland swatted it away. Meanwhile, in Ville Platte, the Justice Department went silent.

In an interview with a local newspaper right after the Justice Department report was issued, Lartigue compared investigative holds to an old family recipe for boudin sausage. He meant to highlight the lost provenance of the practice. But the analogy was apt in another sense, too. In Ville Platte, the police were used to making their sausage in particular ways, and those ways wouldn't be easy to give up. Even townspeople who'd suffered under the holds saw them as a kind of local custom. "Dat just how dey do," was the refrain I heard, in patois laced with resignation.

In one sense, Lartigue was right that law enforcement in Ville Platte had stopped using investigative holds. There was no longer an open policy of jailing local residents without probable cause. But that didn’t mean local law enforcement had stopped using arbitrary arrest and detention. They hadn’t. As one law enforcement official in Ville Platte put it, “They’re just finding another way.” (“It’s very common,” a former Justice Department official told me, to see unlawful policing practices, in the face of federal scrutiny, “simply morph and take on new forms that are harder to ferret out.”)

On May 15, 2017, Robert Wilson and three friends walked into the Ville Platte police station, a squat, salmon-colored bunker that sits just behind City Hall, at the center of town. Three weeks earlier, a stray bullet had killed a bystander down the street from a housing project where Wilson — who is 22 and goes by his middle name, Marquez — and several friends had been whiling away a Sunday evening. A couple of days after the shooting, Marquez's 19-year-old brother, Tieberrious, was arrested on murder charges.

Now, Marquez had gotten word that detectives wanted to talk to him. At the police station, Marquez was ushered into the office of the chief detective, Steve Deville. A heavyset man with a dark goatee and a low, soft drawl, Deville turned on a tape recorder and asked Marquez to sign a form to confirm he understood his Miranda rights. Marquez panicked when he saw where Deville was asking him to sign. “Why you — why you got it as ‘suspect’?” he asked Deville. “I’m a suspect?” Deville assured him that was just how the form is designed.

Marquez walked Deville through what had happened the night of the shooting, according to a police transcript of the interview. His account largely lined up with what Tieberrious had told detectives the previous month. Marquez had gotten into an argument on the street with a contemporary of his named Santiago Thomas. Afterward, Marquez, Tieberrious, and their companions had gone to a friend’s house to avoid further conflict. Ten or fifteen minutes later, they heard gunshots and ran outside to see Thomas’ car careening down the street.

Deville wasn’t buying it. “I’m not saying that you are lying,” he told Marquez. “But if you are, I want to just explain something to you, okay? If you are, then there’s nothing that we can do to help later on.” Marquez insisted he was telling the truth.

After 14 minutes, Deville turned off his tape recorder. But, according to Marquez, the interrogation didn’t end: “If you lie to me again, I’m going to lock you up,” Deville told him. Marquez again insisted that he wasn’t lying. “All right,” Deville said. “We’re gonna see if you’re lying.”

Deville led him to a holding cell. “I was terrified,” Marquez told me. Deville said he’d find out soon enough if Marquez’s story matched the recollections of the friends who’d come with him to the police station. Marquez took a seat on a metal bench and waited. He’d grown up in Beaumont, Texas, and he wasn’t used to how the police operated in Ville Platte. He’d never been to jail before, he told me.

When I later reached Deville by phone, he denied having put Marquez in a jail cell. “After he gave us the recorded statement, we walked him straight back to the front lobby, where he waited for everybody to finish, and they left together,” Deville told me. But the friends who accompanied Marquez to the station house that day recall things differently. One of them, Ebony Soileau, said she doesn’t remember seeing Marquez after he went to be interviewed, and Marquez later told another friend, Shawn Thomas, that “they had him in the back,” Thomas said, a reference to the police station’s jail.

Marquez didn’t know this, but Deville had a reason to lean on him. The detective had next to no evidence against Tieberrious. In three weeks — with a woman dead, Tieberrious in jail and memories growing no sharper — police had collected statements from only two witnesses, according to Deville’s official summary of his investigation. Neither witness had seen Tieberrious fire a gun.

Two hours later, Marquez told me, Deville opened the cell door. Deville had interviewed his friends. His story checked out. He was free to go.

This, three former Ville Platte police officials told me, is one of the tactics that has come to replace investigative holds at the police department. In this version, the hold is unofficial and shorter, rarely lasting more than a day. "They would bring them in and make the person think they're being arrested," one of the former police officials said. The detainee was never actually booked into the jail, and the absence of a paper trail made it harder to prove that somebody had been illegally detained.

“The longer-term holds — the overnight holds — stopped by 2016,” Jonathon Sparks, one of the former officers, said. After leaving the Ville Platte Police Department in late 2009 and working at other law-enforcement agencies in southwestern Louisiana, he’d returned in 2016, hoping to find that things had changed. They hadn’t, and he left after a few months. “They were still bringing people in during the day,” Sparks said. “They were very much holding them with no charges and no warrants — just smoke and mirrors.” The tactic remained in regular use for several months after the Justice Department issued its report, said another former officer, Natosha Murphy, who worked at the Police Department until summer 2017.

Lartigue disputed these accounts. “That never happened,” he said. (Murphy is suing Lartigue and the department, alleging she was forced to resign after she contacted state and federal authorities to reveal illegal conduct at the department.)

Often, Murphy and Sparks told me, detectives hold their quarries in the station house breakroom, where the surveillance cameras don’t work. Sometimes, as Marquez learned firsthand, detectives transfer them to a jail cell for a few hours to scare them into talking.

To compel reluctant Ville Platte residents to go with police to the station house — without actually arresting them — detectives developed a separate set of dubious tactics. “You say you’re going to arrest them for interfering with an investigation for not talking or you say, ‘We have a warrant on you,’” Murphy told me. “Ninety percent of the time, there’s no warrant.” (Courts let police lie about a lot of things but not about having a warrant.) When I asked Deville, the chief detective, about this practice, he was silent.

At times, police took this method a step further. When a detective didn’t have enough evidence to get a judge to approve an arrest, the three former Ville Platte police officials said, the detective filled out a probable cause affidavit and got another officer to notarize it, but never forwarded it to a judge. To the untrained eye, a notarized affidavit could pass for an arrest warrant. Other times, detectives would flash an official-looking document that had nothing to do with the case. “They’d show it to suspects, pretending it was a warrant,” Murphy told me. “A lot of people can’t read or write.”

When I asked him about notarized affidavits doubling as ersatz warrants, Lartigue grew uncharacteristically animated. “No,” he insisted. “That’s a blatant lie. I guarantee you that’s not the case. No.” Three former Ville Platte police officials, including Murphy and Sparks, told me Lartigue was aware of the practices they described. Those who refused to take part, they said, were threatened with professional reprisal.

Sometimes, instead of faking warrants, detectives faked their way to real warrants. The trick was to write — but never issue — a ticket or citation for a fabricated infraction in the name of whomever a detective wanted to talk to, the three former Ville Platte police officials told me. Detectives could get an arrest warrant on the basis of the un-issued ticket. A popular choice of infraction was fleeing from the police, Murphy and Sparks told me. “The person might not have been doing anything. They might have been at their house,” Sparks said. Lartigue denied the existence of this practice, too. Deville hung up on me when I asked him about it.

By the time Lartigue and I spoke in late February, he hadn’t heard from the Justice Department in nearly a year. He figured that meant the feds were satisfied with what they’d seen when they visited a year earlier. He maintained that he’d gotten his department right with the law a long time ago. “We corrected it, and we’re sticking to it,” he said. “We’re still operating like we were.”

In Washington, meanwhile, Sessions and his team continued to dismantle the Justice Department’s police-reform programs. During the summer of 2017, they achieved in Chicago what they’d failed to accomplish in Baltimore: stop a consent-decree process initiated by the previous administration.

Despite Sessions’ explicit opposition to consent decrees, attorneys in the Civil Rights Division felt strongly enough about the problems in Ville Platte, according to a Justice Department official, that they drafted a consent decree. Their bosses rejected it.

The Evangeline Parish Sheriff’s Office assists the police in Ville Platte, but it chiefly patrols the further-flung parts of the parish, outside its towns. The consensus among residents and those who’ve seen local law enforcement from the inside is that it’s less prone to arbitrary detention than the Ville Platte Police Department. The Justice Department’s report bears that out: It documented about 200 investigative holds at the Sheriff’s Office from 2012 to 2014, compared with about 700 at the Police Department.

Still, unlawful detentions have persisted at the Sheriff’s Office. Detectives and deputies have adapted to the Justice Department probe by holding people by the roadside instead of in the jailhouse, a law enforcement official in Ville Platte told me. “To protect themselves, they strong-arm people on the street,” the official said. It’s relatively easy to avoid documenting a catch-and-release-style street stop.

One Saturday in mid-February, Leeann Fontenot witnessed a friend steal a truck. Later that night, she offered to give a statement to deputies from the Evangeline Parish Sheriff’s Office, but they weren’t interested, she told me a few days later.

Fontenot drifts between the homes of friends and relatives. “I’m actually homeless,” she told me. Her warbling Cajun accent betrays hints of a hard Texan “r,” the result of a childhood crisscrossing Texas and Louisiana with her mother. Several run-ins with the law have made it difficult to find steady work, she says. When we spoke, she was staying at a house just outside Ville Platte. Rusted gardening implements and propane tanks cluttered the front porch. Two metal crosses and what looked like part of an animal skull hung beside the front door.

By Sunday evening — the day after the truck theft — the sheriff’s deputies had seemingly changed their minds. Fontenot and a friend had just pulled into the driveway of another house where she sometimes stayed when her friend’s pickup truck filled with pulsing light. Two deputies ordered Fontenot and her friend, Jeff Fontenot, out of the truck. (The pair aren’t related; the surname Fontenot is to Ville Platte what Smith is to the rest of the country.)

One of the deputies took her aside. Fontenot is 26, but she looks a decade younger; she’s barely 5 feet tall and slight. The deputy handcuffed her nevertheless. “Where’s the truck?” he asked. Fontenot said she didn’t know.

As the deputy began searching her pockets, Fontenot says she asked him to stop and call a female officer, but the plea went unheeded. She wasn't wearing a belt, and as the deputy shoved his hands into her pockets, she told me, her shorts began to slide down her thigh. When she asked the deputy to pull them back up, he told her to wait. The deputy went through her cell phone, Fontenot says, without her permission. (Under a 2014 Supreme Court decision, police need a warrant or permission to search a cell phone seized from a person they have arrested.)

Fontenot was perplexed. The deputy, whose name she didn’t catch, had seen her the night before. “Why y’all doing all this?” she asked. “Y’all saw me last night.” The deputy called her a liar. “It happens all the time,” Fontenot told me later — law enforcement stopping her on the street for no reason other than to press her for information.

In the meantime, the other sheriff’s deputy, Eric Frugé, had taken Jeff behind his police cruiser. Frugé patted him down but didn’t cuff him. When the deputy searched Jeff’s truck, he found a small amount of marijuana. Fontenot admitted it was hers.

The deputies ordered her to come in the following morning, a Monday, and tell them where the stolen truck was. Otherwise, they’d charge her with marijuana possession and grand theft auto. The second charge confused her; it was her friend who’d stolen the truck. (Jeff corroborated key details of Fontenot’s account but was standing a squad car’s length away from her, so he didn’t know whether the deputy had searched Fontenot’s phone or threatened to charge her. The Sheriff’s Office did not respond to a detailed set of questions. In response to questions sent to Frugé via Facebook, the deputy responded with an emoji of an angry face.)

Fontenot didn’t go to the sheriff’s office that Monday. She didn’t know where the truck was, but more to the point, she was afraid of what might happen to her. She’d been subjected to an investigative hold before, she told me. “I don’t want them to put me on another hold.”

On Feb. 27, 2018, after nearly a year of silence, a lawyer from the Justice Department’s Civil Rights Division sent an email to Eric LaFleur, a powerful state senator who moonlights as the Ville Platte city attorney. The Justice Department, the attorney wrote, had “prepared a proposal to address the findings” in its December 2016 report.

Arthur Sampson, arguably the only civil rights activist in Ville Platte, had been a key community liaison. But he was caught by surprise when I told him I’d learned Justice Department attorneys were coming to town in March. The Trump administration had eliminated from the discussions the local community whose rights its police-reform work was meant to protect. “How can they know what we need when they’re not meeting with the community?” Sampson said. (A Civil Rights Division official said community input obtained earlier in the process “played an important role.”)

It wasn’t initially a happy moment for local officials, either. I called Lartigue in March to ask about the negotiations. “You’ll have to ask the Justice Department,” he said curtly, before hanging up on me.

The tenor would soon change. When I spoke with LaFleur a couple of weeks later, he was evasive about the details of the agreement. But he chuckled and said: “We’re happy with what they’re recommending.”

By June 4, it was official: There would be no consent decree and no federal judge to ensure compliance. Instead, the Justice Department announced a pair of out-of-court settlement agreements with the Ville Platte Police Department and the Evangeline Parish Sheriff’s Office.

“This is a way to basically allow these departments to go forward just as they were before,” said Roy Austin, who oversaw the department’s police-reform docket from 2010 to 2014. Austin was troubled by the lack of a local independent monitor, a regular feature of Obama-era reform agreements. Combined with the lack of judicial oversight, that meant “there’s no one to hold them accountable in any formal way,” Austin said. “It’s very hard to hide things from a true monitoring team, as compared to hiding things from someone who can’t be there all the time.”

The Justice Department disagreed, calling the agreements “stringent.” “The Justice Department monitors and assesses the compliance” of the Police Department and Sheriff’s Office “on a basis similar to an independent monitor team, and reserves the right to take appropriate legal action if we determine that both parties are not in substantial compliance or have not worked in good faith to achieve substantial compliance,” Justice Department spokesperson Kelly Laco said. Laco did not explain what led the department to reject the recommendation of the attorneys working on the case to implement a consent decree.

The Justice Department will superintend reforms from 1,000 miles away in Washington. The difficulty isn’t just distance. Even in the best of circumstances, “these cases are really time intensive and very difficult to do,” Austin said. These weren’t the best of circumstances. The Civil Rights Division’s police-reform group has lost a quarter of its staff attorneys during the Trump administration, and those who remain have told former colleagues they’ve grown more deferential in their dealings with local law enforcement. They don’t believe the political leadership will back them if disputes arise.

The settlement terms themselves mostly retained only a faint outline of what past agreements would have required. For example, there was a section called “Community Engagement,” which in earlier agreements contained detailed requirements for improving and monitoring police-community relations, sometimes even obligating cities to establish civilian oversight bodies. In the Ville Platte agreements, the section consisted of a single short paragraph calling for a “public education effort.” What does that mean in practice? In early August came the apparent answer: The Police Department held its first “Police and Community Together Fun Day,” an event advertised as featuring face painting, a dunking booth and “LoLo the Clown.”

The “outcome assessments” that determine when the agreements are satisfied — usually carried out by an independent monitor under a consent decree — are now self-assessments. “The city is coming up with the metrics, measuring its own compliance with the metrics, and then the parties are deciding on that basis whether the police get out of the agreement,” a former Justice Department official said. “It undermines the whole purpose of the agreement.”

Lartigue seemed content with the settlement. As he told a local publication, it amounts to “just a few more documents.” Indeed, the types of reforms the agreements emphasize — “clear policy guidance”; “thorough documentation” of arrests, detentions and interrogations; “supervisory oversight” — amount to just a few more documents if nobody’s making sure they amount to more than that.

Policy, for example, is easily flouted. What happened to Leeann Fontenot, Bobby Lewis and Marquez Wilson was already forbidden by policy. It happened anyway. (This year, after a judge ordered Marquez’s brother released from jail for lack of evidence, prosecutors charged Marquez in his place. He has pleaded not guilty, and it’s unclear whether the evidence is any less shaky this time around.) And supervisory oversight is of dubious value if the supervisors themselves — the detectives — are the chief perpetrators of the misconduct.

The settlement agreements did change at least one thing in Ville Platte: They raised the likelihood that no police official will be held individually accountable for illegally detaining the town’s citizens. For more than two years, the Louisiana attorney general’s office and the FBI had been collecting evidence of criminal wrongdoing by officials at the Ville Platte Police Department, according to several people familiar with the case. “Their file is like this,” said one person who had spoken repeatedly with investigators, gesturing to indicate a stack of documents a foot high.

All of that fizzled after the Justice Department unveiled its deal. The press release announcing the agreements lauded police officials: they had “cooperated fully throughout this matter, and we are eager to continue to work together,” it read. Investigators saw the agreement as lenient, according to people who have spoken with them.

The Louisiana attorney general’s office felt it was untenable to recommend the indictment of officials at a police department the Justice Department had publicly praised and, in the view of investigators, had let off the hook with a lax settlement agreement. That, two people familiar with the decision say, led the office to conclude that it had to close the criminal investigation. (The attorney general’s office and FBI declined to comment. The Justice Department’s Laco said the agreement “does not in any way preclude or prevent any law enforcement agency from taking criminal action against an individual under any other law.”)

In Ville Platte, as news of the agreements spread, a familiar fatalism settled on the town. Residents had taken risks sharing their stories because the federal government had promised change. Nobody from the Justice Department had come to explain what the agreements purported to do — another past practice jettisoned — but locals had a pretty good idea that the federal government wasn’t living up to its side of the bargain. After talk of a lawsuit and a federal judge, they got watered-down agreements brokered in secret. “A lot of people stuck their necks out on the promise that the Justice Department was going to do something and that change was coming,” said a former official there who had been involved in the case. “And then they didn’t do anything — they soft-shoed it instead.”

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.

Fund Meant to Protect Elections May Be Too Little, Too Late

[Editor's note: today's guest post, by reporters at ProPublica, is the latest in a series about the integrity and security of voting systems in the United States. It is reprinted with permission.]

By Blake Paterson and Ally J. Levine, ProPublica

The Election Assistance Commission (EAC), the government agency charged with distributing federal funds to support elections, released a report two weeks ago detailing how each state plans to spend a total of $380 million in grants allocated to improve and secure their election systems.

But even as intelligence officials warn of foreign interference in the midterm election, much of the money is not expected to be spent before Election Day. The EAC expects states to spend their allotted money within two to three years and gives them until 2023 to finish spending it.

Election experts have expressed skepticism that the money will be enough to modernize election equipment and secure it against state-sponsored cyber threats.

“Nationally, $380 million sounds like a huge amount of money, but in the context of what the election officials are needing to defend, replace, oversee and mitigate, it’s really not that much,” said Tammy Patrick, a senior adviser at the Democracy Fund. Federal funds were allocated to states proportionally, based on each one’s voting-age population.

As California Secretary of State Alex Padilla wrote in an opinion piece for The Hill, the $380 million isn’t even new money: “Remember butterfly ballots and hanging chads? The recent federal appropriation was simply the final disbursement of money originally approved in 2003 to address the debacle of the 2000 presidential election in Florida.”

Nearly two-thirds of the funds are expected to go toward new voting equipment and increased cybersecurity protection, with the remainder going toward updating voter registration systems, implementing post-election audits, improving election-related communication efforts and holding the money in reserve.

Two states — Kansas and Montana — received extensions and have yet to submit plans to the federal government.

Here’s how the other states plan to use their portions of federal funds.

The largest portion of the $380 million will be used to improve election cybersecurity, on items such as training local election officials, purchasing new software, and hiring IT personnel and cybersecurity experts.

Thirty-eight states are allocating funds to cybersecurity. Illinois is one of three — Wisconsin and New York are the others — planning to dedicate all of their allotments to this. In 2016, Russian hackers breached Illinois’ voter registration database and stole the names, emails and partial Social Security numbers of nearly half a million voters.

“We needed to send a strong signal that we were doing everything we could to make sure that nothing like that happened again,” said Matt Dietrich, the public information officer at the Illinois State Board of Elections. Illinois is using part of its $13.2 million share to deploy a “cyber navigator” team to perform on-site risk assessments for local election officials.

Thirty states plan to use grant money to purchase new voting equipment, replacing voting machines that are often decades old. Six of those states — Alaska, Arkansas, Delaware, Louisiana, North Dakota and Pennsylvania — are expected to use all of their funds to replace voting equipment. The last time a new voting system was purchased in Alaska, for example, was in 1998.

Replacing voting equipment, however, is a costly endeavor that often takes years, and few states will make widespread improvements to their machinery before the midterms. “These machines are not something you can just go to Best Buy and fire up,” said Thomas Hicks, the chairman of the EAC. “It’s going to take time to build that infrastructure.”

In the lead-up to the 2016 election, hackers targeted election systems in 21 states and in a small number of cases successfully penetrated voter registration databases. Twenty-six states plan to use grant money to improve their voter registration systems.

Nevada, which is the state allocating the highest percentage of its funding — 65.4 percent — to voter registration systems, plans to implement multi-factor authentication and require training modules for local election officials. The state also plans to add a full-time position to work on implementing these goals.

North Carolina, which plans to spend a higher dollar amount than any other state, will be improving its voter registration system, dedicating more than $5 million to modernize its decentralized, decades-old statewide election information system by late 2019.

Twenty-one states plan to use some portion of the federal grant money to perform election audits, accounting for 5.1 percent of the funds. Oregon is spending the highest percentage of its funds — 52 percent — on election audits, according to an estimate from the EAC.

Depending on how elections are run, audits come in a variety of forms.

Connecticut plans to run forensic audits on all of its election vendors. Maryland plans to perform a software audit to validate the election results after the midterm election. Rhode Island plans to deploy a pilot “risk-limiting audit” for the upcoming election.

Election auditing remains an “evolving” field, Patrick said, and many of the states will follow Rhode Island’s lead in piloting audits.
