
Walgreens To Pay About $2 Million To Massachusetts To Settle Multiple Price Abuse Allegations. Other Settlement Payments Exceed $200 Million

The Office of the Attorney General of the Commonwealth of Massachusetts announced two settlement agreements with Walgreens, a national pharmacy chain. Walgreens has agreed to pay about $2 million to settle multiple allegations of pricing abuses. According to the announcement:

"Under the first settlement, Walgreens will pay $774,486 to resolve allegations that it submitted claims to MassHealth in which it reported prices for certain prescription drugs at levels that were higher than what Walgreens actually charged, resulting in fraudulent overpayments."

"Under the second settlement, Walgreens will pay $1,437,366 to resolve allegations that from January 2006 through December 2017, rather than dispensing the quantity of insulin called for by a patient’s prescription, Walgreens exceeded the prescription amount and falsified information on claims submitted for reimbursement to MassHealth, including the quantity of insulin and/or days’ supply dispensed."

Both settlements arose from whistle-blower activity. MassHealth is the state's healthcare program based upon a state law passed in 2006 to provide health insurance to all Commonwealth residents. The law was amended in 2008 and 2010 to make it consistent with the federal Affordable Care Act.

Massachusetts Attorney General (AG) Maura Healey said:

"Walgreens repeatedly failed to provide MassHealth with accurate information regarding its dispensing and billing practices, resulting in overpayment to the company at taxpayers’ expense... We will continue to investigate cases of fraud and take action to protect the integrity of MassHealth."

In a separate case, Walgreens will pay $1 million to the state of Arkansas to settle allegations of Medicaid fraud. Last month, the New York State Attorney General announced that New York State, other states, and the federal government reached:

"... an agreement in principle with Walgreens to settle allegations that Walgreens violated the False Claims Act by billing Medicaid at rates higher than its usual and customary (U&C) rates for certain prescription drugs... Walgreens will pay the states and federal government $60 million, all of which is attributable to the states’ Medicaid programs... The national federal and state civil settlement will resolve allegations relating to Walgreens’ discount drug program, known as the Prescription Savings Club (PSC). The investigation revealed that Walgreens submitted claims to the states’ Medicaid programs in which it identified U&C prices for certain prescription drugs sold through the PSC program that were higher than what Walgreens actually charged for those drugs... This is the second false claims act settlement reached with Walgreens today. On January 22, 2019, AG James announced that Walgreens is to pay New York over $6.5 million as part of a $209.2 million settlement with the federal government and other states, resolving allegations that Walgreens knowingly engaged in fraudulent conduct when it dispensed insulin pens..."

States involved in the settlement include New York, California, Illinois, Indiana, Michigan and Ohio. Kudos to all Attorneys General and their staffs for protecting patients against corporate greed.


Senators Demand Answers From Facebook And Google About Project Atlas And Screenwise Meter Programs

After news reports surfaced about Facebook's Project Atlas, a secret program where Facebook paid teenagers (and other users) for a research app installed on their phones to track and collect information about their mobile usage, several United States Senators have demanded explanations. Three Senators sent a joint letter on February 7, 2019 to Mark Zuckerberg, Facebook's chief executive officer.

The joint letter to Facebook (Adobe PDF format) stated, in part:

"We write concerned about reports that Facebook is collecting highly-sensitive data on teenagers, including their web browsing, phone use, communications, and locations -- all to profile their behavior without adequate disclosure, consent, or oversight. These reports fit with longstanding concerns that Facebook has used its products to deeply intrude into personal privacy... According to a journalist who attempted to register as a teen, the linked registration page failed to impose meaningful checks on parental consent. Facebook has more rigorous mechanism to obtain and verify parental consent, such as when it is required to sign up for Messenger Kids... Facebook's monitoring under Project Atlas is particularly concerning because the data collection performed by the research app was deeply invasive. Facebook's registration process encouraged participants to "set it and forget it," warning that if a participant disconnected from the monitoring for more than ten minutes for a few days, that they could be disqualified. Behind the scenes, the app watched everything on the phone."

The letter included another example highlighting the alleged lack of meaningful disclosures:

"... the app added a VPN connection that would automatically route all of a participant's traffic through Facebook's servers. The app installed a SSL root certificate on the participant's phone, which would allow Facebook to intercept or modify data sent to encrypted websites. As a result, Facebook would have limitless access to monitor normally secure web traffic, even allowing Facebook to watch an individual log into their bank account or exchange pictures with their family. None of the disclosures provided at registration offer a meaningful explanation about how the sensitive data is used, how long it is kept, or who within Facebook has access to it..."

The letter was signed by Senators Richard Blumenthal (Democrat, Connecticut), Edward J. Markey (Democrat, Massachusetts), and Josh Hawley (Republican, Mississippi). Based upon news reports about how Facebook's Research App operated with similar functionality to the Onavo VPN app which was banned last year by Apple, the Senators concluded:

"Faced with that ban, Facebook appears to have circumvented Apple's attempts to protect consumers."

The joint letter also listed twelve questions the Senators want detailed answers about. Below are selected questions from that list:

"1. When did Project Atlas begin and how many individuals participated? How many participants were under age 18?"

"3. Why did Facebook use a less strict mechanism for verifying parental consent than is required for Messenger Kids or Global Data Protection Regulation (GDPR) compliance?"

"4. What specific types of data was collected (e.g., device identifiers, usage of specific applications, content of messages, friends lists, locations, et al.)?"

"5. Did Facebook use the root certificate installed on a participant's device by the Project Atlas app to decrypt and inspect encrypted web traffic? Did this monitoring include analysis or retention of application-layer content?"

"7. Were app usage data or communications content collected by Project Atlas ever reviewed by or available to Facebook personnel or employees of Facebook partners?"

"8. Given that Project Atlas acknowledged the collection of "data about [users'] activities and content within those apps," did Facebook ever collect or retain the private messages, photos, or other communications sent or received over non-Facebook products?"

"11. Why did Facebook bypass Apple's app review? Has Facebook bypassed the App Store approval processing using enterprise certificates for any other app that was used for non-internal purposes? If so, please list and describe those apps."

Read the entire letter to Facebook (Adobe PDF format). Also on February 7th, the Senators sent a similar letter to Google (Adobe PDF format), addressed to Hiroshi Lockheimer, the Senior Vice President of Platforms & Ecosystems. It stated in part:

"TechCrunch has subsequently reported that Google maintained its own measurement program called "Screenwise Meter," which raises similar concerns as Project Atlas. The Screenwise Meter app also bypassed the App Store using an enterprise certificate and installed a VPN service in order to monitor phones... While Google has since removed the app, questions remain about why it had gone outside Apple's review process to run the monitoring program. Platforms must maintain and consistently enforce clear policies on the monitoring of teens and what constitutes meaningful parental consent..."

The letter to Google includes a similar list of eight questions the Senators seek detailed answers about. Some notable questions:

"5. Why did Google bypass App Store approval for Screenwise Meter app using enterprise certificates? Has Google bypassed the App Store approval processing using enterprise certificates for any other non-internal app? If so, please list and describe those apps."

"6. What measures did Google have in place to ensure that teenage participants in Screenwise Meter had authentic parental consent?"

"7. Given that Apple removed Onavo Protect from the App Store for violating its terms of service regarding privacy, why has Google continued to allow the Onavo Protect app to be available on the Play Store?"

The lawmakers have asked for responses by March 1st. Thanks to all three Senators for protecting consumers' -- and children's -- privacy... and for enforcing transparency and accountability.


Technology And Human Rights Organizations Sent Joint Letter Urging House Representatives Not To Fund 'Invasive Surveillance' Tech Instead of A Border Wall

More than two dozen technology and human rights organizations sent a joint letter Tuesday to representatives in the House of Representatives, urging them not to fund "invasive surveillance technologies" in replacement of a physical wall or barrier along the southern border of the United States. The joint letter cited five concerns:

"1. Risk-based targeting: The proposal calls for “an expansion of risk-based targeting of passengers and cargo entering the United States.” We are concerned that this includes the expansion of programs — proven to be ineffective and to exacerbate racial profiling — that use mathematical analytics to make targeting determinations. All too often, these systems replicate the biases of their programmers, burden vulnerable communities, lack democratic transparency, and encourage the collection and analysis of ever-increasing amounts of data... 3. Biometrics: The proposal calls for “new cutting edge technology” at the border. If that includes new face surveillance like that deployed at international airline departures, it should not. Senator Jeff Merkley and the Congressional Black Caucus have expressed serious concern that facial recognition technology would place “disproportionate burdens on communities of color and could stifle Americans’ willingness to exercise their first amendment rights in public.” In addition, use of other biometrics, including iris scans and voice recognition, also raise significant privacy concerns... 5. Biometric and DNA data: We oppose biometric screening at the border and the collection of immigrants’ DNA, and fear this may be another form of “new cutting edge technology” under consideration. We are concerned about the threat that any collected biometric data will be stolen or misused, as well as the potential for such programs to be expanded far beyond their original scope..."

The letter was sent to Speaker Nancy Pelosi, Minority Leader Kevin McCarthy, Minority Leader Steny Hoyer, Minority Whip Steve Scalise, Chair Nita Lowey a Ranking Member of House Appropriations, and Kay Granger of the House Appropriations committee.

27 organizations signed the joint letter, including Fight for the Future, the Electronic Frontier Foundation, the American Civil Liberties Union (ACLU), the American-Arab Anti-Discrimination Committee, the Center for Media Justice, the Project On Government Oversight, and others. Read the entire letter.

Earlier this month, a structural and civil engineer cited several reasons why a physical wall won't work and would be vastly more expensive than the $5.7 billion requested.

Clearly, there are distinct advantages and disadvantages to each of the border-protection solutions the House and President are considering. It is a complex problem. The advantages and disadvantages of all proposals need to be clear, transparent, and understood by taxpayers prior to any final decisions.


Google Fined 50 Million Euros For Violations Of New European Privacy Law

Google has been fined 50 million Euros (about U.S. $57 million) under the new European privacy law for failing to properly disclose to users how their data is collected and used for targeted advertising. The European Union's General Data Protection Regulations, which went into effect in May 2018, give EU residents more control over their information and how companies use it.

After receiving two complaints last year from privacy-rights groups, France's National Data Protection Commission (CNIL) announced earlier this month:

"... CNIL carried out online inspections in September 2018. The aim was to verify the compliance of the processing operations implemented by GOOGLE with the French Data Protection Act and the GDPR by analysing the browsing pattern of a user and the documents he or she can have access, when creating a GOOGLE account during the configuration of a mobile equipment using Android. On the basis of the inspections carried out, the CNIL’s restricted committee responsible for examining breaches of the Data Protection Act observed two types of breaches of the GDPR."

The first violation involved transparency failures:

"... information provided by GOOGLE is not easily accessible for users. Indeed, the general structure of the information chosen by the company does not enable to comply with the Regulation. Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information. The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions... some information is not always clear nor comprehensive. Users are not able to fully understand the extent of the processing operations carried out by GOOGLE. But the processing operations are particularly massive and intrusive because of the number of services offered (about twenty), the amount and the nature of the data processed and combined. The restricted committee observes in particular that the purposes of processing are described in a too generic and vague manner..."

So, important information is buried and scattered across several documents making it difficult for users to access and to understand. The second violation involved the legal basis for personalized ads processing:

"... GOOGLE states that it obtains the user’s consent to process data for ads personalization purposes. However, the restricted committee considers that the consent is not validly obtained for two reasons. First, the restricted committee observes that the users’ consent is not sufficiently informed. The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent. For example, in the section “Ads Personalization”, it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations (Google search, Youtube, Google home, Google maps, Playstore, Google pictures, etc.) and therefore of the amount of data processed and combined."

"[Second], the restricted committee observes that the collected consent is neither “specific” nor “unambiguous.” When an account is created, the user can admittedly modify some options associated to the account by clicking on the button « More options », accessible above the button « Create Account ». It is notably possible to configure the display of personalized ads. That does not mean that the GDPR is respected. Indeed, the user not only has to click on the button “More options” to access the configuration, but the display of the ads personalization is moreover pre-ticked. However, as provided by the GDPR, consent is “unambiguous” only with a clear affirmative action from the user (by ticking a non-pre-ticked box for instance). Finally, before creating an account, the user is asked to tick the boxes « I agree to Google’s Terms of Service» and « I agree to the processing of my information as described above and further explained in the Privacy Policy» in order to create the account. Therefore, the user gives his or her consent in full, for all the processing operations purposes carried out by GOOGLE based on this consent (ads personalization, speech recognition, etc.). However, the GDPR provides that the consent is “specific” only if it is given distinctly for each purpose."

So, not only is important information buried and scattered across multiple documents (again), but also critical boxes for users to give consent are pre-checked when they shouldn't be.

CNIL explained its reasons for the massive fine:

"The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent. Despite the measures implemented by GOOGLE (documentation and configuration tools), the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations... Moreover, the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement..."

This is the largest fine, so far, under GDPR laws. Reportedly, Google will appeal the fine:

"We've worked hard to create a GDPR consent process for personalised ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing... We're also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond... For all these reasons, we've now decided to appeal."

This is not the first EU fine for Google. CNet reported:

"Google is no stranger to fines under EU laws. It's currently awaiting the outcome of yet another antitrust investigation -- after already being slapped with a $5 billion fine last year for anticompetitive Android practices and a $2.7 billion fine in 2017 over Google Shopping."


The Privacy And Data Security Issues With Medical Marijuana

In the United States, some states have enacted legislation making medical marijuana legal -- despite it being illegal at a federal level. This situation presents privacy issues for both retailers and patients.

In her "Data Security And Privacy" podcast series, privacy consultant Rebecca Herold (@PrivacyProf) interviewed a patient cannabis advocate about privacy and data security issues:

"Most people assume that their data is safe in cannabis stores & medical cannabis dispensaries. Or they believe if they pay in cash there will be no record of their cannabis purchase. Those are incorrect beliefs. How do dispensaries secure & share data? Who WANTS that data? What security is needed? Some in government, law enforcement & employers want data about state legal marijuana and medical cannabis purchases. Michelle Dumay, Cannabis Patient Advocate, helps cannabis dispensaries & stores to secure their customers’ & patients’ data & privacy. Michelle learned through experience getting treatment for her daughter that most medical cannabis dispensaries are not compliant with laws governing the security and privacy of patient data... In this episode, we discuss information security & privacy practices of cannabis shops, risks & what needs to be done when it comes to securing data and understanding privacy laws."

Many consumers know that the Health Insurance Portability and Accountability Act (HIPAA) governs how patients' privacy is protected and which businesses must comply with that law.

Poor data security (e.g., data breaches, unauthorized recording of patients inside or outside of dispensaries) can result in the misuse of patients' personal and medical information by bad actors and others. Downstream consequences can be negative, such as employers using the data to decline job applications.

After listening to the episode, it seems reasonable for consumers to assume that traditional information industry players (e.g., credit reporting agencies, advertisers, data brokers, law enforcement, government intelligence agencies, etc.) all want marijuana purchase data. Note the use of "consumers," and not only "patients," since about 10 states have legalized recreational marijuana.

Listen to an encore presentation of the "Medical Cannabis Patient Privacy And Data Security" episode.


Google To EU Regulators: No One Country Should Censor The Web Globally. Poll Finds Canadians Support 'Right To Be Forgotten'

For those watching privacy legislation in Europe, MediaPost reported:

"... Maciej Szpunar, an advisor to the highest court in the EU, sided with Google in the fight, arguing that the right to be forgotten should only be enforceable in Europe -- not the entire world. The opinion is non-binding, but seen as likely to be followed."

For those unfamiliar, in the European Union (EU) the right to be forgotten:

"... was created in 2014, when EU judges ruled that Google (and other search engines) must remove links to embarrassing information about Europeans at their request... The right to be forgotten doesn't exist in the United States... Google interpreted the EU's ruling as requiring removal of links to material in search engines designed for European countries but not from its worldwide search results... In 2015, French regulators rejected Google's position and ordered the company to remove material from all of its results pages. Google then asked Europe's highest court to reject that view. The company argues that no one country should be able to censor the web internationally."

No one corporation should be able to censor the web globally, either. Meanwhile, Radio Canada International reported:

"A new poll shows a slim majority of Canadians agree with the concept known as the “right to be forgotten online.” This means the right to have outdated, inaccurate, or no longer relevant information about yourself removed from search engine results. The poll by the Angus Reid Institute found 51 percent of Canadians agree that people should have the right to be forgotten..."

Consumers should have control over their information. If that control is limited to only the country of their residence, then the global nature of the internet means that control is very limited -- and probably irrelevant. What are your opinions?


Pennsylvania Ruling May Help Plaintiffs in Class Action Lawsuits About Data Breaches

An article in the Lexology site by attorneys at Thompson Coburn LLP provides an important update about class-action lawsuits in Pennsylvania regarding data breaches and data security:

"One of the most insurmountable barriers for security breach class action plaintiffs has been the ability to show concrete damages. In order to bring a lawsuit, fundamentally, plaintiffs must have standing to sue. In federal court, this standing to sue is governed by Article III of the U.S. Constitution. The U.S. Supreme Court has articulated standing to sue as requiring (1) injury in fact, (2) fairly traceable to the defendant’s conduct, (3) that is likely redressed by a favorable decision... Proving a concrete and particularized injury therefore becomes difficult for plaintiffs... since it often becomes an individualized analysis of harms. Many state courts follow similar standing requirements as those articulated by the federal courts..."

The case involved a class-action lawsuit by employees against their employer, the University of Pittsburgh Medical Center (UPMC). The suit alleged that the sensitive personal and financial information for 62,000 current and former employees had been stolen, and that:

"... UPMC breached an implied contract and was negligent by failing to implement adequate security measures to safeguard information relating to employees."

The claims were dismissed by a trial court. The employees appealed that decision, and the appellate court agreed with the trial court's decision. The good news:

"... the Pennsylvania Supreme Court concluded the lower courts erred in determining UPMC did not owe a duty to safeguard the employees’ personal information and that the economic loss doctrine barred the negligence claim... While the Pennsylvania decision affects only Pennsylvania for the time being, anyone that collects or stores personal information should be aware that this could signal a new tide for security breach plaintiffs..."


China Blamed For Cyberattack In The Gigantic Marriott-Starwood Hotels Data Breach

An update on the gigantic Marriott-Starwood data breach where details about 500 million guests were stolen. The New York Times reported that the cyberattack:

"... was part of a Chinese intelligence-gathering effort that also hacked health insurers and the security clearance files of millions more Americans, according to two people briefed on the investigation. The hackers, they said, are suspected of working on behalf of the Ministry of State Security, the country’s Communist-controlled civilian spy agency... While American intelligence agencies have not reached a final assessment of who performed the hacking, a range of firms brought in to assess the damage quickly saw computer code and patterns familiar to operations by Chinese actors... China has reverted over the past 18 months to the kind of intrusions into American companies and government agencies that President Barack Obama thought he had ended in 2015 in an agreement with Mr. Xi. Geng Shuang, a spokesman for China’s Ministry of Foreign Affairs, denied any knowledge of the Marriott hacking..."

Why any country's intelligence agency would want to hack a hotel chain's database:

"The Marriott database contains not only credit card information but passport data. Lisa Monaco, a former homeland security adviser under Mr. Obama, noted last week at a conference that passport information would be particularly valuable in tracking who is crossing borders and what they look like, among other key data."

Also, context matters. First, this corporate acquisition was (thankfully) blocked:

"The effort to amass Americans’ personal information so alarmed government officials that in 2016, the Obama administration threatened to block a $14 billion bid by China’s Anbang Insurance Group Co. to acquire Starwood Hotel & Resorts Worldwide, according to one former official familiar with the work of the Committee on Foreign Investments in the United States, a secretive government body that reviews foreign acquisitions..."

Later that year, Marriott Hotels acquired Starwood for $13.6 billion. Second, remember the massive government data breach in 2014 at the Office of Personnel Management (OPM). The New York Times added that the Marriott breach:

"... was only part of an aggressive operation whose centerpiece was the 2014 hacking into the Office of Personnel Management. At the time, the government bureau loosely guarded the detailed forms that Americans fill out to get security clearances — forms that contain financial data; information about spouses, children and past romantic relationships; and any meetings with foreigners. Such information is exactly what the Chinese use to root out spies, recruit intelligence agents and build a rich repository of Americans’ personal data for future targeting..."

Not good. And, this is not the first time concerns about China have been raised. Reports surfaced in 2016 about malware installed in the firmware of smartphones running the Android operating system (OS) software. In 2015, China enacted a new "secure and controllable" security law which many security experts viewed then as a method to ensure that back doors were built into computing products and devices during the manufacturing and assembly process.

And, even if China's MSS didn't do this massive cyberattack, it could have been another country's intelligence agency. Not good either.

Regardless of who the attackers were, this incident is a huge reminder to executives in government and in the private sector to secure their computer systems. Hopefully, executives at major hotel chains -- especially those frequented by government officials and military members -- now realize that their systems are high-value targets.


Oath To Pay Almost $5 Million To Settle Charges By New York AG Regarding Children's Privacy Violations

Barbara D. Underwood, the Attorney General (AG) for New York State, announced last week a settlement with Oath, Inc. for violating the Children’s Online Privacy Protection Act (COPPA). Oath Inc. is a wholly-owned subsidiary of Verizon Communications. Until June 2017, Oath was known as AOL Inc. ("AOL"). The announcement stated:

"The Attorney General’s Office found that AOL conducted billions of auctions for ad space on hundreds of websites the company knew were directed to children under the age of 13. Through these auctions, AOL collected, used, and disclosed personal information from the websites’ users in violation of COPPA, enabling advertisers to track and serve targeted ads to young children. The company has agreed to adopt comprehensive reforms to protect children from improper tracking and pay a record $4.95 million in penalties..."

The United States Congress enacted COPPA in 1998 to protect the safety and privacy of young children online. As many parents know, young children don't understand complicated legal documents such as terms-of-use and privacy policies. COPPA prohibits operators of certain websites from collecting, using, or disclosing personal information (e.g., first and last name, e-mail address) of children under the age of 13 without first obtaining parental consent.

The definition of "personal information" was revised in 2013 to include persistent identifiers that can be used to recognize a user over time and across websites, such as the ID found in a web browser cookie or an Internet Protocol (“IP”) address. The revision effectively prohibits covered operators from using cookies, IP addresses, and other persistent identifiers to track users across websites for most advertising purposes on COPPA-covered websites.

The announcement by AG Underwood explained the alleged violations in detail. Despite policies to the contrary:

"... AOL nevertheless used its display ad exchange to conduct billions of auctions for ad space on websites that it knew to be directed to children under the age of 13 and subject to COPPA. AOL obtained this knowledge in two ways. First, several AOL clients provided notice to AOL that their websites were subject to COPPA. These clients identified more than a dozen COPPA-covered websites to AOL. AOL conducted at least 1.3 billion auctions of display ad space from these websites. Second, AOL itself determined that certain websites were directed to children under the age of 13 when it conducted a review of the content and privacy policies of client websites. Through these reviews, AOL identified hundreds of additional websites that were subject to COPPA. AOL conducted at least 750 million auctions of display ad space from these websites."

AG Underwood said in a statement:

"COPPA is meant to protect young children from being tracked and targeted by advertisers online. AOL flagrantly violated the law – and children’s privacy – and will now pay the largest-ever penalty under COPPA. My office remains committed to protecting children online and will continue to hold accountable those who violate the law."

A check at press time of both the press and "company values" sections of Oath's site failed to find any mentions of the settlement. TechCrunch reported on December 4th:

"We reached out to Oath with a number of questions about this privacy failure. But a spokesman did not engage with any of them directly — emailing a short statement instead, in which it writes: "We are pleased to see this matter resolved and remain wholly committed to protecting children’s privacy online." The spokesman also did not confirm nor dispute the contents of the New York Times report."

Hmmm. Almost a week has passed since AG Underwood's December 4th announcement. You'd think that Oath management would have released a statement by now. Maybe Oath isn't as committed to children's online privacy as they claim. Something for parents to note.

The National Law Review provided some context:

"...in 2016, the New York AG concluded a two-year investigation into the tracking practices of four online publishers for alleged COPPA violations... As recently as September of this year, the New Mexico AG filed a lawsuit for alleged COPPA violations against a children's game app company, Tiny Lab Productions, and the online ad companies that work within Tiny Lab's, including those run by Google and Twitter... The Federal Trade Commission (FTC) continues to vigorously enforce COPPA, closing out investigations of alleged COPPA violations against smart toy manufacturer VTech and online talent search company Explore Talent... there have been a total of 28 enforcement proceedings since the COPPA rule was issued in 2000."

You can read about many of these actions in this blog, and how COPPA was strengthened in 2013.

So, the COPPA law works well and it is being vigorously enforced. Kudos to AG Underwood, her staff, and other states' AGs for taking these actions. What are your opinions about the AOL/Oath settlement?


Massive Data Breach At U.S. Postal Service Affects 60 Million Users

The United States Postal Service (USPS) experienced a massive data breach due to a vulnerable component on its website. The "application program interface" or API component allowed unauthorized users to access and download details about other users of the Informed Visibility service.

Security researcher Brian Krebs explained:

"In addition to exposing near real-time data about packages and mail being sent by USPS commercial customers, the flaw let any logged-in usps.com user query the system for account details belonging to any other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.

Many of the API’s features accepted “wildcard” search parameters, meaning they could be made to return all records for a given data set without the need to search for specific terms. No special hacking tools were needed to pull this data, other than knowledge of how to view and modify data elements processed by a regular Web browser like Chrome or Firefox."

Geez! The USPS has since fixed the API vulnerability. Regardless, this is bad, very bad, for several reasons. Not only should the vulnerable API have prevented one user from viewing details about another, but it allowed changes to some data elements. Krebs added:

"A cursory review by KrebsOnSecurity indicates the promiscuous API let any user request account changes for any other user, such as email address, phone number or other key details. Fortunately, the USPS appears to have included a validation step to prevent unauthorized changes — at least with some data fields... The ability to modify database entries related to Informed Visibility user accounts could create problems for the USPS’s largest customers — think companies like Netflix and others that get discounted rates for high volumes. For instance, the API allowed any user to convert regular usps.com accounts to Informed Visibility business accounts, and vice versa."

About 13 million Informed Delivery users were also affected, since the vulnerable API component affected all USPS.com users. A vulnerability like this makes package theft easier since criminals could determine when certain types of mail (e.g., debit cards, credit cards, etc.) arrive at users' addresses. The vulnerable API probably existed for more than one year, dating back to when a security researcher first alerted the USPS about it.
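The two behaviors described above (any logged-in user could read or change another user's record, and wildcard search parameters returned whole data sets) both come down to a missing per-record authorization check. The sketch below is an added example, not USPS code: the store layout, field names and function names are hypothetical, the records are constructed sample data, and the "owner or listed authorized user" policy is an assumption made for illustration.

```python
"""Added illustration (not USPS code): object-level authorization for an
account API. Store layout, field names and functions are hypothetical, and
the records are constructed sample data."""
import re
from fnmatch import fnmatchcase

# Constructed sample records; "authorized_users" lists who may act on the account.
ACCOUNTS = {
    "u100": {"email": "alice@example.com", "phone": "555-0100",
             "account_type": "regular", "authorized_users": ["u101"]},
    "u101": {"email": "bob@example.com", "phone": "555-0101",
             "account_type": "regular", "authorized_users": []},
    "u200": {"email": "carol@example.com", "phone": "555-0200",
             "account_type": "business", "authorized_users": []},
}


class Forbidden(Exception):
    """Caller is not allowed to touch the requested record."""


class BadRequest(Exception):
    """Request is malformed (for example, a wildcard where an ID is required)."""


def search_flawed(store, session_user, pattern):
    """The flaw as described: any logged-in user, wildcard patterns honoured."""
    if session_user not in store:
        raise Forbidden("login required")
    return {uid: rec for uid, rec in store.items() if fnmatchcase(uid, pattern)}


USER_ID_RE = re.compile(r"[A-Za-z0-9]{1,32}")  # exact IDs only; no * ? % etc.
SELF_SERVICE_FIELDS = {"email", "phone"}        # account_type is not editable here


def _authorize(store, session_user, user_id):
    """Return the record only if the caller owns it or is an authorized user."""
    if session_user not in store:
        raise Forbidden("login required")
    if not isinstance(user_id, str) or not USER_ID_RE.fullmatch(user_id):
        raise BadRequest("user_id must be an exact identifier")
    record = store.get(user_id)
    # Same error for "missing" and "not yours", so IDs cannot be enumerated.
    if record is None or (session_user != user_id
                          and session_user not in record["authorized_users"]):
        raise Forbidden("not authorized for this record")
    return record


def get_account(store, session_user, user_id):
    """Hardened read: one exact record, checked against the caller's session."""
    return dict(_authorize(store, session_user, user_id))


def update_account(store, session_user, user_id, changes):
    """Hardened write: same ownership check plus a field allowlist."""
    record = _authorize(store, session_user, user_id)
    illegal = set(changes) - SELF_SERVICE_FIELDS
    if illegal:
        raise BadRequest(f"fields not editable: {sorted(illegal)}")
    record.update(changes)
    return dict(record)


if __name__ == "__main__":
    import copy
    store = copy.deepcopy(ACCOUNTS)
    print(len(search_flawed(store, "u200", "*")), "records returned by the flawed search")
    for target in ("u200", "u100", "*"):
        try:
            print(target, get_account(store, "u200", target)["email"])
        except (Forbidden, BadRequest) as exc:
            print(target, type(exc).__name__, exc)
```

The check runs on the server against the session identity on every read and write, so editing request parameters in the browser does not change which records come back.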

While the USPS provided a response to Krebs on Security, a check at press time of the Newsroom and blog sections of About.USPS.com failed to find any mention of the data breach. Not good. Transparency matters.

If the USPS is serious about data security, then it should issue a public statement. When will users receive breach notification letters, if they haven't been sent? Who fixed the vulnerable API? How long was it broken? What post-breach investigation is underway? What types of changes (e.g., employee training, software testing, outsource vendor management, etc.) are being implemented so this won't happen again?

Trust matters. The lack of a public statement makes it difficult for consumers to judge the seriousness of the breach and the seriousness of the fix by USPS. We probably will hear more about this breach.


Ireland Regulator: LinkedIn Processed Email Addresses Of 18 Million Non-Members

On Friday November 23rd, the Data Protection Commission (DPC) in Ireland released its annual report. That report includes the results of an investigation by the DPC of the LinkedIn.com social networking site, after a 2017 complaint by a person who didn't use the social networking service. Apparently, LinkedIn obtained 18 million email addresses of non-members so it could then use the Facebook platform to deliver advertisements encouraging them to join.

The DPC 2018 report (Adobe PDF; 827k bytes) stated on page 21:

"The DPC concluded its audit of LinkedIn Ireland Unlimited Company (LinkedIn) in respect of its processing of personal data following an investigation of a complaint notified to the DPC by a non-LinkedIn user. The complaint concerned LinkedIn’s obtaining and use of the complainant’s email address for the purpose of targeted advertising on the Facebook Platform. Our investigation identified that LinkedIn Corporation (LinkedIn Corp) in the U.S., LinkedIn Ireland’s data processor, had processed hashed email addresses of approximately 18 million non-LinkedIn members and targeted these individuals on the Facebook Platform with the absence of instruction from the data controller (i.e. LinkedIn Ireland), as is required pursuant to Section 2C(3)(a) of the Acts. The complaint was ultimately amicably resolved, with LinkedIn implementing a number of immediate actions to cease the processing of user data for the purposes that gave rise to the complaint."

So, in an attempt to gain more users LinkedIn acquired and processed the email addresses of 18 million non-members without getting governmental "instruction" as required by law. Not good.

The DPC report covered the time frame from January 1st through May 24, 2018. The report did not mention the source(s) from which LinkedIn acquired the email addresses. The DPC report also discussed investigations of Facebook (e.g., WhatsApp, facial recognition) and Yahoo/Oath. Microsoft acquired LinkedIn in 2016. GDPR went into effect across the EU on May 25, 2018.

There is more. The investigation's findings raised concerns about broader compliance issues, so the DPC conducted a more in-depth audit:

"... to verify that LinkedIn had in place appropriate technical security and organisational measures, particularly for its processing of non-member data and its retention of such data. The audit identified that LinkedIn Corp was undertaking the pre-computation of a suggested professional network for non-LinkedIn members. As a result of the findings of our audit, LinkedIn Corp was instructed by LinkedIn Ireland, as data controller of EU user data, to cease pre-compute processing and to delete all personal data associated with such processing prior to 25 May 2018."

That the DPC ordered LinkedIn to stop this particular data processing strongly suggests that the social networking service's activity probably violated data protection laws, as the European Union (EU) implements stronger privacy laws, known as the General Data Protection Regulation (GDPR). ZDNet explained in this primer:

".... GDPR is a new set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy... almost every aspect of our lives revolves around data. From social media companies, to banks, retailers, and governments -- almost every service we use involves the collection and analysis of our personal data. Your name, address, credit card number and more all collected, analysed and, perhaps most importantly, stored by organisations... Data breaches inevitably happen. Information gets lost, stolen or otherwise released into the hands of people who were never intended to see it -- and those people often have malicious intent. Under the terms of GDPR, not only will organisations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it will be obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners - or face penalties for not doing so... There are two different types of data-handlers the legislation applies to: 'processors' and 'controllers'. The definitions of each are laid out in Article 4 of the General Data Protection Regulation..."

The new GDPR applies to both companies operating within the EU, and to companies located outside of the EU which offer goods or services to customers or businesses inside the EU. As a result, some companies have changed their business processes. TechCrunch reported in April:

"Facebook has another change in the works to respond to the European Union’s beefed up data protection framework — and this one looks intended to shrink its legal liabilities under GDPR, and at scale. Late yesterday Reuters reported on a change incoming to Facebook’s [Terms & Conditions policy] that it said will be pushed out next month — meaning all non-EU international are switched from having their data processed by Facebook Ireland to Facebook USA. With this shift, Facebook will ensure that the privacy protections afforded by the EU’s incoming GDPR — which applies from May 25 — will not cover the ~1.5 billion+ international Facebook users who aren’t EU citizens (but current have their data processed in the EU, by Facebook Ireland). The U.S. does not have a comparable data protection framework to GDPR..."

What was LinkedIn's response to the DPC report? At press time, a search of LinkedIn's blog and press areas failed to find any mentions of the DPC investigation. TechCrunch reported statements by Dennis Kelleher, Head of Privacy, EMEA at LinkedIn:

"... Unfortunately the strong processes and procedures we have in place were not followed and for that we are sorry. We’ve taken appropriate action, and have improved the way we work to ensure that this will not happen again. During the audit, we also identified one further area where we could improve data privacy for non-members and we have voluntarily changed our practices as a result."

What does this mean? Plenty. There seem to be several takeaways for consumers and users of social networking services:

  • EU regulators are proactive and conduct detailed audits to ensure companies both comply with GDPR and act consistent with any promises they made,
  • LinkedIn wants consumers to accept another "we are sorry" corporate statement. No thanks. No more apologies. Actions speak more loudly than words,
  • The DPC didn't fine LinkedIn probably because GDPR didn't become effective until May 25, 2018. This suggests that fines will be applied to violations occurring on or after May 25, 2018, and
  • People in different areas of the world view privacy and data protection differently - as they should. That is fine, and it shouldn't be a surprise. (A global survey about self-driving cars found similar regional differences.) Smart executives in businesses -- and in governments -- worldwide recognize regional differences, find ways to sell products and services across areas without degraded customer experience, and don't try to force their country's approach on other countries or areas which don't want it.

What takeaways do you see?


Aging Machines, Crowds, Humidity: Problems at the Polls Were Mundane but Widespread

[Editor's Note: Today's guest blog post, by reporters at ProPublica, discusses widespread problems many voters encountered earlier this month. The data below was compiled before the runoffs in Florida, Georgia and other states. It is reprinted with permission.]

By Ian MacDougall, Jessica Huseman, and Isaac Arnsdorf - ProPublica

If the defining risk of Election Day 2016 was foreign meddling, 2018’s seems to have been a domestic overload. High turnout across the country threw existing problems — aging machines, poorly trained poll workers and a hot political landscape — into sharp relief.

Michael McDonald, a political science professor at the University of Florida who studies turnout, says early numbers indicate Tuesday’s midterm saw the highest percentage turnout since the mid-’60s. “All signs indicate that everyone is now engaged in this country — Republicans and Democrats,” he said, adding that he expects 2020 to also be a year of high turnout. “Election officials need to start planning for that now, and hopefully elected officials who hold the purse strings will be responsive to those needs.”

Aging Technology

Electionland monitored problems across the country on Election Day, supporting the work of 250 local journalists in more than 120 local newsrooms. Thousands of voters reported issues at the polls, and Electionland sought to report on as many as possible. The most striking problem of the night was perhaps the most predictable — aged or ineffective voting equipment caused hours-long lines across the country.

American voting hasn’t had a major technology refresh since the early 2000s, in the aftermath of the Florida recount and the passage of the 2002 Help America Vote Act, which infused billions of dollars into American elections. More recent upgrades, such as poll books that could be accessed via computer, were supposed to reduce bottlenecks at check-ins — but they repeatedly failed on Tuesday, worsening waits in Georgia, South Carolina and Indiana.

While aging infrastructure was already a well-known problem to election administrators, the surge of voters experiencing ordinary glitches led to extraordinarily long waits, sometimes stretching over hours. From Pennsylvania to Georgia to Arizona and Michigan, polling places started the day with broken machines leading to long lines, and never recovered.

“In 2016, we learned the technology has security vulnerabilities. Today was a wake-up call to performance vulnerabilities,” said Trey Grayson, the former president of the National Association of Secretaries of State and a member of the 2013 Presidential Commission on Election Administration. Tuesday, Grayson said, showed “the implications of turnout, stressing the system, revealing planning failures, feel impact of limited resources. If you had more resources, you’d have had more paper ballots, more machines, more polling places.”

The election hotline from the Lawyers’ Committee for Civil Rights Under Law clocked 24,000 calls by 6 p.m., twice the rate in the 2014 midterm election. “People were not able to vote because of technical issues that are completely avoidable,” Ryan Snow, of the Lawyers’ Committee, said. “People who came to vote — registered to vote, showed up to vote — were not able to vote.”

“We think we can solve all of these voting problems by adding technology, but you have to have a contingency plan for when each of these pieces fail,” said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy & Technology in Washington, D.C. It appears many of the places that saw electronic poll book failures had no viable backup system.

Hall said that problems with machines and computers force election administrators to become technicians on the spot, despite their lack of training. This exacerbates problems: Poll workers aren’t able to accurately or efficiently report issues to their central offices, leading to delays in dispatches of appropriate equipment or staff.

Perhaps the most embarrassing technological faceplant was in New York City, where the machines used to scan ballots proved no match for wet weather. Humidity caused the scanners to malfunction, leading to outages and long lines.

The breakdowns proliferated up and down the East Coast. Humidity also roiled scanners in North Carolina. In Charleston, South Carolina, an interminable delay driven by a downed voting system drove one person to leave for work before she could cast her ballot. “It felt like a type of disenfranchisement,” she told ProPublica. Voting machine outages in some Georgia precincts stranded voters in hours-long lines. In predominantly black sections of St. Petersburg, Florida, wait times ballooned as voting machines froze.

Some of the pressure on the aging technology was relieved by early and mail-in voting, so that everyone didn’t have to vote on the same day, Grayson said. But many states still require people to cast their ballots on Election Day, and others have added time-consuming procedures such as strict ID requirements.

Those sorts of security measures add their own layers of confusion. Many voters reported never receiving their ballots in the mail. Georgia voter Shelley Martin couldn’t vote because her ballot was mailed to the wrong address — even though she filled out her address correctly, the county election office accidentally changed a 9 to a 0. In Ohio, some in-person voters were incorrectly told they had already received an absentee ballot, because of a computer error.

When people show up at the wrong polling place or have problems with their registration, they are usually entitled to cast a provisional ballot that will be counted once it’s verified. But these problems were so common on Tuesday that some locations ran out of provisional ballots and turned people away, according to North Carolina voters’ reports to ProPublica. In Arizona, some voters were told they couldn’t have provisional ballots because of broken printers. In Pennsylvania, some college students encountered glitches with their registration and said poll workers wouldn’t give them provisional ballots.

A newly implemented law in North Dakota left a handful of college students — many of whom had voted in previous elections — confused and unable to vote. “I was so frustrated because I’ve voted in North Dakota before,” said Alissa Maesse, a student at the University of North Dakota who came to the polls with a Minnesota driver’s license and bank statement with a North Dakota address, but needed a North Dakota driver’s license, identification card or tribal ID. “I can’t participate at all and I wanted to.”

Administrative Error

Administrative stumbling blocks and unhelpful election officials left some voters throughout the day scrambling to figure out where or how they were supposed to vote. Across the country, confusion over new laws and poll worker error forced voters to work with attorneys or drive long distances in an attempt to solve problems.

In Missouri, a last-minute court ruling resulted in chaos across the state. Less than a month before, a judge radically altered the state’s voter ID law to allow more valid forms of identification. By then, poll workers had already been trained. Many enforced the incorrect version of the law.

In St. Charles County, northwest of St. Louis, voters across the county reported that poll workers openly argued with voters who showed identification allowed under the new ruling, demanding old forms of ID. By the end of the evening, the county had ignored demand letters from attorneys at Advancement Project, a civil rights group. Denise Lieberman, an attorney with the group, said it is considering legal remedies due to the county’s “flagrant disregard” for the judge’s ruling.

Rich Chrismer, the director of elections for the county, said he never saw the letters — he was at polling places all day. By late morning, he’d been made aware of 12 different polling locations where poll workers were giving incorrect instructions. He utilized the local police to distribute memos to all 121 polling locations, correcting poll worker instructions. They were distributed by the late morning, and complaints dropped off after that, he said.

Chrismer said training had already happened by the time the judge issued his ruling, but that he’d put new instructions in “four different places” in the packet mailed to poll workers ahead of the election. “They were either ignoring me or they didn’t know how to read, which upsets me,” he said.

Dallas County Clerk Stephanie Hendricks expressed similar frustration at the short window of time allowed by the court to retrain poll workers, update signs and ensure voter understanding.

Hendricks said the small county had to “scrape the bottom of the barrel” for poll workers, who only received 90 minutes of training. This, combined with the very short notice for the legal change, made it difficult to help poll workers understand the law. “The last few elections it’s been photo ID, photo ID, photo ID, and now all of a sudden the brakes have been thrown on. It’s confusing for people,” she said.

The frustrations for Chris Sears began on Friday, when he turned up to cast an early ballot at Cinco Ranch Public Library, a brick building abutting a duck pond in the suburbs west of Houston. Sears, a 43-year-old Texan who works in real estate, had voted at the library in the 2016 election, after moving to the area from adjoining Harris County a year earlier. Now, at the library, poll workers couldn’t find him in their rolls. His only recourse, they told him, was to drive the half hour or so to the Fort Bend County election office. Sears, realizing he wouldn’t make it there and back before early voting closed, decided to go first thing Tuesday morning.

After he explained his situation and presented his driver’s license, which had a local address, the clerk at the election office had a terse message for him. She slid a fresh voter registration application across the counter and told him: “Fill this out, and you’ll be eligible to vote in the next election.” Sears told the clerk he hadn’t moved, and that he’d voted in the last election.

The clerk was unmoved. “What you can do,” the clerk repeated, pointing at the registration form, “is fill this out, and vote in the next election.”

Sears wasn’t alone. As he went back and forth with the clerk, three other men who, like Sears, had moved recently from other Texas counties, came in with near-identical complaints. The clerk gave them the same response she had given Sears. County officials told ProPublica they all should have been offered provisional ballots — not sent across town or told to register again.

Ultimately, Sears would cast a provisional ballot, but he didn’t discover this option until he’d done hours of research to try and hunt down the cause of his problems.

“I finally got to vote,” he said. “But that was after driving across two counties and spending five or six hours of my time trying to determine whether there was a way I could do it.”

Some administrative problems were a bit more bizarre — a polling place in Chandler, Arizona, was foreclosed upon overnight. Voter Joann Swain arrived at the Golf Academy of America, which housed the poll, to find TV news crews and a crowd of people in the parking lot of the type of faux Spanish Mission Revival shopping centers that fleck the desert around Phoenix. Voting booths were arrayed along the sidewalk.

A sign affixed to the building’s locked front door indicated that the landlord has foreclosed on the Golf Academy for failing to pay rent. While poll workers had set up the voting booths the night before, that didn’t appear to matter to the landlord. The sign read: “UNAUTHORIZED ENTRY UPON THESE PREMISES OR THE REMOVAL OF PROPERTY HEREFROM MAY RESULT IN CRIMINAL AND/OR CIVIL PROSECUTION.”

The timing struck Swain as suspect. “Were they trying to make it more difficult for people to vote?” she asked Wednesday. Election officials had provided no answers. “It’s just fishy.”

Swain, who is 47, waited in line for two hours as poll workers promised the machines necessary for voters to print and cast their ballot were on their way from Phoenix. She didn’t want to cast a provisional ballot, for fear it wouldn’t be counted. One man in line who took poll workers up on an alternative to waiting — voting at Chandler City Hall — returned not long after he left. With polling site difficulties cropping up throughout the Phoenix area, he hadn’t been able to vote there either.

To the puzzlement of voters waiting in line, Maricopa County Recorder Adrian Fontes tweeted that the Golf Academy polling place was open. “No it’s not. I’m here,” an Arizonan named Gary Taylor shot back.

Other voters reacted to the situation more volubly. “I got things to do. I can’t stand around all day waiting because these guys can’t do their job,” a voter named Thomas Wood told reporters. “It’s ridiculous. It’s absolutely ridiculous.”

Swain ultimately left at 8:30 a.m. By the time she returned, later in the day, poll workers had set up the voting machines delivered from Phoenix in another storefront in the shopping center. The original machines remained locked in the Golf Academy, she said.

Electioneering

Back East, reports of potentially improper political messages at polling sites had begun to crop up, and the response from election officials highlighted the at times flimsy nature of electioneering laws. On Tuesday morning, a handwritten sign appeared on the door of a polling station near downtown Pittsburgh, which read “Vote Straight Democrat.” County election officials were alerted to the sign in the early afternoon, but by then the sign had been removed, Amie Downs, an Allegheny County spokeswoman, said in a statement.

An official in the county election office, who declined to give her name, blamed the sign on a member of the local Democratic Party committee. “He said he does that every year but never had problems till this year,” she said. Pennsylvania law prohibits electioneering within 10 feet of a polling place, and Downs said it wasn’t clear whether the sign violated the law.

Down the coast, in New Port Richey — a politically mixed cluster of strip malls northwest of Tampa, Florida — Pastor Al Carlisle triggered upward of 75 complaints to Pasco County election officials after he put up a handwritten sign reading “Don’t Vote for Democrats on Tuesday and Sing ‘Oh How I Love Jesus’ on Sunday” outside his church. That wouldn’t be a problem, except that on Election Day, his church doubles as a polling place. Carlisle remained unrepentant. He continued Wednesday to trumpet the sign on his Facebook page, mixed among posts conflating religious faith with support for President Donald Trump.

Local election officials, however, stopped at mild censure. Pasco County election chief Brian Corley told the Tampa Bay Times the sign was “not appropriate” but legal, since Carlisle had placed it only just more than 100 feet away from where voters were casting their ballot.

Later in the day, some voters complained about large posters opposing abortion — an example: “God Doesn’t Make Mistakes, Choose Life” — plastered on the walls of a church gymnasium in Holts Summit, Missouri, used as a polling place. Despite the political implications, election officials told local radio station KBIA that the posters were legal because there were no abortion-related issues on the ballot.

Behind the scenes, officials nationwide were addressing gaps in website reliability and security. In Kentucky, a handful of county websites that provided information to voters flickered offline for parts of the day. State officials said the issue was likely a technical problem not caused by a malicious attack.

But several states meanwhile alerted U.S. election-security officials to efforts of hackers scanning their computer systems for software vulnerabilities. Days before the election, a county clerk’s office said its email account was compromised and its messages forwarded to a private Gmail address, according to a person familiar with the matter who was not authorized to discuss it publicly.

As polls closed Tuesday evening, back in New York, the crowds and ballot scanner failures remained. At one school in Brooklyn that had seen long lines in the morning, the wait to vote at 7 p.m. was no better — still upward of two hours, Emily Chen told ProPublica. By the end of the day, the New York City Council speaker had called for the elections director’s resignation, and the mayor had denounced the technical snags as “absolutely unacceptable.”

Down the coast, in Broward County, Florida, just north of Miami, election officials were struggling with a technical failure of a different sort. Seven precincts were unable to transmit vote tallies electronically. This time, it would force election officials to internalize what voters had suffered throughout much of the day. Around 11 p.m., they walked out into the balmy South Florida night, got into their cars and drove the voter files to the county election office.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Mail-Only Voting In Oregon: Easy, Simple, And Secure. Why Not In All 50 States?

Hopefully, you voted today. A democracy works best when citizens participate. And voting is one way to participate.

If you already stood in line to vote, or if your state was one which closed some polling places, know that it doesn't have to be this way. Consider Oregon. Not only is the process there easier and simpler, but elections officials in Oregon don't have to worry as much as officials in other states about hacks and tampering. Why? They don't have voting machines. Yes, that's correct. No voting machines. No polling places either.

NBC News explained:

"Twenty years ago, Oregon became the first state in the nation to conduct all statewide elections entirely by mail. Three weeks before each election, all of Oregon's nearly 2.7 million registered voters are sent a ballot by the U.S. Postal Service. Then they mark and sign their ballots and send them in. You don't have to ask for the ballot, it just arrives. There are no forms to fill out, no voter ID, no technology except paper and stamps. If you don't want to pay for a stamp, you can drop your ballot in a box at one of the state's hundreds of collection sites."

Reportedly, Washington and Colorado also have mail-only voting. Perhaps most importantly, Oregon gets higher voter participation:

"In the 2014 election, records showed that 45 percent of registered voters 34 and under marked a ballot — twice the level of many other states."

State and local governments across the United States use a variety of voting technologies. The two dominant ones are optical-scan ballots and direct-recording electronic (DRE) devices. Optical-scan ballots are paper ballots where voters fill in bubbles or other machine-readable marks. DRE devices include touch-screen devices that store votes in computer memory. A study in 2016 found that half of registered voters (47%) live in areas that use only optical-scan as their standard voting system, about 28% live in DRE-only areas, 19% live in areas with both optical-scan and DRE systems, and about 5% of registered voters live in areas that conduct elections entirely by mail.

Some voters and many experts worry about areas using old, obsolete DRE devices that lack software and security upgrades. An analysis earlier this year found that the USA has made little progress since the 2016 election in replacing antiquated, vulnerable voting machines; and done even less to improve capabilities to recover from cyberattacks.

Last week, the Pew Research Center released results of its latest survey. Key findings: while nearly nine-in-ten (89%) Americans have confidence in poll workers in their community to do a good job, 67% of Americans say it is very or somewhat likely that Russia (or other foreign governments) will try to influence the midterm elections, and less than half (45%) are very or somewhat confident that election systems are secure from hacking. The survey also found that younger voters (ages 18 - 29) are less likely to view voting as convenient, compared to older voters.

Oregon's process is more secure. There are no local electronic DRE devices scattered across towns and cities that can be hacked or tampered with, and that don't provide paper backups. The paper ballots are stored in a secure place after the election, so if there is a question about the count, elections officials can perform recounts for the communities that need them. According to the NBC News report, Oregon's Secretary of State, Dennis Richardson, said:

"You can't hack paper"

Oregon posts results online at results.oregonvotes.gov starting at 8:00 pm on Tuesday. Residents of Oregon can use the oregonvotes.gov site to check their voter record, track their ballot, find an official drop box, check election results, and find other relevant information.

Oregon's process sounds simple, comprehensive, more secure, and easy for voters. Voters don't have to stand in long lines, nor take time off from work to vote. If online retailers can reliably fulfill consumers' online purchases via package delivery, then elections officials in local towns and cities can -- and should -- do the same with paper ballots. Many states already provide absentee ballots via postal mail, so a mail-only process isn't a huge stretch.


Data Breach Affects 75,000 Healthcare.gov Users

On Friday, the Centers For Medicare and Medicaid Services (CMS) announced a data breach at a computer system which interacts with the Healthcare.gov site. Files for about 75,000 users -- agents and brokers -- were accessed by unauthorized persons. The announcement stated:

"Earlier this week, CMS staff detected anomalous activity in the Federally Facilitated Exchanges, or FFE’s Direct Enrollment pathway for agents and brokers. The Direct Enrollment pathway, first launched in 2013, allows agents and brokers to assist consumers with applications for coverage in the FFE... CMS began the initial investigation of anomalous system activity in the Direct Enrollment pathway for agents and brokers on October 13, 2018 and a breach was declared on October 16, 2018. The agent and broker accounts that were associated with the anomalous activity were deactivated, and – out of an abundance of caution – the Direct Enrollment pathway for agents and brokers was disabled."

CMS has notified and is working with Federal law enforcement. It expects to restore the Direct Enrollment pathway for agents and brokers within the next 7 days, before the start of the sign-up period on November 1st for health care coverage under the Affordable Care Act.

CMS Administrator Seema Verma said:

"I want to make clear to the public that HealthCare.gov and the Marketplace Call Center are still available, and open enrollment will not be negatively impacted. We are working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection."

Sadly, data breaches happen -- all too often within government agencies and corporations. It should be noted that this breach was detected quickly -- within 3 days. Other data breaches have gone undetected for weeks or months; and too many corporate data breaches affected millions.

 


New York State Attorney General Expands Investigation Into Fraudulent 'Net Neutrality' Comments Submitted To FCC

The Attorney General (AG) for New York State has expanded its fraud investigation regarding net neutrality comments submitted to the U.S. Federal Communications Commission (FCC) website in 2017. The New York Times reported that the New York State AG has:

"... subpoenaed more than a dozen telecommunications trade groups, lobbying contractors and Washington advocacy organizations on Tuesday, seeking to determine whether the groups submitted millions of fraudulent public comments to sway a critical federal decision on internet regulation... The attorney general, Barbara D. Underwood, is investigating the source of more than 22 million public comments submitted to the F.C.C. during the battle over the regulations. Millions of comments were provided using temporary or duplicate email addresses, while others recycled identical phrases. Seven popular comments, repeated verbatim, accounted for millions more. The noise from the fake or orchestrated comments appears to have broadly favored the telecommunications industry..."

Also this month, the Center For Internet & Society reported the results of a study at Stanford University (bold emphasis added):

"In the leadup to the FCC's historic vote in December 2017 to repeal all net neutrality protections, 22 million comments were filed to the agency. But unfortunately, millions of those comments were fake. Some of the fake comment were part of sophisticated campaigns that filed fake comments using the names of real people - including journalists, Senators and dead people. The FCC did nothing to try to prevent comment stuffing and comment fraud, and even after the vote, made no attempt to help the public, journalists, policy makers actually understand what Americans actually told the FCC... This report used the 800,000 comments Kao identified as semantic standouts from form letter and fraud campaigns. These unique comments were overwhelmingly in support of keeping the 2015 Open Internet Order - in fact, 99.7% of comments opposed the repeal of net neutrality protections. This report then matched and sorted those comments to geographic areas, including the 50 states and every Congressional District..."

An investigation in 2017 by the New York State AG found that about 2 million of the comments submitted to the FCC about net neutrality "stole real Americans' identities." A follow-up investigation found that more than 9 million comments "used stolen identities."

The FCC, led by Trump appointee Ajit Pai, a former Verizon lawyer, repealed last year both broadband privacy and net neutrality protections for consumers. The FCC has ignored requests to investigate comments fraud. A December 2017 study of 1,077 voters found that most want net neutrality protections. President Trump signed the privacy-rollback legislation in April 2017. A prior blog post listed many historical abuses of consumers by some ISPs.

Some of the organizations subpoenaed by the New York State AG include (links added):

"... Broadband for America, Century Strategies, and MediaBridge. Broadband for America is a coalition supported by cable and telecommunications companies; Century Strategies is a political consultancy founded by Ralph Reed, the former director of the Christian Coalition; and MediaBridge is a conservative messaging firm..."

Reportedly, the New York AG has requested information from both groups which opposed and supported net neutrality protections. The New York AG operates a website where consumers can check for fake comments submitted to the FCC. (When you check, enter your name in quotes for a more precise search. And check the street address, since many people have the same name.) I checked. You can read my valid comment submitted to the FCC.

This whole affair is another reminder of how to attack and undermine a democracy by abusing online tools. A prior post discussed how social media has been abused.


NPR Podcast: 'The Weaponization Of Social Media'

Any technology can be used for good, or for bad. Social media is no exception. A recent data breach study in Australia listed the vulnerabilities of social media. A study in 2016 found, "social media attractive to vulnerable narcissists."

How have social media sites and mobile apps been used as weapons? The podcast below features an interview of P.W. Singer and Emerson Brooking, authors of a new book, "LikeWar: The Weaponization of Social Media." The authors cite real-world examples of how social media sites and mobile apps have been used during conflicts and demonstrations around the globe -- and continue to be used.

A Kirkus book review stated:

"... Singer and Brooking sagely note the intensity of interpersonal squabbling online as a moral equivalent of actual combat, and they also discuss how "humans as a species are uniquely ill-equipped to handle both the instantaneity and the immensity of information that defines the social media age." The United States seems especially ill-suited, since in the Wild West of the internet, our libertarian tendencies have led us to resist what other nations have put in place, including public notices when external disinformation campaigns are uncovered and “legal action to limit the effect of poisonous super-spreaders.” Information literacy, by this account, becomes a “national security imperative,” one in which the U.S. is badly lagging..."

The new book "LikeWar" is available at several online bookstores, including Barnes and Noble, Powell's, and Amazon. Now, watch the podcast:


Uber To Pay $148 Million To Settle Lawsuits And Coverup From Its 2016 Data Breach

California-based Uber Technologies, Inc. has agreed to pay $148 million to settle lawsuits by several states' attorneys general regarding the ride-sharing service's massive data breach in 2016 where hackers stole information about 57 million Uber customers and drivers worldwide, including 600,000 U.S. driver's license numbers. The breach problems were compounded by allegations that Uber paid the hackers $100,000 for their silence, and by the company's failure to notify both state agencies and affected consumers about the breach.

Josh Shapiro, the Attorney General (AG) for the State of Pennsylvania, announced on Wednesday the settlement agreement, which includes a coalition of 51 state AGs:

"In November 2016, Uber learned that hackers had gained access to some personal information Uber maintains about its drivers, including drivers’ license information for about 600,000 drivers nationwide. Instead of reporting the breach to law enforcement and impacted individuals, Uber tracked down the hackers and obtained assurances that the hackers deleted the information – and made payments to ensure their silence... Since some of the compromised information – specifically driver’s license numbers – is considered personally identifiable information (PII), Uber was required to notify impacted individuals under the Pennsylvania Breach of Personal Information Notification Act. However, Uber failed to report the breach until November 2017."

13,500 Uber drivers in Pennsylvania were affected by the breach. Pennsylvania's share of the total payment is $5.7 million. Each Uber driver in Pennsylvania will receive $100.

48 states have data breach notification laws requiring various levels of notifications to both state officials and affected consumers, who need notice in order to take action to protect themselves and their sensitive personal and payment information.

Massachusetts' share of the total payment is $7.1 million, of which $6.5 million will be distributed to the Commonwealth’s General fund and $600,000 will be used to assist consumers and businesses. Massachusetts AG Maura Healey said:

"Uber failed to immediately report this data breach and tried to pay hush money to hackers. This settlement should be a lesson to other businesses that consumers have a right to know when their personal information has been compromised."

California's share of the total payment is $26 million. California AG Xavier Becerra said:

"Uber’s decision to cover up this breach was a blatant violation of the public’s trust. The company failed to safeguard user data and notify authorities when it was exposed. Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law. Companies in California and throughout the nation are entrusted with customers’ valuable private information. This settlement broadcasts to all of them that we will hold them accountable to protect their data."

San Francisco District Attorney George Gascon said:

"We wholeheartedly support innovative business models, but new ways of engaging in business cannot come at the expense of public safety or consumer privacy. This settlement today demonstrates what happens when all of us in law enforcement work together. My office will continue to collaborate closely with the Attorney General to protect consumers both in San Francisco, and the rest of California."

Terms of the settlement agreement require Uber and its executives to:

"1. Implement and maintain robust data security practices.
2. Comply with state laws in connection with its collection, maintenance, and safeguarding of personal information, as well as reporting of data security incidents.
3. Accurately and honestly represent data security and privacy practices to better ensure transparency in how the company’s driver and customer information is safeguarded.
4. Develop, implement, and maintain a comprehensive information security program with an executive officer who advises key executive staff and Uber’s Board of Directors.
5. Report any data security incidents to states on a quarterly basis for two years.
6. Maintain a Corporate Integrity Program that includes a hotline to report misconduct, quarterly reports to the board, implementation of privacy principles, and an annual code of conduct training".

Uber and its executives have a long history of sketchy behavior including the 'Greyball' worldwide program by executives to thwart code enforcement inspections by governments, dozens of employees fired or investigated for sexual harassment, a lawsuit describing how the company's mobile app allegedly scammed both riders and drivers, and privacy abuses with the 'God View' tool.

This breach settlement is another reminder that Uber and its executives deserve close monitoring and supervision.


Voting in America Is NUTS. Here’s How to Plan Ahead.

[Editor's note: during the last two years, the voting process has changed in many areas in the United States. Today's guest post by reporters at ProPublica explains the changes, and provides advice for voters. It is reprinted with permission.]

By Cynthia Gordy Giwa, ProPublica

Hi, welcome back! Since last time, you’ve learned how online political advertising gets targeted to you, and you had a peek at ads aimed at other people (or ads that campaigns don’t want you to see).

This week, let’s get you ready to vote. There are three key questions you should ask:

  1. Are you registered to vote?
  2. Do you know where your polling place is?
  3. Do you know what you need to bring with you?

The answers aren’t as straightforward as you might think. With 50 states and more than 10,000 voting jurisdictions that run elections different ways, answering even these basic questions can get tricky. Oh, and since the 2016 election, state legislatures have enacted more than 500 new voting laws. This means almost every state has changed something about its voting process. Our patchwork voting system isn’t just confusing for you, the voter. It also makes it hard to keep track of how well our elections are actually being run.

Welcome to Electionland

(Hey, now — no Electionland slander on my watch! I promise, this’ll be a good time.)

Electionland, a coalition of hundreds of newsrooms around the country, is working to change this. Its reporters monitor problems that can stop voters from casting their ballots, like changed voting locations, flyers with false information, voter purges, broken machines and hacking. Led by ProPublica, Electionland uses data and technology to track problems, in real time, at every stage of the voting process.

We’ll talk more about what those problems look like and what they might mean for your community. In the meantime, let’s make sure you’re set for November.

So, Are You Registered?

You’ve still got time to make this voting thing official! If you’re not registered to vote, you can learn more about how to fix that through your state’s elections website.

Even if you’re pretty sure you’ve handled it already, take a moment to get 100 percent certain. On the morning of New York’s primary elections in September, we saw a whole frenzy of tweets like this...

And this...

As WNYC’s Gothamist, an Electionland partner, reported, an untold number of voters arrived at their polling sites only to find their names mysteriously missing from the rolls, or their registration transferred to new districts. Election officials regularly clean up their voter rolls to get rid of inactive voters who have died or moved and forgotten to update their information. But mistakes are often made, and active voters can get swept off the rolls too.

Vote.org has a handy tool that lets you verify your voter registration in seconds.

Absentee Voting

If you’re an out-of-state college student, you can register to vote either in your home state or where you attend college. If you decide to register in your home state, you’ll need to request an absentee ballot, which you receive by mail before the election.

Also called mail-in voting, absentee voting trips up a lot of students. In a recent study, 23 percent of students cited not getting an absentee ballot in time as their reason for not voting. Don’t let this be you!

Absentee voting isn’t just for college students, though. You may also need mail-in voting if you:

  • are out of your county on Election Day
  • are sick or have a physical disability that makes it hard to get to the polls
  • are active duty in the U.S. military
  • work a required shift that coincides with polling hours

The rules for absentee ballots, and who is allowed to use them, vary based on where you live. (That patchwork voting system strikes again!)

  • 20 states require you to give them a good reason for voting absentee
  • 27 states and the District of Columbia let you do it without giving an excuse.
  • And, fun fact: in Colorado, Oregon and Washington, everyone votes by mail.

If you want to request an absentee ballot, you should request it early — election offices are slammed in the weeks before Election Day. Your secretary of state’s website has more details about the local rules and deadlines.

There are also 37 states that offer some kind of early voting. Again, your secretary of state’s website has more details about the local rules and deadlines.

Where to Go on Election Day…

Next, you should look up your polling place. Even if you’ve voted recently, polling locations change, so just showing up wherever you voted the last time might not work out. Double check on the official site of your secretary of state.

When you actually hit the polls, you might face long lines — sometimes as a sign of problems at your location, sometimes as a sign of voter enthusiasm. In Maricopa County, Arizona, where some voters waited in lines up to two hours during this year’s primaries, the Arizona Republic (an Electionland partner) found that it was a little of both. Be prepared!

… And What to Bring

If you’re a first-time voter, you are required to show identification at the polls. And in some states, all voters have to present ID. But what you’ll need to bring varies by state. Sometimes drastically.

Strict Photo ID

Some states require voters to show government-issued photo identification, like a driver’s license or U.S. passport.

Strict Non-Photo ID

In some states, non-photo ID with your name and address, such as a utility bill or bank statement, is required.

Non-Strict Voter ID

Then there are the states that request either of these forms of ID, but it’s not required for you to vote.

Under this category, you can still vote through alternative options like signing an identity affidavit, having election officials vouch for your identity or voting on a provisional ballot that is double-checked by your local election officials. (But, like all things on Nov. 6, options come down to the state.)

No Document Required to Vote

Finally, in some states, you don’t have to show any ID at all! Unless you’re a first-time voter. Then you do. 🙃

You can learn more about the nuances of your state’s special brand of voter ID requirements at your secretary of state’s site.

To Recap:

Homework and Additional Reading

Don’t forget, Electionland is monitoring the voting experience nationwide, and we’re inviting you to help. If you had problems completing any of the steps in this guide, we want to hear about it.

From now through Election Day, you can tell us about voting problems in your area. In 2016, nearly 4,000 voters reported problems they experienced or saw to Electionland, from names incorrectly missing from the voter rolls to shady information shared online. We’re listening!

Check out a few of Electionland’s latest investigations:

We’re getting off to a great start. Next week’s topic: what your current representatives actually stand for. I can’t wait to share more with you then!

Cynthia Gordy Giwa Proud ProPublican

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


The Overlooked Weak Link in Election Security

[Editor's note: today's guest post, by reporters at ProPublica, discusses voting and elections security within the United States. It is reprinted with permission.]

By Jack Gillum and Jessica Huseman, ProPublica

More than one-third of counties that are overseeing elections in some of the most contested congressional races this November run email systems that could make it easy for hackers to log in and steal potentially sensitive information.

A ProPublica survey found that official email accounts used by 11 county election offices, which are in charge of tallying votes in 12 key U.S. House of Representatives races from California to Ohio, could be breached with only a user name and password — potentially allowing hackers to vacuum up confidential communications or impersonate election administrators. Cybersecurity experts recommend having a second means of verifying a user’s identity, such as typing in an additional code from a smartphone or card, to thwart intruders who have gained someone’s login credentials through trickery or theft. This system, known as two-factor verification, is available on many commercial email services.

“Humans are horrific at creating passwords, which is why ‘password’ is the most commonly used password,” said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology in Washington, D.C., who has pushed for security fixes in the voting process. “This means increasingly we need something other than passwords to secure access to our accounts, especially email, which tends to undergird all our other accounts.”
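The second-factor check described above, as an added example that is not part of ProPublica's report: a time-based one-time code (TOTP, RFC 6238) is verified alongside the password, so a password captured by phishing is not enough on its own. The `Account` class, its method names and the sample password are hypothetical; the secret is the published RFC 6238 test key, and the ±1 step drift window and the replay rule are choices made for this illustration.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # RFC 6238 default time step
DRIFT_STEPS = 1     # assumption: tolerate one step of clock drift either way


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP keyed on the number of elapsed time steps."""
    return hotp(secret, int(now) // STEP_SECONDS, digits)


class Account:
    """Hypothetical mailbox account; totp_secret=None means password-only."""

    def __init__(self, password: str, totp_secret: Optional[bytes] = None):
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(password)
        self._totp_secret = totp_secret
        self._last_step = -1  # highest time step already accepted

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(),
                                   self._salt, 100_000)

    def login(self, password: str, code: Optional[str] = None,
              now: Optional[float] = None) -> bool:
        # Factor 1: something the user knows.
        if not hmac.compare_digest(self._hash(password), self._pw_hash):
            return False
        if self._totp_secret is None:
            return True  # password-only: a stolen password is sufficient
        if code is None:
            return False
        # Factor 2: something the user has (the device holding the secret).
        current = int(time.time() if now is None else now) // STEP_SECONDS
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if step < 0 or step <= self._last_step:
                continue  # never accept a code from an already-used step
            expected = hotp(self._totp_secret, step).encode()
            if hmac.compare_digest(expected, code.encode()):
                self._last_step = step
                return True
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"        # RFC 6238 test key
    pw = "constructed-sample-password"   # constructed for this example
    print("password-only, stolen password:", Account(pw).login(pw))
    acct = Account(pw, key)
    print("2FA, stolen password only:", acct.login(pw, now=59))
    print("2FA, password + code:", acct.login(pw, totp(key, 59), now=59))
    print("2FA, same code replayed:", acct.login(pw, totp(key, 59), now=59))
```

Rejecting any code from a time step that was already accepted means a code captured in transit cannot be reused, even inside its 30-second validity window.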

The email vulnerabilities emerged in ProPublica’s survey of election security in 27 counties encompassing all or part of roughly 40 congressional districts that the Cook Political Report has said are toss-ups. These contests could determine if Democrats take control of the U.S. House of Representatives, where the party needs to pick up about two dozen seats to flip the current Republican majority. Of the 12 districts in counties with less protected email systems, Republicans are seeking re-election in 10. The other two are open seats where incumbents are stepping down.

Much attention has focused on the potential to hack voting machines. In the “Voting Village” at the Def Con security conference this summer in Las Vegas, hackers sought to compromise a handful of machines. But lax protections for internet-connected systems like email servers may pose just as serious a threat.

The lack of two-factor verification may have helped Russian hackers ultimately gain access to the Democratic National Committee’s network in April 2016, according to a federal indictment. Prosecutors say a Democratic campaign employee unwittingly put her password into a spearphishing email – a targeted message meant to dupe users into sharing their login information. Russian hackers also tricked John Podesta, Hillary Clinton’s campaign chairman, into handing over his password, enabling an embarrassing leak of his emails weeks before the election.

Even a program created by the Kansas secretary of state’s office to prevent voter fraud was vulnerable to snooping, ProPublica reported last year. The program, Crosscheck, sought to identify voters casting ballots in more than one state by comparing the rolls across states. But its files were hosted on an insecure server, and program officials regularly shared user names and passwords—many of them overly simplistic—for the site by email as late as 2017. Crosscheck paused operations in 2018 because of concerns about security and accuracy, and it is unclear when it will begin matching rolls again. The Kansas Secretary of State’s office did not return a request for comment.

A different kind of cyber-attack in 2016 manipulated the software code behind Illinois’ voter-registration system to expose the personal details of thousands of people. Matt Dietrich, a spokesman for the state board of elections, said the flaws that allowed the penetration have been fixed. Special counsel Robert Mueller charged 12 Russians this past July in connection with an unspecified breach that Illinois officials said was very likely the attack on the voter registration database.

“This wasn’t about to steal votes, but to create havoc,” Dietrich said. “If you can steal a voter database, and then go in and mess up the poll books that election judges rely on to check off voters, that’s going to be the story: That the United States can’t run a competent election.”

Using a checklist developed by Harvard’s Belfer Center for Science and International Affairs, ProPublica asked county election officials about their email systems, as well as about cybersecurity protections for voting machines and computers that check in voters at polling sites. Voter registration is generally handled at the state level, while counties administer elections and are responsible for protecting voting machines and verifying end-of-night vote tallies that determine winners.

Funded by local taxes, counties are generally run by elected commissioners and often have centralized IT staff overseeing email services for departments ranging from the medical examiner to public works. As a result, elections officials have to compete for IT resources and attention.

Most of the counties interviewed said they had bulletproofed their computer systems and voting equipment. Joel Miller, an election official in Linn County, Iowa, said the county has recently put in place two-factor authentication requirements for its email systems. “We all need minimum standards for network security,” he said. “We weren’t up to date until recently.”

The counties with vulnerable email systems ranged in population from Orange County, California, with 3.1 million people to Olmsted County, Minnesota, with 155,000. Orange County elections director Neal Kelley said he’d prefer to have two-factor authentication. It hasn’t been implemented yet, but is “on the short horizon,” he said. There are two toss-up House races in Orange County.

Noah Praetz, the director of elections for Cook County, Illinois, except the city of Chicago, said his office “lacks a little bit of control” when it comes to changing IT systems because the county-run network serves more than 24,000 employees. He said the county government doesn’t require two-factor authentication for employees to log into emails.

One county reported two problems. Fayette County, Kentucky, which includes Lexington, told ProPublica its electronic voting machines don’t produce a separate paper trail for voters to verify their choices. Nor does it use two-factor authentication on its email system. Fayette, one of the state’s largest counties, is home to a chunk of Kentucky’s 6th congressional district, where a once-safe Republican incumbent is facing an unexpectedly competitive challenger.

Don Blevins, the Fayette elections chief, told ProPublica his county is not at risk for an email hack that would affect voting or registration. “I don’t question that two-factor authentication is better,” he said, but added, “Since we don’t use email to conduct voting, nor voter registration, then the level of security is moot.”

Besides Orange, Olmsted, Cook, and Fayette, the counties without two-factor authentication were: Arapaho County, Colorado; Linn County, Hennepin County, and Dakota County, Minnesota; Hamilton County, Ohio; King County, Washington; and Harris County, Texas.

Some counties have secured their emails but had other shortcomings. Shawnee County, Kansas, said it doesn’t yet have countermeasures to stop hackers from bringing down its website by overloading it with malicious traffic. If such a denial-of-service attack takes the site offline, election commissioner Andrew Howell said, officials would instead publish election results on social media.

Five of the 27 counties surveyed did not respond to multiple emails or phone calls from ProPublica: Polk County, Iowa; St. Louis County, Minnesota; Ocean County and Essex County, New Jersey; and Oneida County, New York.

U.S. law enforcement officials and cybersecurity experts have been working with states in the months leading up to the November midterms to improve election security. States are using some of the $380 million in newly earmarked federal funds to test for vulnerabilities and recruit and train IT staff, according to congressional testimony from the National Association of Secretaries of State.

Fixing technical problems isn’t cheap, and county governments have had to make hard choices when prioritizing spending. Tammy Patrick, a former election administrator in Arizona and now a senior adviser at the nonprofit Democracy Fund, said counties may consider it more urgent to replace outdated voting machines than to fix email systems.

That said, even short-lived IT security problems may have a corrosive effect on public trust in the accuracy of ballot results. “The last thing you want to do on Election Day is face problems you could have easily dealt with before then,” Hall, the technologist, said. “Officials will dismissively say, ‘It hasn’t happened to us.’ But with that attitude, you’re building a castle on sand.”

Ally Levine, Lilia Chang and Blake Paterson contributed to this report.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


How the Trump Administration Went Easy on Small-Town Police Abuses

[Editor's note: today's guest post, by reporters at ProPublica, explores allegations of inequities in law enforcement in the United States. It is reprinted with permission.]

By Ian MacDougall, ProPublica

On a chilly morning in December 2016, 12-year-old Bobby Lewis found himself sitting in a little room at the police station in Ville Platte, a town of 7,300 in southern Louisiana. He wasn’t sure exactly how long it had been, but the detective grilling him had been at it for some time. Bobby was a middle school student — a skinny kid with a polite demeanor — and though he got in trouble at school from time to time, he wasn’t used to getting treated like this. He was alone, facing the detective without a parent or a lawyer.

A blank piece of paper sat on the table in front of Bobby. He and his friends were thieves, the detective insisted. They sold drugs. They trafficked guns. The detective brushed off Bobby’s denials. She knew what he was up to, and if he didn’t write it all down — inform on his friends and confess to his crimes — she’d charge him. She’d confiscate his dog, Cinnamon, she told him. She’d throw his mother in jail. Bobby was nothing but a “B” and an “MF,” as he later relayed the detective’s words to me, sheepish about repeating them. When his mother finally turned up at the station house, it seemed only to enrage the detective further. “Wipe that fucking smile off your face, and sit up in that fucking chair,” Bobby and his mother recall the detective barking at him.

Earlier that day, Bobby told me, he had been walking home from a friend’s house when a police cruiser pulled up alongside him. He recognized one of the officers. Her name was Jessica LaBorde, but like most people in Ville Platte, Bobby knew her only as Scrappy. The sobriquet was too fitting not to stick. Profanity prone in the extreme, LaBorde was known for her tinderbox temper and hostile disposition. She styled herself like a Marine drill sergeant — fastidiously pressed police blues, jet-black hair pulled back tight — and she would become Bobby’s interrogator. (LaBorde did not respond to calls or a detailed list of questions about the incident.)

Somebody had put a rock through a window in one of the abandoned houses that litter Ville Platte, and a neighbor had seen three boys taking shelter from the rain under a carport nearby. But, the neighbor later told Bobby’s mother, Charlotte Lewis, he didn’t know which of the boys had thrown the rock. Bobby admitted he had been there but insisted he wasn’t the culprit.

Police need probable cause — evidence sufficient to show there’s a fair likelihood that a person committed a crime — to take someone into custody. Generally, an officer can’t detain somebody just because that person was near the scene of a crime. “Mere propinquity,” the U.S. Supreme Court has written, “does not, without more, give rise to probable cause.” Whether LaBorde didn’t know that or didn’t care, she ordered Bobby into the back of her squad car.

LaBorde didn’t call Bobby’s mother to tell her that her 12-year-old was in custody, according to a complaint Lewis later filed with the police department. But eventually another officer did. Lewis says she told the officer not to let anybody question her son until she got there. She had to wait out a morning downpour before she could walk to the station house.

Lewis was familiar with LaBorde’s rough reputation. Still, she told me, she was shocked by how her son was treated. “She cussed him out like he’s a stray dog,” she said. “It’s like my child is a convict or a criminal.” After two hours of pressing Bobby fruitlessly, LaBorde finally let him go — but not before charging him with criminal mischief, police records show. (A judge later dismissed the charge, Lewis told me; a friend admitted throwing the rock.)

Two weeks later, on Dec. 19, the U.S. Department of Justice issued a scathing report on policing in Ville Platte and surrounding Evangeline Parish. The investigation found that, for decades, the city Police Department and the parish Sheriff’s Office maintained an unwritten policy of jailing people without probable cause — for days and even weeks at a time — to pressure them to cooperate with law enforcement. These “investigative holds” ensnared anybody who might know something about criminal activity, from a suspect to a potential witness to a suspect’s relatives. As the Justice Department report put it, “Literally anyone in Evangeline Parish or Ville Platte could be arrested and placed ‘on hold’ at any time.” Many were. From 2012 to 2014 alone, the police unlawfully held at least 700 people in Ville Platte — close to a tenth of the town’s residents.

That, the report concluded, amounted to “a pattern or practice of unconstitutional conduct.” To end this cycle of abuses, the report prescribed an array of institutional changes to eliminate investigative holds, such as imposing new department protocols and overhauling training regimens.

The case wasn’t merely about Ville Platte. The Justice Department lawyers viewed it as a template. Similar policing practices exist in scores of towns and villages across the country, and Justice Department officials selected Ville Platte precisely because it was a pure embodiment of a widespread problem. They hoped it would provide a model for reform at other police departments.

Justice Department officials planned to negotiate a consent decree — a long-term reform plan supervised by a federal judge — with local officials. Systemic police reform was a defining feature of the Obama-era Justice Department, which considered judicial oversight key to dislodging unlawful practices as firmly entrenched as investigative holds were in Ville Platte.

But Jeff Sessions, who took office as attorney general just months after the Justice Department report, has a different view. He considers his predecessors’ reform efforts, particularly via consent decree, to be gross federal overreach that denigrates and demoralizes police. Sessions all but declared that the Justice Department was getting out of the business of meaningful police reform. There would be no consent decree in Ville Platte. Instead, the result is what former Justice Department officials say is an anemic reform plan, announced in June, that largely leaves the future of policing there to the police.

There’s little reason, they say, to expect that this plan will induce law enforcement in Ville Platte to change its ways. The town’s policing culture is defined by arbitrary arrest and detention — and it has been for a long time. It’s a culture that’s proven intensely resistant to change. “You do what you know,” one former Ville Platte police official told me. “And that’s all they know.”

When Neal Lartigue joined the Ville Platte Police Department in 1991, investigative holds were part of his training. “I’ve been here 27 years, and that was going on before I started,” he told me when I visited Ville Platte early this year. The practice was never enshrined in any manual, but it was as good as official policy at both the department and the Evangeline Parish Sheriff’s Office, which is headquartered in Ville Platte. (For its part, the Sheriff’s Office didn’t have a policy manual at all until last year.)

Lartigue rose to become the Police Department’s narcotics officer, and in that role, he was a regular practitioner of investigative holds, according to a former police official who worked with him during that time. Lartigue would “put people in jail” — people he thought might be drug users or small-time dealers — “and he’d make them sit there, and say: ‘You gonna tell me something? I know you ain’t got the drugs, but you’re getting them from somebody. Who you getting them from?’” the former police official told me.

It was an unnerving experience. Lartigue is an intimidating figure — a stern, laconic man with a shaved head and a stout frame. If his detainee pleaded ignorance, the former official said, Lartigue’s response was inevitably, “Well, then you’re gonna sit in jail till you decide you want to talk.” (Lartigue did not respond to requests for comment on his practices as an officer.)

Nothing had changed by 2006, when Lartigue was elected chief of police, a position he holds today. Investigative holds remained a basic policing tool in Ville Platte, like dusting for fingerprints or mapping a crime scene. According to the Justice Department report and former local law enforcement officials, the purpose of most investigative holds was to obtain information from a reticent subject: a confession from a suspect, details from a potential witness, denunciations from a prospective informant. On occasion, the point was simpler: to keep a suspect from getting in the way while a detective gathered enough evidence to support an arrest warrant, the probable cause needed to arrest the suspect in the first place. Age was no limiting factor. The Justice Department found more than two dozen instances in which juveniles were subjected to investigative holds.

Detainees — even those suspected of no wrongdoing — were strip-searched, booked and thrown in a jail cell, without access to a phone or a lawyer. The intermittent interrogations that followed, the Justice Department noted in its report, carried out “under the threat of continued, secret, indefinite detention,” raised the specter of “coerced statements or false confessions” and, worse, “improper criminal convictions.”

In 1991, the year Lartigue became a patrolman, the Supreme Court held that if police make an arrest without a warrant, they have to get a judge to verify that the arrest was based on probable cause “as soon as is reasonably feasible, but in no event later than 48 hours after arrest.” Police are not allowed, the high court said, to delay going to a judge “for the purpose of gathering additional evidence to justify the arrest.” Yet, investigative holds were unilateral in Ville Platte; judges were never asked to determine whether each arrest and detention was in line with the law.

Local officials maintain that the holds were an innocent outgrowth of parochialism. “We never intended to violate anyone’s constitutional rights,” Lartigue told local media after the Justice Department issued its 2016 report. The prevailing belief in Ville Platte, the Justice Department found, was that law enforcement could legally jail anybody for up to 72 hours without probable cause — a view of the law that had been wrong for more than half a century.

Ville Platte is a deeply isolated place. It sits on the upper edge of the Cajun Prairie, a plain of humid farmland flecked with palmettos, crawfish ponds and live oak that sprawls north from the marshy cane fields nearer to the Gulf of Mexico. In French, the words “ville platte” mean “flat town,” a name that, legend has it, was conferred by one of Napoleon’s former officers. Passing through in the 1850s, the landscape architect Frederick Law Olmsted lamented the tedium of the region’s “immense moist plain.”

The construction of Interstate 49, in the mid-1980s, bypassed Ville Platte and left it all the more sequestered. Apart from a few annual events, such as the summer Festival de la Viande Boucanée (the Festival of Smoked Meat), Ville Platte has few attractions to draw outsiders. It retains a distinctive sense of place. Gas stations still advertise boudin, cracklin and tasso. It’s not uncommon to run into some locals who speak the regional French dialect.

The other side of Ville Platte’s isolation is its poverty. Little gabled houses of shingle and clapboard are left abandoned to rot and collapse in the Woods, south of Main Street. In Crosstown, on the north side, the Parkview Shopping Center sits nearly tenantless, its vast, empty parking lot a reminder of all the spending power there’s not in Ville Platte. This May, an article in USA Today declared the town the poorest in Louisiana. Its median household income is about $18,700, compared with roughly $59,000 for the U.S. as a whole.

Ville Platte doesn’t have an organized civil rights community or a legal aid group to investigate policing practices, or any money to fund them. Local criminal defense attorneys might be expected to raise legal challenges to investigative holds, but they, too, thought a person could be held without probable cause for up to 72 hours, former Justice Department officials told me.

Some scoff at the notion that the problem was ignorance alone. There has always been an element within the local law enforcement apparatus, particularly in its upper ranks, that didn’t care what courts and statutes required, say five current and former local law enforcement officials. For that set, the guiding principle was convenience. “We call it the Sovereign State of Evangeline,” one parish resident told me. “Our officials don’t follow the law. They make their own law, and we have to follow it.”

In fact, those officials even flouted their own mistaken view of the law: the 72 hours they believed to be the legal limit on holds. The Justice Department documented “several dozen investigative holds” at the Ville Platte Police Department that “extended for at least a full week.”

In 2014, attorneys at the Justice Department’s Civil Rights Division, which handles police reform cases, received a call from an FBI agent named Steve Krueger. Krueger had been assisting a murder investigation in Ville Platte when he’d learned about investigative holds. The FBI agent had been shocked by the patent illegality of the practice, people familiar with the episode said. He met with Lartigue and his detectives to explain that the holds were unconstitutional. The police chief shrugged off Krueger’s entreaties, according to the Justice Department’s 2016 report.

Krueger saw firsthand the harm investigative holds did to public safety in Ville Platte. People with information about his murder case had proved uncommonly hesitant to talk to him, he told colleagues. Citizens worried about getting thrown in jail if the police thought they knew anything of value. As the Justice Department’s report put it, decades of arbitrary detention had bred “deep community mistrust and fear of law enforcement.”

Police reform cases rely primarily on a Clinton-era law that Civil Rights Division attorneys often call 14141, for its original designation in the U.S. Code. The law empowers the Justice Department to investigate and sue law enforcement agencies when they “engage in a pattern or practice of conduct” that deprives people of their civil rights.

In 2009, Tom Perez took the helm at the Civil Rights Division and began to breathe new life into 14141, several former Justice Department officials say. (Perez is now chairman of the Democratic National Committee.) The Bush administration had largely sidelined police reform, favoring out-of-court settlement agreements when they entered into agreements at all. The federal government, Bush said, shouldn’t be “a separate internal affairs division.”

After studying earlier cases, Perez’s team became convinced that a court-enforceable consent decree was far more likely to produce meaningful change in most instances. Given the time reform can take, “you need to have a sustained effort, and that needs to be supported and backed up by a judge, a federal judge who’s got the authority to force people to comply with their obligations,” said Jonathan Smith, who led the section that handles police reform from 2010 to 2015.

A consent decree contains a set of institutional changes a police department has agreed to make, after negotiations with the Justice Department. A judge approves the agreement and oversees the reform process, usually assisted by an independent monitoring team. Intransigent police officials risk being held in contempt of court or even prosecuted. The judge lifts the consent decree only after the department has restructured its practices and ended its abuses. This typically occurs several years after the decree was put in place.

A growing (albeit not unanimous) body of empirical evidence suggests consent decrees measurably improve police practices. But nobody argues they’re a panacea. “Consent decrees don’t turn departments into A+ departments,” said Christy Lopez, the supervisor for the Civil Rights Division’s police-reform attorneys during the Obama administration. But, she added, “if, after a consent decree, a department is still a C-, it sure makes a big difference for the people who were living with an F department.”

Perez and his successor, Vanita Gupta, had an ambitious vision for what 14141 could achieve. They targeted common types of police misconduct and designed consent decrees to be templates for reform at other departments. “They became models for a set of best practices across the field,” Gupta told me. Another innovation was bringing local communities into the reform process. It was their rights police had violated, and they would be the ones to hold police accountable after a consent decree was lifted.

By the time Krueger placed his call to Washington, in 2014, the small group of attorneys handling 14141 cases had their hands full. In all, the Obama Justice Department would enter into 14 consent decrees, more than twice as many as the Bush and Clinton administrations combined.

But Ville Platte struck supervisors as worth the time commitment. Moving law enforcement there away from investigative holds — an egregious example of a fairly widespread policing practice — could guide improvements at other police forces that used such tactics.

Lawyers at the Civil Rights Division had received reports of similar practices throughout Louisiana, Mississippi and Alabama, as well as parts of Florida. “The problem in Ville Platte is very common throughout the South,” Smith said. Indeed, court records showed the problem extended across the U.S., from Texas to Michigan and Georgia to Montana. “You would constantly see judges dropping footnotes: ‘I’m not really sure about the constitutionality of this practice, but nobody raised it,’” a former Justice Department official told me. “So, we need to raise it.”

In April 2015, the Justice Department announced an investigation into whether the use of investigative holds in Ville Platte amounted to a pattern or practice of unconstitutional police conduct. In the meantime, the FBI’s Krueger had continued to examine policing practices in the town.

In response to the attention from the FBI, Lartigue told me, he told his officers and detectives that they couldn’t use investigative holds any longer. Instead, there was a new procedure: Before they booked anybody, they needed to write up a statement of probable cause, have it notarized and prepare it to be sent to a judge. In December 2014, the Police Department began to require that its detectives and officers become notaries public. That, Lartigue said, would reduce the time it took after an arrest to get a statement of probable cause notarized and sent to a judge for review. “That was our only issue — the holds — and we quickly, swiftly got rid of it,” he told me. (The Sheriff’s Office instituted similar changes.)

But what Justice Department attorneys found over the next 20 months indicated that serious problems remained. Local detectives still maintained that all they needed to jail somebody was a “hunch,” a “gut instinct” or “a pretty good feeling” that a person knew something about a crime.

Many less senior members of the Ville Platte Police Department acknowledged to Justice Department attorneys that they knew little about proper police procedure. “You haven’t had anybody tell you the right way to do things,” said Jonathon Sparks, a former officer who began working at the Ville Platte Police Department in 2009, when he was 19. “It was only later in life I realized these people’s civil rights were being violated.”

There were no beds, toilets, or running water in Ville Platte’s jail cells. Cut off from the outside world, a person on hold spent nights sleeping on a metal bench or on the concrete floor. A woman named Shawana Deville told the attorneys from Washington about the time police had held her overnight as a potential witness to a shooting. Jail guards ordered her to remove her tampon, and she spent the night sleeping on the floor without one. Lartigue confirmed her detention to Justice Department officials. “I just cried the whole time,” Deville would later tell a local television station.

Deville is white, but the vast majority of people put on hold were black, former Justice Department officials told me. It wasn’t a simple story of racist white cops, though. Two thirds of Ville Platte’s residents are black, and the local power structure has given ground in recent years to black officials, including the mayor and Lartigue.

But that hasn’t uprooted the old dynamic between power and race. “When we were growing up, there was nothing but white cops, and we thought it was bad,” one black Ville Platte resident, Raymond Anderson, told me. “But when the blacks came in, that didn’t make it easier.” (Anderson’s son is in prison — wrongfully, Anderson contends — for the murder that led police to hold Deville.)

Local residents, as Krueger had seen, feared what law enforcement would do to them if they spoke out. Nevertheless, at a community meeting in September 2015, about 150 people turned up to share their experiences with the Justice Department attorneys. “When you speak up, you are looked at as a trouble maker,” one of them told a local reporter after the meeting. But optimism overcame fear of police retaliation. If they shared their stories, the Justice Department might bring its power and resources to bear on police misconduct in Ville Platte.

As the investigation proceeded, Lartigue told me, he made a few more changes aimed at satisfying the Justice Department — “very few,” he added, to underscore his view that he’d already done all he needed to do. In March 2016, the Police Department revised its policy manual to prohibit detaining witnesses. “Unfortunately,” the policy stated, though the practice is “convenient and effective,” it “can result in civil liability.”

Despite such steps, the legal peril for law enforcement in Ville Platte seemed to be rising as 2016 progressed. The feds weren’t the only ones circling; Louisiana state prosecutors had begun their own investigation. Krueger had retired from the FBI in 2015 — and promptly teamed up with the Louisiana State Inspector General, people familiar with the case said. They eventually brought a case to Jeff Landry, the state’s newly elected attorney general. Landry agreed to open a criminal investigation, with assistance from the FBI, into unlawful detention in Ville Platte.

In mid-November 2016, Donald Trump announced that he would nominate Sessions to be his attorney general. The choice didn’t bode well for the Justice Department’s plans in Ville Platte. As a senator, Sessions had made no secret of his antipathy for consent decrees and Obama-era police reform. Critics argued that the Justice Department deployed them too aggressively.

Sessions’ concern, however, wasn’t that police reform by consent decree was overused or ineffective. His problem was with the very premise. He saw consent decrees as unconstitutional federal intrusions into state and local affairs. They “undermine the respect for police officers,” he testified at his January 2017 confirmation hearing, “and create an impression that the entire department is not doing their work consistent with fidelity to law and fairness.”

In its December 2016 report, the Justice Department laid out the changes it anticipated requiring of the Ville Platte Police Department and Evangeline Parish Sheriff’s Office: They would need to overhaul policies, training procedures, recordkeeping systems and internal accountability mechanisms. The plan was to implement those reforms through a consent decree, former Justice Department officials said, and in early March 2017, Civil Rights Division attorneys traveled to Ville Platte to discuss reforms with community members and local officials.

But on March 31, Sessions issued what many lawyers for the Justice Department saw as the coup de grâce to its police reform efforts. “It is not the responsibility of the federal government to manage non-federal law enforcement agencies,” the attorney general wrote in an agency-wide memorandum, which ordered a review of contemplated consent decrees. He expanded on his thinking in an Op-Ed in USA Today: “We will not sign consent decrees for political expediency that will cost more lives by handcuffing the police instead of the criminals.”

In April 2017, the Justice Department made its first endeavor to translate policy into practice — an 11th-hour attempt to scuttle a consent decree with Baltimore’s embattled police department. A judge in Maryland swatted it away. Meanwhile, in Ville Platte, the Justice Department went silent.

In an interview with a local newspaper right after the Justice Department report was issued, Lartigue compared investigative holds to an old family recipe for boudin sausage. He meant to highlight the lost provenance of the practice. But the analogy was apt in another sense, too. In Ville Platte, the police were used to making their sausage in particular ways, and they wouldn’t be easy to give up. Even townspeople who’d suffered under the holds saw them as a kind of local custom. “Dat just how dey do,” was the refrain I heard, in patois laced with resignation.

In one sense, Lartigue was right that law enforcement in Ville Platte had stopped using investigative holds. There was no longer an open policy of jailing local residents without probable cause. But that didn’t mean local law enforcement had stopped using arbitrary arrest and detention. They hadn’t. As one law enforcement official in Ville Platte put it, “They’re just finding another way.” (“It’s very common,” a former Justice Department official told me, to see unlawful policing practices, in the face of federal scrutiny, “simply morph and take on new forms that are harder to ferret out.”)

On May 15, 2017, Robert Wilson and three friends walked into the Ville Platte police station, a squat, salmon-colored bunker that sits just behind City Hall, at the center of town. Three weeks earlier, a stray bullet had killed a bystander down the street from a housing project where Wilson — who is 22 and goes by his middle name, Marquez — and several friends had been whiling away a Sunday evening. A couple days after the shooting, Marquez’s 19-year-old brother, Tieberrious, was arrested on murder charges.

Now, Marquez had gotten word that detectives wanted to talk to him. At the police station, Marquez was ushered into the office of the chief detective, Steve Deville. A heavyset man with a dark goatee and a low, soft drawl, Deville turned on a tape recorder and asked Marquez to sign a form to confirm he understood his Miranda rights. Marquez panicked when he saw where Deville was asking him to sign. “Why you — why you got it as ‘suspect’?” he asked Deville. “I’m a suspect?” Deville assured him that was just how the form is designed.

Marquez walked Deville through what had happened the night of the shooting, according to a police transcript of the interview. His account largely lined up with what Tieberrious had told detectives the previous month. Marquez had gotten into an argument on the street with a contemporary of his named Santiago Thomas. Afterward, Marquez, Tieberrious, and their companions had gone to a friend’s house to avoid further conflict. Ten or fifteen minutes later, they heard gunshots and ran outside to see Thomas’ car careening down the street.

Deville wasn’t buying it. “I’m not saying that you are lying,” he told Marquez. “But if you are, I want to just explain something to you, okay? If you are, then there’s nothing that we can do to help later on.” Marquez insisted he was telling the truth.

After 14 minutes, Deville turned off his tape recorder. But, according to Marquez, the interrogation didn’t end: “If you lie to me again, I’m going to lock you up,” Deville told him. Marquez again insisted that he wasn’t lying. “All right,” Deville said. “We’re gonna see if you’re lying.”

Deville led him to a holding cell. “I was terrified,” Marquez told me. Deville said he’d find out soon enough if Marquez’s story matched the recollections of the friends who’d come with him to the police station. Marquez took a seat on a metal bench and waited. He’d grown up in Beaumont, Texas, and he wasn’t used to how the police operated in Ville Platte. He’d never been to jail before, he told me.

When I later reached Deville by phone, he denied having put Marquez in a jail cell. “After he gave us the recorded statement, we walked him straight back to the front lobby, where he waited for everybody to finish, and they left together,” Deville told me. But the friends who accompanied Marquez to the station house that day recall things differently. One of them, Ebony Soileau, said she doesn’t remember seeing Marquez after he went to be interviewed, and Marquez later told another friend, Shawn Thomas, that “they had him in the back,” Thomas said, a reference to the police station’s jail.

Marquez didn’t know this, but Deville had a reason to lean on him. The detective had next to no evidence against Tieberrious. In three weeks — with a woman dead, Tieberrious in jail and memories growing no sharper — police had collected statements from only two witnesses, according to Deville’s official summary of his investigation. Neither witness had seen Tieberrious fire a gun.

Two hours later, Marquez told me, Deville opened the cell door. Deville had interviewed his friends. His story checked out. He was free to go.

This, three former Ville Platte police officials told me, is one of the tactics that has come to replace investigative holds at the police department. In this case the hold is unofficial and it’s shorter, rarely lasting more than a day. “They would bring them in and make the person think they’re being arrested,” one of the former police officials said. The detainee was never actually booked into the jail, and the absence of a paper trail made it harder to prove that somebody had been illegally detained.

“The longer-term holds — the overnight holds — stopped by 2016,” Jonathon Sparks, one of the former officers, said. After leaving the Ville Platte Police Department in late 2009 and working at other law-enforcement agencies in southwestern Louisiana, he’d returned in 2016, hoping to find that things had changed. They hadn’t, and he left after a few months. “They were still bringing people in during the day,” Sparks said. “They were very much holding them with no charges and no warrants — just smoke and mirrors.” The tactic remained in regular use for several months after the Justice Department issued its report, said another former officer, Natosha Murphy, who worked at the Police Department until summer 2017.

Lartigue disputed these accounts. “That never happened,” he said. (Murphy is suing Lartigue and the department, alleging she was forced to resign after she contacted state and federal authorities to reveal illegal conduct at the department.)

Often, Murphy and Sparks told me, detectives hold their quarries in the station house breakroom, where the surveillance cameras don’t work. Sometimes, as Marquez learned firsthand, detectives transfer them to a jail cell for a few hours to scare them into talking.

To compel reluctant Ville Platte residents to go with police to the station house — without actually arresting them — detectives developed a separate set of dubious tactics. “You say you’re going to arrest them for interfering with an investigation for not talking or you say, ‘We have a warrant on you,’” Murphy told me. “Ninety percent of the time, there’s no warrant.” (Courts let police lie about a lot of things but not about having a warrant.) When I asked Deville, the chief detective, about this practice, he was silent.

At times, police took this method a step further. When a detective didn’t have enough evidence to get a judge to approve an arrest, the three former Ville Platte police officials said, the detective filled out a probable cause affidavit and got another officer to notarize it, but never forwarded it to a judge. To the untrained eye, a notarized affidavit could pass for an arrest warrant. Other times, detectives would flash an official-looking document that had nothing to do with the case. “They’d show it to suspects, pretending it was a warrant,” Murphy told me. “A lot of people can’t read or write.”

When I asked him about notarized affidavits doubling as ersatz warrants, Lartigue grew uncharacteristically animated. “No,” he insisted. “That’s a blatant lie. I guarantee you that’s not the case. No.” Three former Ville Platte police officials, including Murphy and Sparks, told me Lartigue was aware of the practices they described. Those who refused to take part, they said, were threatened with professional reprisal.

Sometimes, instead of faking warrants, detectives faked their way to real warrants. The trick was to write — but never issue — a ticket or citation for a fabricated infraction in the name of whomever a detective wanted to talk to, the three former Ville Platte police officials told me. Detectives could get an arrest warrant on the basis of the un-issued ticket. A popular choice of infraction was fleeing from the police, Murphy and Sparks told me. “The person might not have been doing anything. They might have been at their house,” Sparks said. Lartigue denied the existence of this practice, too. Deville hung up on me when I asked him about it.

By the time Lartigue and I spoke in late February, he hadn’t heard from the Justice Department in nearly a year. He figured that meant the feds were satisfied with what they’d seen when they visited a year earlier. He maintained that he’d gotten his department right with the law a long time ago. “We corrected it, and we’re sticking to it,” he said. “We’re still operating like we were.”

In Washington, meanwhile, Sessions and his team continued to dismantle the Justice Department’s police-reform programs. During the summer of 2017, they achieved in Chicago what they’d failed to accomplish in Baltimore: stop a consent-decree process initiated by the previous administration.

Despite Sessions’ explicit opposition to consent decrees, attorneys in the Civil Rights Division felt strongly enough about the problems in Ville Platte, according to a Justice Department official, that they drafted a consent decree. Their bosses rejected it.

The Evangeline Parish Sheriff’s Office assists the police in Ville Platte, but it chiefly patrols the further-flung parts of the parish, outside its towns. The consensus among residents and those who’ve seen local law enforcement from the inside is that it’s less prone to arbitrary detention than the Ville Platte Police Department. The Justice Department’s report bears that out: It documented about 200 investigative holds at the Sheriff’s Office from 2012 to 2014, compared with about 700 at the Police Department.

Still, unlawful detentions have persisted at the Sheriff’s Office. Detectives and deputies have adapted to the Justice Department probe by holding people by the roadside instead of in the jailhouse, a law enforcement official in Ville Platte told me. “To protect themselves, they strong-arm people on the street,” the official said. It’s relatively easy to avoid documenting a catch-and-release-style street stop.

One Saturday in mid-February, Leeann Fontenot witnessed a friend steal a truck. Later that night, she offered to give a statement to deputies from the Evangeline Parish Sheriff’s Office, but they weren’t interested, she told me a few days later.

Fontenot drifts between the homes of friends and relatives. “I’m actually homeless,” she told me. Her warbling Cajun accent betrays hints of a hard Texan “r,” the result of a childhood crisscrossing Texas and Louisiana with her mother. Several run-ins with the law have made it difficult to find steady work, she says. When we spoke, she was staying at a house just outside Ville Platte. Rusted gardening implements and propane tanks cluttered the front porch. Two metal crosses and what looked like part of an animal skull hung beside the front door.

By Sunday evening — the day after the truck theft — the sheriff’s deputies had seemingly changed their minds. Fontenot and a friend had just pulled into the driveway of another house where she sometimes stayed when her friend’s pickup truck filled with pulsing light. Two deputies ordered Fontenot and her friend, Jeff Fontenot, out of the truck. (The pair aren’t related; the surname Fontenot is to Ville Platte what Smith is to the rest of the country.)

One of the deputies took her aside. Fontenot is 26, but she looks a decade younger; she’s barely 5 feet tall and slight. The deputy handcuffed her nevertheless. “Where’s the truck?” he asked. Fontenot said she didn’t know.

As the deputy began searching her pockets, Fontenot says she asked him to stop and call a female officer, but the plea went unheeded. She wasn’t wearing a belt, and as the deputy shoved his hands into her pockets, she told me, her shorts began to slide down her thigh. When she asked the deputy to pull them back up, he told her to wait. The deputy went through her cell phone, Fontenot says, without her permission. (Under a 2013 Supreme Court decision, police need a warrant or permission for such a search.)

Fontenot was perplexed. The deputy, whose name she didn’t catch, had seen her the night before. “Why y’all doing all this?” she asked. “Y’all saw me last night.” The deputy called her a liar. “It happens all the time,” Fontenot told me later — law enforcement stopping her on the street for no reason other than to press her for information.

In the meantime, the other sheriff’s deputy, Eric Frugé, had taken Jeff behind his police cruiser. Frugé patted him down but didn’t cuff him. When the deputy searched Jeff’s truck, he found a small amount of marijuana. Fontenot admitted it was hers.

The deputies ordered her to come in the following morning, a Monday, and tell them where the stolen truck was. Otherwise, they’d charge her with marijuana possession and grand theft auto. The second charge confused her; it was her friend who’d stolen the truck. (Jeff corroborated key details of Fontenot’s account but was standing a squad car’s length away from her, so he didn’t know whether the deputy had searched Fontenot’s phone or threatened to charge her. The Sheriff’s Office did not respond to a detailed set of questions. In response to questions sent to Frugé via Facebook, the deputy responded with an emoji of an angry face.)

Fontenot didn’t go to the sheriff’s office that Monday. She didn’t know where the truck was, but more to the point, she was afraid of what might happen to her. She’d been subjected to an investigative hold before, she told me. “I don’t want them to put me on another hold.”

On Feb. 27, 2018, after nearly a year of silence, a lawyer from the Justice Department’s Civil Rights Division sent an email to Eric LaFleur, a powerful state senator who moonlights as the Ville Platte city attorney. The Justice Department, the attorney wrote, had “prepared a proposal to address the findings” in its December 2016 report.

Arthur Sampson, arguably the only civil rights activist in Ville Platte, had been a key community liaison. But he was caught by surprise when I told him I’d learned Justice Department attorneys were coming to town in March. The Trump administration had eliminated from the discussions the local community whose rights its police-reform work was meant to protect. “How can they know what we need when they’re not meeting with the community?” Sampson said. (A Civil Rights Division official said community input obtained earlier in the process “played an important role.”)

It wasn’t initially a happy moment for local officials, either. I called Lartigue in March to ask about the negotiations. “You’ll have to ask the Justice Department,” he said curtly, before hanging up on me.

The tenor would soon change. When I spoke with LaFleur a couple of weeks later, he was evasive about the details of the agreement. But he chuckled and said: “We’re happy with what they’re recommending.”

By June 4, it was official: There would be no consent decree and no federal judge to ensure compliance. Instead, the Justice Department announced a pair of out-of-court settlement agreements with the Ville Platte Police Department and the Evangeline Parish Sheriff’s Office.

“This is a way to basically allow these departments to go forward just as they were before,” said Roy Austin, who oversaw the department’s police-reform docket from 2010 to 2014. Austin was troubled by the lack of a local independent monitor, a regular feature of Obama-era reform agreements. Combined with the lack of judicial oversight, that meant “there’s no one to hold them accountable in any formal way,” Austin said. “It’s very hard to hide things from a true monitoring team, as compared to hiding things from someone who can’t be there all the time.”

The Justice Department disagreed, calling the agreements “stringent.” “The Justice Department monitors and assesses the compliance” of the Police Department and Sheriff’s Office “on a basis similar to an independent monitor team, and reserves the right to take appropriate legal action if we determine that both parties are not in substantial compliance or have not worked in good faith to achieve substantial compliance,” Justice Department spokesperson Kelly Laco said. Laco did not explain what led the department to reject the recommendation of the attorneys working on the case to implement a consent decree.

The Justice Department will superintend reforms from 1,000 miles away in Washington. The difficulty isn’t just distance. Even in the best of circumstances, “these cases are really time intensive and very difficult to do,” Austin said. These weren’t the best of circumstances. The Civil Rights Division’s police-reform group has lost a quarter of its staff attorneys during the Trump administration, and those who remain have told former colleagues they’ve grown more deferential in their dealings with local law enforcement. They don’t believe the political leadership will back them if disputes arise.

The settlement terms themselves mostly retained only a faint outline of what past agreements would have required. For example, there was a section called “Community Engagement,” which in earlier agreements contained detailed requirements for improving and monitoring police-community relations, sometimes even obligating cities to establish civilian oversight bodies. In the Ville Platte agreements, the section consisted of a single short paragraph calling for a “public education effort.” What does that mean in practice? In early August came the apparent answer: The Police Department held its first “Police and Community Together Fun Day,” an event advertised as featuring face painting, a dunking booth and “LoLo the Clown.”

The “outcome assessments” that determine when the agreements are satisfied — usually carried out by an independent monitor under a consent decree — are now self-assessments. “The city is coming up with the metrics, measuring its own compliance with the metrics, and then the parties are deciding on that basis whether the police get out of the agreement,” a former Justice Department official said. “It undermines the whole purpose of the agreement.”

Lartigue seemed content with the settlement. As he told a local publication, it amounts to “just a few more documents.” Indeed, the types of reforms the agreements emphasize — “clear policy guidance”; “thorough documentation” of arrests, detentions and interrogations; “supervisory oversight” — amount to just a few more documents if nobody’s making sure they amount to more than that.

Policy, for example, is easily flouted. What happened to Leeann Fontenot, Bobby Lewis and Marquez Wilson was already forbidden by policy. It happened anyway. (This year, after a judge ordered Marquez’s brother released from jail for lack of evidence, prosecutors charged Marquez in his place. He has pleaded not guilty, and it’s unclear whether the evidence is any less shaky this time around.) And supervisory oversight is of dubious value if the supervisors themselves — the detectives — are the chief perpetrators of the misconduct.

The settlement agreements did change at least one thing in Ville Platte: They raised the likelihood that no police official will be held individually accountable for illegally detaining the town’s citizens. For more than two years, the Louisiana attorney general’s office and the FBI had been collecting evidence of criminal wrongdoing by officials at the Ville Platte Police Department, according to several people familiar with the case. “Their file is like this,” said one person who had spoken repeatedly with investigators, gesturing to indicate a stack of documents a foot high.

All of that fizzled after the Justice Department unveiled its deal. The press release announcing the agreements lauded police officials: they had “cooperated fully throughout this matter, and we are eager to continue to work together,” it read. Investigators saw the agreement as lenient, according to people who have spoken with them.

The Louisiana attorney general’s office felt it was untenable to recommend the indictment of officials at a police department the Justice Department had publicly praised and, in the view of investigators, had let off the hook with a lax settlement agreement. That, two people familiar with the decision say, led the office to conclude that it had to close the criminal investigation. (The attorney general’s office and FBI declined to comment. The Justice Department’s Laco said the agreement “does not in any way preclude or prevent any law enforcement agency from taking criminal action against an individual under any other law.”)

In Ville Platte, as news of the agreements spread, a familiar fatalism settled on the town. Residents had taken risks sharing their stories because the federal government had promised change. Nobody from the Justice Department had come to explain what the agreements purported to do — another past practice jettisoned — but locals had a pretty good idea that the federal government wasn’t living up to its side of the bargain. After talk of a lawsuit and a federal judge, they got watered-down agreements brokered in secret. “A lot of people stuck their necks out on the promise that the Justice Department was going to do something and that change was coming,” said a former official there who had been involved in the case. “And then they didn’t do anything — they soft-shoed it instead.”

ProPublica is a Pulitzer Prize-winning investigative newsroom.