165 posts categorized "Internet Access" Feed

Cloud Services Security Vendor Disclosed a 'Security Incident'

Imperva logo Imperva, a cloud-services security company, announced on Tuesday a data breach involving its Cloud Web Application Firewall (WAF) product, formerly known as Incapsula. The August 27th announcement stated:

"... this data exposure is limited to our Cloud WAF product. Here is what we know about the situation today: 1) On August 20, 2019, we learned from a third party of a data exposure that impacts a subset of customers of our Cloud WAF product who had accounts through September 15, 2017; 2) Elements of our Incapsula customer database through September 15, 2017 were exposed. These included: email addresses, hashed and salted passwords; 3) And for a subset of the Incapsula customers through September 15, 2017: API keys and customer-provided SSL certificates..."

Imperva provides firewall and security services to block cyberattacks by bad actors. These security services protect the information its clients (and clients' customers) store in cloud-storage databases. The home page of Imperva's site promotes the following clients: AARP, General Electric, Siemens, Xoom (A PayPal service), and Zillow. Many consumers use these clients' sites and service to store sensitive personal and payment information.

Imperva has informed the appropriate global regulatory agencies, hired forensic experts to help with the breach investigation, reset affected clients' passwords, and is informing affected clients. Security experts quickly weighed in about the data breach. The Krebs On Security blog reported:

"Rich Mogull, founder and vice president of product at Kansas City-based cloud security firm DisruptOps, said Imperva is among the top three Web-based firewall providers... an attacker in possession of a customer’s API keys and SSL certificates could use that access to significantly undermine the security of traffic flowing to and from a customer’s various Web sites. At a minimum, he said, an attacker in possession of these key assets could reduce the security of the WAF settings... A worst-case scenario could allow an attacker to intercept, view or modify traffic destined for an Incapsula client Web site, and even to divert all traffic for that site to or through a site owned by the attacker."

So, this breach and the data elements accessed by hackers were serious. It is another example indicating that hackers are persistent and attack where the money is.

Security experts said the cause of the breach is not yet known. Imperva is based in Redwood Shores, California.


Google Claims Blocking Cookies Is Bad For Privacy. Researchers: Nope. That Is 'Privacy Gaslighting'

Google logo The announcement by Google last week included some dubious claims, which received a fair amount of attention among privacy experts. First, a Senior Product Manager of User Privacy and Trust wrote in a post:

"Ads play a major role in sustaining the free and open web. They underwrite the great content and services that people enjoy... But the ad-supported web is at risk if digital advertising practices don’t evolve to reflect people’s changing expectations around how data is collected and used. The mission is clear: we need to ensure that people all around the world can continue to access ad supported content on the web while also feeling confident that their privacy is protected. As we shared in May, we believe the path to making this happen is also clear: increase transparency into how digital advertising works, offer users additional controls, and ensure that people’s choices about the use of their data are respected."

Okay, that is a fair assessment of today's internet. And, more transparency is good. Google executives are entitled to their opinions. The post also stated:

"The web ecosystem is complex... We’ve seen that approaches that don’t account for the whole ecosystem—or that aren’t supported by the whole ecosystem—will not succeed. For example, efforts by individual browsers to block cookies used for ads personalization without suitable, broadly accepted alternatives have fallen down on two accounts. First, blocking cookies materially reduces publisher revenue... Second, broad cookie restrictions have led some industry participants to use workarounds like fingerprinting, an opaque tracking technique that bypasses user choice and doesn’t allow reasonable transparency or control. Adoption of such workarounds represents a step back for user privacy, not a step forward."

So, Google claims that blocking cookies is bad for privacy. With a statement like that, the "User Privacy and Trust" title seems like an oxymoron. Maybe, that's the best one can expect from a company that gets 87 percent of its revenues from advertising.

Also on August 22nd, the Director of Chrome Engineering repeated this claim and proposed new internet privacy standards (bold emphasis added):

... we are announcing a new initiative to develop a set of open standards to fundamentally enhance privacy on the web. We’re calling this a Privacy Sandbox. Technology that publishers and advertisers use to make advertising even more relevant to people is now being used far beyond its original design intent... some other browsers have attempted to address this problem, but without an agreed upon set of standards, attempts to improve user privacy are having unintended consequences. First, large scale blocking of cookies undermine people’s privacy by encouraging opaque techniques such as fingerprinting. With fingerprinting, developers have found ways to use tiny bits of information that vary between users, such as what device they have or what fonts they have installed to generate a unique identifier which can then be used to match a user across websites. Unlike cookies, users cannot clear their fingerprint, and therefore cannot control how their information is collected... Second, blocking cookies without another way to deliver relevant ads significantly reduces publishers’ primary means of funding, which jeopardizes the future of the vibrant web..."

Yes, fingerprinting is a nasty, privacy-busting technology. No argument with that. But, blocking cookies is bad for privacy? Really? Come on, let's be honest.

This dubious claim ignores corporate responsibility... that some advertisers and website operators made choices -- conscious decisions to use more invasive technologies like fingerprinting to do an end-run around users' needs, desires, and actions to regain online privacy. Sites and advertisers made those invasive-tech choices when other options were available, such as using subscription services to pay for their content.

Plus, Google's claim also ignores the push by corporate internet service providers (ISPs) which resulted in the repeal of online privacy protections for consumers thanks to a compliant, GOP-led Federal Communications Commission (FCC), which seems happy to tilt the playing field further towards corporations and against consumers. So, users are simply trying to regain online privacy.

During the past few years, both privacy-friendly web browsers (e.g., Brave, Firefox) and search engines (e.g., DuckDuckGo) have emerged to meet consumers' online privacy needs. (Well, it's not only consumers that need online privacy. Attorneys and businesses need it, too, to protect their intellectual property and proprietary business methods.) Online users demanded choice, something advertisers need to remember and value.

Privacy experts weighed in about Google's blocking-cookies-is-bad-for-privacy claim. Jonathan Mayer and Arvind Narayanan explained:

That’s the new disingenuous argument from Google, trying to justify why Chrome is so far behind Safari and Firefox in offering privacy protections. As researchers who have spent over a decade studying web tracking and online advertising, we want to set the record straight. Our high-level points are: 1) Cookie blocking does not undermine web privacy. Google’s claim to the contrary is privacy gaslighting; 2) There is little trustworthy evidence on the comparative value of tracking-based advertising; 3) Google has not devised an innovative way to balance privacy and advertising; it is latching onto prior approaches that it previously disclaimed as impractical; and 4) Google is attempting a punt to the web standardization process, which will at best result in years of delay."

The researchers debunked Google's claim with more details:

"Google is trying to thread a needle here, implying that some level of tracking is consistent with both the original design intent for web technology and user privacy expectations. Neither is true. If the benchmark is original design intent, let’s be clear: cookies were not supposed to enable third-party tracking, and browsers were supposed to block third-party cookies. We know this because the authors of the original cookie technical specification said so (RFC 2109, Section 4.3.5). Similarly, if the benchmark is user privacy expectations, let’s be clear: study after study has demonstrated that users don’t understand and don’t want the pervasive web tracking that occurs today."

Moreover:

"... there are several things wrong with Google’s argument. First, while fingerprinting is indeed a privacy invasion, that’s an argument for taking additional steps to protect users from it, rather than throwing up our hands in the air. Indeed, Apple and Mozilla have already taken steps to mitigate fingerprinting, and they are continuing to develop anti-fingerprinting protections. Second, protecting consumer privacy is not like protecting security—just because a clever circumvention is technically possible does not mean it will be widely deployed. Firms face immense reputational and legal pressures against circumventing cookie blocking. Google’s own privacy fumble in 2012 offers a perfect illustration of our point: Google implemented a workaround for Safari’s cookie blocking; it was spotted (in part by one of us), and it had to settle enforcement actions with the Federal Trade Commission and state attorneys general."

Gaslighting, indeed. Online privacy is important. So, too, are consumers' choices and desires. Thanks to Mr. Mayer and Mr. Narayanan for the comprehensive response.

What are your opinions of cookie blocking? Of Google's claims?


ExpressVPN Survey Indicates Americans Care About Privacy. Some Have Already Taken Action

ExpressVPN published the results of its privacy survey. The survey, commissioned by ExpressVPN and conducted by Propeller Insights, included a representative sample of about 1,000 adults in the United States.

Overall, 29.3% of survey respondents said they already use had used a virtual private network (VPN) or a proxy network. Survey respondents cited three broad reasons for using a VPN service: 1) to avoid surveillance, 2) to access content, and 3) to stay safe online. Detailed survey results about surveillance concerns:

"The most popular reasons to use a VPN are related to surveillance, with 41.7% of respondents aiming to protect against sites seeing their IP, 26.4% to prevent their internet service provider (ISP) from gathering information, and 16.6% to shield against their local government."

Who performs the surveillance matters to consumers. People are more concerned with surveillance by companies than by law enforcement agencies within the U.S. government:

"Among the respondents, 15.9% say they fear the FBI surveillance, and only 6.4% fear the NSA spying on them. People are by far most worried about information gathering by ISPs (23.2%) and Facebook (20.5%). Google spying is more of a worry for people (5.9%) than snooping by employers (2.6%) or family members (5.1%).

Concerns with internet service providers (ISPs) are not surprising since these telecommunications company enjoy a unique position enabling them to track all online activities by consumers. Concerns about Facebook are not surprising since it tracks both users and non-users, similar to advertising networks. The "protect against sites seeing their IP" suggests that consumers, or at least VPN users, want to protect themselves and their devices against advertisers, advertising networks, and privacy-busting mobile apps which track their geo-location.

Detailed survey results about content access concerns:

"... 26.7% use [a VPN service] to access their corporate or academic network, 19.9% to access content otherwise not available in their region, and 16.9% to circumvent censorship."

The survey also found that consumers generally trust their mobile devices:

" Only 30.5% of Android users are “not at all” or “not very” confident in their devices. iOS fares slightly better, with 27.4% of users expressing a lack of confidence."

The survey uncovered views about government intervention and policies:

"Net neutrality continues to be popular (70% more respondents support it rather then don’t), but 51.4% say they don’t know enough about it to form an opinion... 82.9% also believe Congress should enact laws to require tech companies to get permission before collecting personal data. Even more, 85.2% believe there should be fines for companies that lose users’ data, and 90.2% believe there should be further fines if the data is misused. Of the respondents, 47.4% believe Congress should go as far as breaking up Facebook and Google."

The survey found views about smart devices (e.g., door bells, voice assistants, smart speakers) installed in many consumers' homes, since these devices are equipped with always-on cameras and/or microphones:

"... 85% of survey respondents say they are extremely (24.7%), very (23.4%), or somewhat (28.0%) concerned about smart devices monitoring their personal habits... Almost a quarter (24.8%) of survey respondents do not own any smart devices at all, while almost as many (24.4%) always turn off their devices’ microphones if they are not using them. However, one-fifth (21.2%) say they always leave the microphone on. The numbers are similar for camera use..."

There are more statistics and findings in the entire survey report by ExpressVPN. I encourage everyone to read it.


Researcher Uncovers Several Browser Extensions That Track Users' Online Activity And Share Data

Many consumers use web browsers since websites contain full content and functionality, versus pieces of websites in mobile apps. A researcher has found that as many as four million consumers have been affected by browser extensions, the optional functionality for web browsers, which collected sensitive personal and financial information.

Ars Technica reported about DataSpii, the name of the online privacy issue:

"The term DataSpii was coined by Sam Jadali, the researcher who discovered—or more accurately re-discovered—the browser extension privacy issue. Jadali intended for the DataSpii name to capture the unseen collection of both internal corporate data and personally identifiable information (PII).... DataSpii begins with browser extensions—available mostly for Chrome but in more limited cases for Firefox as well—that, by Google's account, had as many as 4.1 million users. These extensions collected the URLs, webpage titles, and in some cases the embedded hyperlinks of every page that the browser user visited. Most of these collected Web histories were then published by a fee-based service called Nacho Analytics..."

At first glance, this may not sound important, but it is. Why? First, the data collected included the most sensitive and personal information:

"Home and business surveillance videos hosted on Nest and other security services; tax returns, billing invoices, business documents, and presentation slides posted to, or hosted on, Microsoft OneDrive, Intuit.com, and other online services; vehicle identification numbers of recently bought automobiles, along with the names and addresses of the buyers; patient names, the doctors they visited, and other details listed by DrChrono, a patient care cloud platform that contracts with medical services; travel itineraries hosted on Priceline, Booking.com, and airline websites; Facebook Messenger attachments..."

I'll bet you thought your Facebook Messenger stuff was truly private. Second, because:

"... the published URLs wouldn’t open a page unless the person following them supplied an account password or had access to the private network that hosted the content. But even in these cases, the combination of the full URL and the corresponding page name sometimes divulged sensitive internal information. DataSpii is known to have affected 50 companies..."

Ars Technica also reported:

"Principals with both Nacho Analytics and the browser extensions say that any data collection is strictly "opt in." They also insist that links are anonymized and scrubbed of sensitive data before being published. Ars, however, saw numerous cases where names, locations, and other sensitive data appeared directly in URLs, in page titles, or by clicking on the links. The privacy policies for the browser extensions do give fair warning that some sort of data collection will occur..."

So, the data collection may be legal, but is it ethical -- especially if the anonymization is partial? After the researcher's report went public, many of the suspect browser extensions were deleted from online stores. However, extensions already installed locally on users' browsers can still collect data:

"Beginning on July 3—about 24 hours after Jadali reported the data collection to Google—Fairshare Unlock, SpeakIt!, Hover Zoom, PanelMeasurement, Branded Surveys, and Panel Community Surveys were no longer available in the Chrome Web Store... While the notices say the extensions violate the Chrome Web Store policy, they make no mention of data collection nor of the publishing of data by Nacho Analytics. The toggle button in the bottom-right of the notice allows users to "force enable" the extension. Doing so causes browsing data to be collected just as it was before... In response to follow-up questions from Ars, a Google representative didn't explain why these technical changes failed to detect or prevent the data collection they were designed to stop... But removing an extension from an online marketplace doesn't necessarily stop the problems. Even after the removals of Super Zoom in February or March, Jadali said, code already installed by the Chrome and Firefox versions of the extension continued to collect visited URL information..."

Since browser developers haven't remotely disabled leaky browser extensions, the burden is on consumers. The Ars Technica report lists the leaky browser extensions by name. Since online stores can't seem to consistently police browser extensions for privacy compliance, again the burden falls upon consumers.

The bottom line: browser extensions can easily compromise your online privacy and security. That means like any other software, wise consumers: read independent online reviews first, read the developer's terms of use and privacy policy before installing the browser extension, and use a privacy-focused web browser.

Consumer Reports advises consumers to, a) install browser extensions only from companies you trust, and b) uninstall browser extensions you don't need nor use. For consumers that don't know how, the Consumer Reports article also lists step-by-step instructions to uninstall browser extensions in Google Chrome, Firefox, Safari, and Internet Explorer branded web browsers.


EFF Filed Lawsuit In California Against AT&T To Stop Sales Of Wireless Customers' Realtime Geolocations

The Electronic Frontier Foundation (EFF) announced on July 16th that it had filed:

"... a class action lawsuit on behalf of AT&T customers in California to stop the telecom giant and two data location aggregators from allowing numerous entities—including bounty hunters, car dealerships, landlords, and stalkers—to access wireless customers’ real-time locations without authorization. An investigation by Motherboard earlier this year revealed that any cellphone user’s precise, real-time location could be bought for just $300. The report showed that carriers, including AT&T, were making this data available to hundreds of third parties without first verifying that users had authorized such access. AT&T not only failed to obtain its customers’ express consent, making matters worse, it created an active marketplace that trades on its customers’ real-time location data..."

The lawsuit, Scott, et al. v. AT&T Inc., et al., was filed in the U.S. District Court of the Northern District of California. The suit seeks money damages and an injunction against AT&T and the named location data aggregators: LocationSmart and Zumigo. The suit alleges AT&T violated the Federal Communications Act and engaged in deceptive practices under California’s unfair competition law. It also alleges that AT&T, LocationSmart, and Zumigo have violated California’s constitutional, statutory, and common law rights to privacy. The EFF is represented by Pierce Bainbridge Beck Price & Hecht LLP.


Tech Expert Concluded Google Chrome Browser Operates A Lot Like Spy Software

Many consumers still use web browsers. Which are better for your online privacy? You may be interested in this analysis by a tech expert:

"... I've been investigating the secret life of my data, running experiments to see what technology really gets up to under the cover of privacy policies that nobody reads... My tests of Chrome vs. Firefox [browsers] unearthed a personal data caper of absurd proportions. In a week of Web surfing on my desktop, I discovered 11,189 requests for tracker "cookies" that Chrome would have ushered right onto my computer but were automatically blocked by Firefox... Chrome welcomed trackers even at websites you would think would be private. I watched Aetna and the Federal Student Aid website set cookies for Facebook and Google. They surreptitiously told the data giants every time I pulled up the insurance and loan service's log-in pages."

"And that's not the half of it. Look in the upper right corner of your Chrome browser. See a picture or a name in the circle? If so, you're logged in to the browser, and Google might be tapping into your Web activity to target ads. Don't recall signing in? I didn't, either. Chrome recently started doing that automatically when you use Gmail... I felt hoodwinked when Google quietly began signing Gmail users into Chrome last fall. Google says the Chrome shift didn't cause anybody's browsing history to be "synced" unless they specifically opted in — but I found mine was being sent to Google and don't recall ever asking for extra surveillance..."

Also:

"Google's product managers told me in an interview that Chrome prioritizes privacy choices and controls, and they're working on new ones for cookies. But they also said they have to get the right balance with a "healthy Web ecosystem" (read: ad business). Firefox's product managers told me they don't see privacy as an "option" relegated to controls. They've launched a war on surveillance, starting last month with "enhanced tracking protection" that blocks nosy cookies by default on new Firefox installations..."

This tech expert concluded:

"It turns out, having the world's biggest advertising company make the most popular Web browser was about as smart as letting kids run a candy shop. It made me decide to ditch Chrome for a new version of nonprofit Mozilla's Firefox, which has default privacy protections. Switching involved less inconvenience than you might imagine."

Regular readers of this blog are aware of how Google tracks consumers online purchases, the worst mobile apps for privacy, and privacy alternatives such the Brave web browser, the DuckDuckGo search engine, virtual private network (VPN) software, and more. Yes, you can use the Firefox browser on your Apple iPhone. I do.

Me? I've used the Firefox browser since about 2010 on my (Windows) laptop, and the DuckDuckGo search engine since 2013. I stopped using Bing, Yahoo, and Google search engines in 2013. While Firefox installs with Google as the default search engine, you can easily switch it to DuckDuckGo. I did. I am very happy with the results.

Which web browser and search engine do you use? What do you do to protect your online privacy?


How Google Tracks All Of Your Online Purchases. Its Reasons Are Unclear

Google tracks all of your online purchases. How? ExpressVPN reported:

"Initially stumbled across by a CNBC reporter, a "Google Purchases" page keeps track of all digital receipts sent to your Gmail account from as far back as 2012. The page is not limited to purchases made directly from Google, either. From flight tickets to Amazon purchases to food delivery services, if the receipt went to your Gmail, it’s on the list. Google takes the name, date, and other specifics surrounding the purchase and records them in a list on the page."

The tracking is a reminder of the special place Internet service providers (ISPs) enjoy with access to all of users' online activities. Consumers' purchase receipts can include very sensitive information such as foods, medicine, and medical devices -- for parents and/or their children; or bookings for upcoming travel indicating when a home will be vacant; or purchases of medical marijuana, D-I-Y guns, and/or internet-connected adult toys. The bottom line: some consumers may not want their purchase data collected (nor shared with other companies by Google).

Now that you're aware of the tracking, something to consider the next time a cashier at a brick-and-mortar retail store asks: paper or email receipt? I always choose paper. You might, too.

To view your Google Purchase page, visit http://myaccount.google.com/purchases and sign in. Only you can view your purchases page.

Privacy solutions appear ugly. One option is to switch to an email provider that doesn't track you. If you decide to stay with Gmail, the only fix is a manual process which will cost you several hours or days to wade through your archive and delete emails:

"... the only way to remove a purchase from the list is to find and manually delete the email that contains the original receipt. Worse still, you can’t turn off tracking, and there’s no way to delete the list en masse. This process is incredibly tedious... Even more perplexing is that there’s no clear purpose for the collection of this data... the logic behind this reasoning is strange, the info is hiding in Google’s Account page, and it’s not exactly easy to access for users who want to “view and keep track of purchases.” And seeing as this page isn’t really being promoted to its users..."

Google said it is doing more for its customers regarding privacy. Last month, The Washington Post reported:

"... One executive after another at Google’s I/O conference in its hometown of Mountain View, California emphasized new privacy settings in products like search, maps, thermostats and updated mobile phone software. "We strongly believe that privacy and security are for everyone, not just a few," Google CEO Sundar Pichai said.

Said product manager Stephanie Cuthbertson, who introduced a new version of the Android mobile operating system: "You should always be in control of what you share and who you share it with."... Google also committed to improved privacy controls of its Nest-connected home devices, including the ability of users to delete their audio files. Some users have reported having hackers eavesdropping through their Nest devices."

Hmmm. It seems more privacy and control does not extend to Gmail users' purchase data. What are your opinions?

[Editor's note: this page was revised Monday evening to fix a typo and to include the link the Google Purchases page.]


How To Do Online Banking Safely And Securely

Most people love the convenience of online banking via their smartphone or other mobile device. However, it is important to do it safely and securely. How? NordVPN listed four items:

"1. Don't lose your phone: The biggest security threat of your mobile phone is also its greatest asset – its size. Phones are small, handy, beautiful, and easy to lose..."

So, keep your phone in your hand. Never place it on a table out of sight. Of course, you should lock your phone with a strong password. NordVPN commented about other locking options:

"Facial recognition: convenient but not secure, since it can sometimes be bypassed with a photograph... Fingerprints: low false-acceptance rates, perfect if you don’t often wear gloves."

More advice:

"2. Use the official banking app, not the browser... If you aren’t careful, you could download a fake banking app created by scammers to break into your account. Make sure your bank created or approves of the app you are downloading. Get it from their website. Moreover, do not use mobile browsers to log in to your bank account – they are less secure than bank-sanctioned apps..."

Obviously, you should sign out of the mobile app when when finished with your online banking session. Otherwise, a thief with your stolen phone has direct access to your money and accounts. NordVPN advises consumers to do your homework first: read app ratings and reviews before downloading any mobile apps.

Readers of this blog are probably familiar with the next item:

"4. Don’t use mobile banking on public Wi-Fi: Anyone on a public Wi-Fi network is in danger of a security breach. Most of these networks lack basic security measures and have poor router configurations and weak passwords..."

Popular places with public Wi-Fi includes coffee shops, fast food restaurants, supermarkets, airports, libraries, and hotels. If you must do online banking in a public place, NordVPN advised:

"... use your cellular network instead. It’s not perfect, but it’s better than public Wi-Fi. Better yet, turn on a virtual private network (VPN) and then use public Wi-Fi..."

There you have it. Read the entire online banking article by NordVPN. Ignore this advice at your own peril.


Brave Alerts FTC On Threats From Business Practices With Big Data

The U.S. Federal Trade Commission (FTC) held a "Privacy, Big Data, And Competition" hearing on November 6-8, 2018 as part of its "Competition And Consumer Protection in the 21st Century" series of discussions. During that session, the FTC asked for input on several topics:

  1. "What is “big data”? Is there an important technical or policy distinction to be drawn between data and big data?
  2. How have developments involving data – data resources, analytic tools, technology, and business models – changed the understanding and use of personal or commercial information or sensitive data?
  3. Does the importance of data – or large, complex data sets comprising personal or commercial information – in a firm’s ordinary course operations change how the FTC should analyze mergers or firm conduct? If so, how? Does data differ in importance from other assets in assessing firm or industry conduct?
  4. What structural, behavioral or conduct remedies should the FTC consider when remedying antitrust harm in a market or industry where data or personal or commercial information are a significant product or a key competitive input?
  5. Are there policy recommendations that would facilitate competition in markets involving data or personal or commercial information that the FTC should consider?
  6. Do the presence of personal information or privacy concerns inform or change competition analysis?
  7. How do state, federal, and international privacy laws and regulations, adopted to protect data and consumers, affect competition, innovation, and product offerings in the United States and abroad?"

Brave, the developer of a web browser, submitted comments to the FTC which highlighted two concerns:

"First, big tech companies “cross-use” user data from one part of their business to prop up others. This stifles competition, and hurts innovation and consumer choice. Brave suggests that FTC should investigate. Second, the GDPR is emerging as a de facto international standard. Whether this helps or harms United States firms will be determined by whether the United States enacts and actively enforces robust federal privacy laws."

A letter by Dr. Johnny Ryan, the Chief Policy & Industry Relations Officer at Brave, described in detail the company's concerns:

"The cross-use and offensive leveraging of personal information from one line of business to another is likely to have anti-competitive effects. Indeed anti-competitive practices may be inevitable when companies with Google’s degree of market dominance update their privacy policies to include the cross-use of personal information. The result is that a company can leverage all the personal information accumulated from its users in one line of business to dominate other lines of business too. Rather than competing on the merits, the company can enjoy the unfair advantage of massive network effects... The result is that nascent and potential competitors will be stifled, and consumer choice will be limited... The cross-use of data between different lines of business is analogous to the tying of two products. Indeed, tying and cross-use of data can occur at the same time, as Google Chrome’s latest “auto sign in to everything” controversy illustrates..."

Historically, Google let Chrome web browser users decide whether or not to sign in for cross-device usage. The Chrome 69 update forced auto sign-in, but a Chrome 70 update restored users' choice after numerous complaints and criticism.

Regarding topic #7 by the FTC, Brave's response said:

"A de facto international standard appears to be emerging, based on the European Union’s General Data Protection Regulation (GDPR)... the application of GDPR-like laws for commercial use of consumers’ personal data in the EU, Britain (post EU), Japan, India, Brazil, South Korea, Malaysia, Argentina, and China bring more than half of global GDP under a common standard. Whether this emerging standard helps or harms United States firms will be determined by whether the United States enacts and actively enforces robust federal privacy laws. Unless there is a federal GDPR-like law in the United States, there may be a degree of friction and the potential of isolation for United States companies... there is an opportunity in this trend. The United States can assume the global lead by adopting the emerging GDPR standard, and by investing in world-leading regulation that pursues test cases, and defines practical standards..."

Currently, companies collect, archive, share, and sell consumers' personal information at will -- often without notice nor consent. While all 50 states and territories have breach notification laws, most states have not upgraded their breach notification laws to include biometric and passport data. While the Health Insurance Portability and Accountability Act (HIPAA) is the federal law which governs healthcare data and related breaches, many consumers share health data with social media sites -- robbing themselves of HIPAA protections.

Moreover, it's an unregulated free-for-all of data collection, archiving, and sharing by telecommunications companies after the revoking in 2017 of broadband privacy protections for consumers in the USA. Plus, laws have historically focused upon "declared data" (e.g., the data users upload or submit into websites or apps) while ignoring "inferred data" -- which is arguably just as sensitive and revealing.

Regarding future federal privacy legislation, Brave added:

"... The GDPR is compatible with a United States view of consumer protection and privacy principles. Indeed, the FTC has proposed important privacy protections to legislators in 2009, and again in 2012 and 2014, which ended up being incorporated in the GDPR. The high-level principles of the GDPR are closely aligned, and often identical to, the United States’ privacy principles... The GDPR also incorporates principles endorsed by the U.S. in the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data; and the principles endorsed by the United States this year, in Article 19.8 (3) of the new United States-Mexico-Canada Agreement."

"The GDPR differs from established United States privacy principles in its explicit reference to “proportionality” as a precondition of data use, and in its more robust approach to data minimization and to purpose specification. In our view, a federal law should incorporate these elements too. We also recommend that federal law should adopt the GDPR definitions of concepts such as “personal data”, “legal basis” including opt-in “consent”, “processing”, “special category personal data”, ”profiling”, “data controller”, “automated decision making”, “purpose limitation”, and so forth, and tools such as data protection impact assessments, breach notification, and records of processing activities."

"In keeping with the fair information practice principles (FIPPs) of the 1974 US Privacy Act, Brave recommends that a federal law should require that the collection of personal information is subject to purpose specification. This means that personal information shall only be collected for specific and explicit purposes. Personal information should not used beyond those purposes without consent, unless a further purpose is poses no risk of harm and is compatible with the initial purpose, in which case the data subject should have the opportunity to opt-out."

Submissions by Brave and others are available to the public at the FTC website in the "Public Comments" section.


Study: Privacy Concerns Have Caused Consumers To Change How They Use The Internet

Facebook commissioned a study by the Economist Intelligence Unit (EIU) to understand "internet inclusion" globally, or how people use the Internet, the benefits received, and the obstacles experienced. The latest survey included 5,069 respondents from 100 countries in Asia-Pacific, the Americas, Europe, the Middle East, North Africa and Sub-Saharan Africa.

Overall findings in the report cited:

"... cause for both optimism and concern. We are seeing steady progress in the number and percentage of households connected to the Internet, narrowing the gender gap and improving accessibility for people with disabilities. The Internet also has become a crucial tool for employment and obtaining job-related skills. On the other hand, growth in Internet connections is slowing, especially among the lowest income countries, and efforts to close the digital divide are stalling..."

The EIU describes itself as, "the world leader in global business intelligence, to help companies, governments and banks understand changes in the world is changing, seize opportunities created by those changes, and manage associated risks. So, any provider of social media services globally would greatly value the EIU's services.

The chart below highlights some of the benefits mentioned by survey respondents:

Chart-internet-benefits-eiu-2019

Other benefits respondents said: almost three-quarters (74.4%) said the Internet is more effective than other methods for finding jobs; 70.5% said their job prospects have improved due to the Internet; and more. So, job seekers and employers both benefit.

Key findings regarding online privacy (emphasis added):

"... More than half (52.2%) of [survey] respondents say they are not confident about their online privacy, hardly changed from 51.5% in the 2018 survey... Most respondents are changing the way they use the Internet because they believe some information may not remain private. For example, 55.8% of respondents say they limit how much financial information they share online because of privacy concerns. This is relatively consistent across different age groups and household income levels... 42.6% say they limit how much personal health and medical information they share. Only 7.5% of respondents say privacy concerns have not changed the way they use the Internet."

So, the lack of online privacy affects how people use the internet -- for business and pleasure. The chart below highlights the types of online changes:

Chart-internet-usage-eiu-2019

Findings regarding privacy and online shopping:

"Despite lingering privacy concerns, people are increasingly shopping online. Whether this continues in the future may hinge on attitudes toward online safety and security... A majority of respondents say that making online purchases is safe and secure, but, at 58.8% it was slightly lower than the 62.1% recorded in the 2018 survey."

So, the percentage of respondents who said online purchases as safe and secure went in the wrong direction -- down. Not good. There were regional differences, too, about online privacy:

"In Europe, the share of respondents confident about their online privacy increased by 8 percentage points from the 2018 survey, probably because of the General Data Protection Regulation (GDPR), the EU’s comprehensive data privacy rules that came into force in May 2018. However, the Middle East and North Africa region saw a decline of 9 percentage points compared with the 2018 survey."

So, sensible legislation to protect consumers' online privacy can have positive impacts. There were other regional differences:

"Trust in online sources of information remained relatively stable, except in the West. Political turbulence in the US and UK may have played a role in causing the share of respondents in North America and Europe who say they trust information on government websites and apps to retreat by 10 percentage points and 6 percentage points, respectively, compared with the 2018 survey."

So, stability is important. The report's authors concluded:

"The survey also reflects anxiety about online privacy and a decline in trust in some sources of information. Indeed, trust in government information has fallen since last year in Europe and North America. The growth and importance of the digital economy will mean that alleviating these anxieties should be a priority of companies, governments, regulators and developers."

Addressing those anxieties is critical, if governments in the West are serious about facilitating business growth via consumer confidence and internet usage. Download the Inclusive Internet Index 2019 Executive Summary (Adobe PDF) report.


After Promises To Stop, Mobile Providers Continued Sales Of Location Data About Consumers. What You Can Do To Protect Your Privacy

Sadly, history repeats itself. First, the history: after getting caught selling consumers' real-time GPS location data without notice nor consumers' consent, in 2018 mobile providers promised to stop the practice. The Ars Technica blog reported in June, 2018:

"Verizon and AT&T have promised to stop selling their mobile customers' location information to third-party data brokers following a security problem that leaked the real-time location of US cell phone users. Senator Ron Wyden (D-Ore.) recently urged all four major carriers to stop the practice, and today he published responses he received from Verizon, AT&T, T-Mobile USA, and SprintWyden's statement praised Verizon for "taking quick action to protect its customers' privacy and security," but he criticized the other carriers for not making the same promise... AT&T changed its stance shortly after Wyden's statement... Senator Wyden recognized AT&T's change on Twitter and called on T-Mobile and Sprint to follow suit."

Kudos to Senator Wyden. The other mobile providers soon complied... sort of.

Second, some background: real-time location data is very valuable stuff. It indicates where you are as you (with your phone or other mobile devices) move about the physical world in your daily routine. No delays. No lag. Yes, there are appropriate uses for real-time GPS location data -- such as by law enforcement to quickly find a kidnapped person or child before further harm happens. But, do any and all advertisers need real-time location data about consumers? Data brokers? Others?

I think not. Domestic violence and stalking victims probably would not want their, nor their children's, real-time location data resold publicly. Most parents would not want their children's location data resold publicly. Most patients probably would not want their location data broadcast every time they visit their physician, specialist, rehab, or a hospital. Corporate executives, government officials, and attorneys conducting sensitive negotiations probably wouldn't want their location data collected and resold, either.

So, most consumers probably don't want their real-time location data resold publicly. Well, some of you make location-specific announcements via posts on social media. That's your choice, but I conclude that most people don't. Consumers want control over their location information so they can decide if, when, and with whom to share it. The mass collection and sales of consumers' real-time location data by mobile providers prevents choice -- and it violates persons' privacy.

Third, fast forward seven months from 2018. TechCrunch reported on January 9th:

"... new reporting by Motherboard shows that while [reseller] LocationSmart faced the brunt of the criticism [in 2018], few focused on the other big player in the location-tracking business, Zumigo. A payment of $300 and a phone number was enough for a bounty hunter to track down the participating reporter by obtaining his location using Zumigo’s location data, which was continuing to pay for access from most of the carriers. Worse, Zumigo sold that data on — like LocationSmart did with Securus — to other companies, like Microbilt, a Georgia-based credit reporting company, which in turn sells that data on to other firms that want that data. In this case, it was a bail bond company, whose bounty hunter was paid by Motherboard to track down the reporter — with his permission."

"Everyone seemed to drop the ball. Microbilt said the bounty hunter shouldn’t have used the location data to track the Motherboard reporter. Zumigo said it didn’t mind location data ending up in the hands of the bounty hunter, but still cut Microbilt’s access. But nobody quite dropped the ball like the carriers, which said they would not to share location data again."

The TechCrunch article rightly held offending mobile providers accountable. Example: T-Mobile's chief executive tweeted last year:

Then, Legere tweeted last week:

The right way? In my view, real-time location never should have been collected and resold. Almost a year after reports first surfaced, T-Mobile is finally getting around to stopping the practice and terminating its relationships with location data resellers -- two months from now. Why not announce this slow wind-down last year when the issue first surfaced? "Emergency assistance" is the reason we are supposed to believe. Yeah, right.

The TechCrunch article rightly took AT&T and Verizon to task, too. Good. I strongly encourage everyone to read the entire TechCrunch article.

What can consumers make of this? There seem to be several takeaways:

  1. Transparency is needed, since corporate privacy policies don't list all (or often any) business partners. This lack of transparency provides an easy way for mobile providers to resume location data sales without notice to anyone and without consumers' consent,
  2. Corporate executives will say anything in tweets/social media. A healthy dose of skepticism by consumers and regulators is wise,
  3. Consumers can't trust mobile providers. They are happy to make money selling consumers' real-time location data, regardless of consumers' desires not for our data to be collected and sold,
  4. Data brokers and credit reporting agencies want consumers' location data,
  5. To ensure privacy, consumers also must take action: adjust the privacy settings on your phones to limit or deny mobile apps access to your location data. I did. It's not hard. Do it today, and
  6. Oversight is needed, since a) mobile providers have, at best, sloppy to minimal oversight and internal processes to prevent location data sales; and b) data brokers and others are readily available to enable and facilitate location data transactions.

I cannot over-emphasize #5 above. What issues or takeaways do you see? What are your opinions about real-time location data?


Senator Wyden Introduces Bill To Help Consumers Regain Online Privacy And Control Over Sensitive Data

Late last week, Senator Ron Wyden (Dem - Oregon) introduced a "discussion draft" of legislation to help consumers recover online privacy and control over their sensitive personal data. Senator Wyden said:

"Today’s economy is a giant vacuum for your personal information – Everything you read, everywhere you go, everything you buy and everyone you talk to is sucked up in a corporation’s database. But individual Americans know far too little about how their data is collected, how it’s used and how it’s shared... It’s time for some sunshine on this shadowy network of information sharing. My bill creates radical transparency for consumers, gives them new tools to control their information and backs it up with tough rules with real teeth to punish companies that abuse Americans’ most private information.”

The press release by Senator Wyden's office explained the need for new legislation:

"The government has failed to respond to these new threats: a) Information about consumers’ activities, including their location information and the websites they visit is tracked, sold and monetized without their knowledge by many entities; b) Corporations’ lax cybersecurity and poor oversight of commercial data-sharing partnerships has resulted in major data breaches and the misuse of Americans’ personal data; c) Consumers have no effective way to control companies’ use and sharing of their data."

Consumers in the United States lost both control and privacy protections when the U.S. Federal Communications Commission (FCC), led by President Trump appointee Ajit Pai, a former Verizon lawyer, repealed last year both broadband privacy and net neutrality protections for consumers. A December 2017 study of 1,077 voters found that most want net neutrality protections. President Trump signed the privacy-rollback legislation in April 2017. A prior blog post listed many historical abuses of consumers by some internet service providers (ISPs).

With the repealed broadband privacy, ISPs are free to collect and archive as much data about consumers as desired without having to notify and get consumers' approval of the collection nor of who they share archived data with. That's 100 percent freedom for ISPs and zero freedom for consumers.

By repealing online privacy and net neutrality protections for consumers, the FCC essentially punted responsibility to the U.S. Federal Trade Commission (FTC). According to Senator Wyden's press release:

"The FTC, the nation’s main privacy and data security regulator, currently lacks the authority and resources to address and prevent threats to consumers’ privacy: 1) The FTC cannot fine first-time corporate offenders. Fines for subsequent violations of the law are tiny, and not a credible deterrent; 2) The FTC does not have the power to punish companies unless they lie to consumers about how much they protect their privacy or the companies’ harmful behavior costs consumers money; 3) The FTC does not have the power to set minimum cybersecurity standards for products that process consumer data, nor does any federal regulator; and 4) The FTC does not have enough staff, especially skilled technology experts. Currently about 50 people at the FTC police the entire technology sector and credit agencies."

This means consumers have no protections nor legal options unless the company, or website, violates its published terms-of-conditions and privacy policies. To solves the above gaps, Senator Wyden's new legislation, titled the Consumer Data Privacy Act (CDPA), contains several new and stronger protections. It:

"... allows consumers to control the sale and sharing of their data, gives the FTC the authority to be an effective cop on the beat, and will spur a new market for privacy-protecting services. The bill empowers the FTC to: i) Establish minimum privacy and cybersecurity standards; ii) Issue steep fines (up to 4% of annual revenue), on the first offense for companies and 10-20 year criminal penalties for senior executives; iii) Create a national Do Not Track system that lets consumers stop third-party companies from tracking them on the web by sharing data, selling data, or targeting advertisements based on their personal information. It permits companies to charge consumers who want to use their products and services, but don’t want their information monetized; iv) Give consumers a way to review what personal information a company has about them, learn with whom it has been shared or sold, and to challenge inaccuracies in it; v) Hire 175 more staff to police the largely unregulated market for private data; and vi) Require companies to assess the algorithms that process consumer data to examine their impact on accuracy, fairness, bias, discrimination, privacy, and security."

Permitting companies to charge consumers who opt out of data collection and sharing is a good thing. Why? Monthly payments by consumers are leverage -- a strong incentive for companies to provide better cybersecurity.

Business as usual -- cybersecurity methods by corporate executives and government enforcement -- isn't enough. The tsunami of data breaches is an indication. During October alone:

A few notable breach events from earlier this year:

The status quo, or business as usual, is unacceptable. Executives' behavior won't change without stronger consequences like jail time, since companies perform cost-benefit analyses regarding how much to spend on cybersecurity versus the probability of breaches and fines. Opt-outs of data collection and sharing by consumers, steeper fines, and criminal penalties could change those cost-benefit calculations.

Four former chief technologists at the FCC support Senator Wyden's legislation. Gabriel Weinberg, the Chief Executive Officer of DuckDuckGo also supports it:

"Senator Wyden’s proposed consumer privacy bill creates needed privacy protections for consumers, mandating easy opt-outs from hidden tracking. By forcing companies that sell and monetize user data to be more transparent about their data practices, the bill will also empower consumers to make better-informed privacy decisions online, enabling companies like ours to compete on a more level playing field."

Regular readers of this blog know that the DuckDuckGo search engine (unlike Google, Bing and Yahoo search engines) doesn't track users, doesn't collect nor archive data about users and their devices, and doesn't collect nor store users' search criteria. So, DuckDuckGo users can search knowing their data isn't being sold to advertisers, data brokers, and others.

Lastly, Wyden's proposed legislation includes several key definitions (emphasis added):

"... The term "automated decision system" means a computational process, including one derived from machine learning, statistics, or other data processing or artificial intelligence techniques, that makes a decision or facilitates human decision making, that impacts consumers... The term "automated decision system impact assessment" means a study evaluating an automated decision system and the automated decision system’s development process, including the design and training data of the automated decision 14 system, for impacts on accuracy, fairness, bias, discrimination, privacy, and security that includes... The term "data protection impact assessment" means a study evaluating the extent to which an information system protects the privacy and security of personal information the system processes... "

The draft legislation requires companies to perform both automated data impact assessments and data protection impact assessments; and requires the FTC to set the frequency and conditions for both. A copy of the CDPA draft is also available here (Adobe PDF; 67.7 k bytes).

This is a good start. It is important... critical... to hold accountable both corporate executives and the automated decision systems their approve and deploy. Based upon history, outsourcing has been one corporate tactic to manage liability by shifting it to providers. Good to close any loopholes now where executives could abuse artificial intelligence and related technologies to avoid responsibility.

What are your thoughts, opinions of the proposed legislation?


Survey: Most Home Users Satisfied With Voice-Controlled Assistants. Tech Adoption Barriers Exist

Recent survey results reported by MediaPost:

"Amazon Alexa and Google Assistant have the highest satisfaction levels among mobile users, each with an 85% satisfaction rating, followed by Siri and Bixby at 78% and Microsoft’s Cortana at 77%... As found in other studies, virtual assistants are being used for a range of things, including looking up things on the internet (51%), listening to music (48%), getting weather information (46%) and setting a timer (35%)... Smart speaker usage varies, with 31% of Amazon device owners using their speaker at least a few times a week, Google Home owners 25% and Apple HomePod 18%."

Additional survey results are available at Digital Trends and Experian. PWC found:

"Only 10% of surveyed respondents were not familiar with voice-enabled products and devices. Of the 90% who were, the majority have used a voice assistant (72%). Adoption is being driven by younger consumers, households with children, and households with an income of >$100k... Despite being accessible everywhere, three out of every four consumers (74%) are using their mobile voice assistants at home..."

Consumers seem to want privacy when using voice assistants, so usage tends to occur at home and not in public places. Also:

"... the bulk of consumers have yet to graduate to more advanced activities like shopping or controlling other smart devices in the home... 50% of respondents have made a purchase using their voice assistant, and an additional 25% would consider doing so in the future. The majority of items purchased are small and quick.. Usage will continue to increase but consistency must improve for wider adoption... Some consumers see voice assistants as a privacy risk... When forced to choose, 57% of consumers said they would rather watch an ad in the middle of a TV show than listen to an ad spoken by their voice assistant..."

Consumers want control over the presentation of advertisements by voice assistants. Control options desired include skip, select, never while listening to music, only at pre-approved times, customized based upon interests, seamless integration, and match to preferred brands. 38 percent of survey respondents said that they, "don't want something 'listening in' on my life all the time."

What are your preferences with voice assistants? Any privacy concerns?


New York State Attorney General Expands Investigation Into Fraudulent 'Net Neutrality' Comments Submitted To FCC

The Attorney General (AG) for New York State has expanded its fraud investigation regarding net neutrality comments submitted to the U.S. Federal Communication Commission (FTC) website in 2017. The New York Times reported that the New York State AG has:

"... subpoenaed more than a dozen telecommunications trade groups, lobbying contractors and Washington advocacy organizations on Tuesday, seeking to determine whether the groups submitted millions of fraudulent public comments to sway a critical federal decision on internet regulation... The attorney general, Barbara D. Underwood, is investigating the source of more than 22 million public comments submitted to the F.C.C. during the battle over the regulations. Millions of comments were provided using temporary or duplicate email addresses, while others recycled identical phrases. Seven popular comments, repeated verbatim, accounted for millions more. The noise from the fake or orchestrated comments appears to have broadly favored the telecommunications industry..."

Also this month, the Center For Internet & Society reported the results of a study at Stanford University (bold emphasis added):

"In the leadup to the FCC's historic vote in December 2017 to repeal all net neutrality protections, 22 million comments were filed to the agency. But unfortunately, millions of those comments were fake. Some of the fake comment were part of sophisticated campaigns that filed fake comments using the names of real people - including journalists, Senators and dead people. The FCC did nothing to try to prevent comment stuffing and comment fraud, and even after the vote, made no attempt to help the public, journalists, policy makers actually understand what Americans actually told the FCC... This report used the 800,000 comments Kao identified as semantic standouts from form letter and fraud campaigns. These unique comments were overwhelmingly in support of keeping the 2015 Open Internet Order - in fact, 99.7% of comments opposed the repeal of net neutrality protections. This report then matched and sorted those comments to geographic areas, including the 50 states and every Congressional District..."

An investigation in 2017 by the New York State AG found that about 2 million of the comments submitted to the FCC about net neutrality "stole real Americans' identities." A follow-up investigation found that more than 9 million comments "used stolen identities."

The FCC, led by Trump appointee Ajit Pai, a former Verizon lawyer, repealed last year both broadband privacy and net neutrality protections for consumers. The FCC has ignored requests to investigate comments fraud. A December 2017 study of 1,077 voters found that most want net neutrality protections. President Trump signed the privacy-rollback legislation in April 2017. A prior blog post listed many historical abuses of consumers by some ISPs.

Some of the organizations subpoenaed by the New York State AG include (links added):

"... Broadband for America, Century Strategies, and MediaBridge. Broadband for America is a coalition supported by cable and telecommunications companies; Century Strategies is a political consultancy founded by Ralph Reed, the former director of the Christian Coalition; and MediaBridge is a conservative messaging firm..."

Reportedly, the New York AG has requested information from both groups which opposed and supported net neutrality protections. The New York AG operates a website where consumers can check for fake comments submitted to the FCC. (When you check, enter your name in quotes for a more precise search. And check the street address, since many people have the same name.) I checked. You can read my valid comment submitted to the FCC.

This whole affair is another reminder of how to attack and undermine a democracy by abusing online tools. A prior post discussed how social media has been abused.


Verizon Throttled Mobile Services Of First Responders Fighting California Wildfires

Verizon logo Fighting fires is difficult, dangerous work. Recently, that was made worse by an internet service provider (ISP). Ars Technica reported:

"Verizon Wireless' throttling of a fire department that uses its data services has been submitted as evidence in a lawsuit that seeks to reinstate federal net neutrality rules. "County Fire has experienced throttling by its ISP, Verizon," Santa Clara County Fire Chief Anthony Bowden wrote in a declaration. "This throttling has had a significant impact on our ability to provide emergency services. Verizon imposed these limitations despite being informed that throttling was actively impeding County Fire's ability to provide crisis-response and essential emergency services." Bowden's declaration was submitted in an addendum to a brief filed by 22 state attorneys general, the District of Columbia, Santa Clara County, Santa Clara County Central Fire Protection District, and the California Public Utilities Commission. The government agencies are seeking to overturn the recent repeal of net neutrality rules in a lawsuit they filed against the Federal Communications Commission in the US Court of Appeals for the District of Columbia Circuit."

Reportedly, Verizon replied with a statement that the throttling, "was a customer service error." Huh? This is how Verizon treats first-responders? This is how an ISP treats first-responders during a major emergency and natural disaster? The wildfires have claimed 12 deaths, destroyed at least 1,200 homes, and wiped out the state's emergency fund. Smoke from the massive wildfires has caused extensive pollution and health warnings in Northwest areas including Portland, Oregon and Seattle, Washington. The thick smoke could be seen from space.

Ars Technica reported in an August 21 update:

"Santa Clara County disputed Verizon's characterization of the problem in a press release last night. "Verizon's throttling has everything to do with net neutrality—it shows that the ISPs will act in their economic interests, even at the expense of public safety," County Counsel James Williams said on behalf of the county and fire department. "That is exactly what the Trump Administration's repeal of net neutrality allows and encourages." "

In 2017, President Trump appointed Ajit Pai, a former Verizon attorney, as Chairman of the U.S. Federal Communications Commission. Under Pai's leadership, the FCC revoked both online privacy and net neutrality protections for consumers. This gave ISPs the freedom to do as they want online while consumers lost two key freedoms: a) the freedom to control the data describing their activities online (which are collected and shared with others by ISPs), and b) freedom to use the internet bandwidth purchased as they choose.

If an ISP will throttle and abuse first-responders, think of what it will do it regular consumers. What are your opinions?


T-Mobile Confirmed Data Breach Affecting Millions Of Customers

T-Mobile logo T-Mobile confirmed a data breach which impacted its customers. Last week, the mobile service provider said in a statement:

"On August 20, our cyber-security team discovered and shut down an unauthorized access to certain information, including yours, and we promptly reported it to authorities. None of your financial data (including credit card information) or social security numbers were involved, and no passwords were compromised. However, you should know that some of your personal information may have been exposed, which may have included one or more of the following: name, billing zip code, phone number, email address, account number and account type (prepaid or postpaid)."

Affected customers are being notified. The statement did not disclose the number of affected customers, exactly how criminals breached its systems, nor the specific actions T-Mobile is taking to prevent this type of breach from happening again. The lack of detail is discouraging and does not promote trust.

CBS News reported:

"... the breach affected about 3 percent of T-Mobile's 77 million customers, or 2 million people... In May, researchers detected a bug in the company's website that allowed anyone to access the personal data of customers with just a phone number. The company is waiting for regulatory approval of a proposed $26.5 billion takeover of Sprint, the fourth-largest carrier in the United States."

So, criminals have stolen enough information to do damage: send spam via e-mail or text, and conduct pretexting (e.g., impersonate others to take over online accounts by resetting passwords, and/or gain access to payment data).

If you received a breach notice from T-Mobile, how satisfied are you with the company's response?


Facebook To Remove Onavo VPN App From Apple App Store

Not all Virtual Private Network (VPN) software is created equal. Some do a better job at protecting your privacy than others. Mashable reported that Facebook:

"... plans to remove its Onavo VPN app from the App Store after Apple warned the company that the app was in violation of its policies governing data gathering... For those blissfully unaware, Onavo sold itself as a virtual private network that people could run "to take the worry out of using smartphones and tablets." In reality, Facebook used data about users' internet activity collected by the app to inform acquisitions and product decisions. Essentially, Onavo allowed Facebook to run market research on you and your phone, 24/7. It was spyware, dressed up and neatly packaged with a Facebook-blue bow. Data gleaned from the app, notes the Wall Street Journal, reportedly played into the social media giant's decision to start building a rival to the Houseparty app. Oh, and its decision to buy WhatsApp."

Thanks Apple! We've all heard of the #FakeNews hashtag on social media. Yes, there is a #FakeVPN hashtag, too. So, buyer beware... online user beware.


New York State Tells Charter To Leave Due To 'Persistent Non-Compliance And Failure To Live Up To Promises'

The New York State Public Service Commission (NYPSC) announced on Friday that it has revoked its approval of the 2016 merger agreement between Charter Communications, Inc. and Time Warner Cable, Inc. because:

"... Charter, doing business as Spectrum has — through word and deed — made clear that it has no intention of providing the public benefits upon which the Commission's earlier [merger] approval was conditioned. In addition, the Commission directed Commission counsel to bring an enforcement action in State Supreme Court to seek additional penalties for Charter's past failures and ongoing non-compliance..."

Charter, the largest cable provider in the State, provides digital cable television, broadband internet and VoIP telephone services to more than two million subscribers in in more than 1,150 communities. It provides services to consumers in Buffalo, Rochester, Syracuse, Albany and four boroughs in New York City: Manhattan, Staten Island, Queens and Brooklyn. The planned expansion could have increased to five million subscribers in the state.

Charter provides services in 41 states: Alabama, Arizona, California, Colorado, Connecticut, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Kansas, Kentucky, Louisiana, Maine, Massachusetts, Michigan, Minnesota, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, Wisconsin, and Wyoming.

A unit of the Department of Public Service, the NYPSC site described its mission, "to ensure affordable, safe, secure, and reliable access to electric, gas, steam, telecommunications, and water services for New York State’s residential and business consumers, while protecting the natural environment." Its announcement listed Spectrum's failures and non-compliance:

"1. The company’s repeated failures to meet deadlines;
2. Charter’s attempts to skirt obligations to serve rural communities;
3. Unsafe practices in the field;
4. Its failure to fully commit to its obligations under the 2016 merger agreement; and
5. The company’s purposeful obfuscation of its performance and compliance obligations to the Commission and its customers."

The announcement provided details:

"On Jan. 8, 2016, the Commission approved Charter’s acquisition of Time Warner. To obtain approval, Charter agreed to a number of conditions required by the Commission to advance the public interest, including delivering broadband speed upgrades to 100 Mbps statewide by the end of 2018, and 300 Mbps by the end of 2019, and building out its network to pass an additional 145,000 un-served or under-served homes and businesses in the State's less densely populated areas within four years... Despite missing every network expansion target since the merger was approved in 2016, Charter has falsely claimed in advertisements it is exceeding its commitments to the State and is on track to deliver its network expansion. This led to the NYPSC’s general counsel referring a false advertising claim to the Attorney General’s office for enforcement... By its own admission, Charter has failed to meet its commitment to expand its service network... Its failure to meet its June 18, 2018 target by more than 40 percent is only the most recent example. Rather than accept responsibility Charter has tried to pass the blame for its failure on other companies, such as utility pole owners..."

The NYPSC has already levied $3 million in fines against Charter. The latest action basically boots Charter out of the State:

"Charter is ordered to file within 60 days a plan with the Commission to ensure an orderly transition to a successor provider(s). During the transition process, Charter must continue to comply with all local franchises it holds in New York State and all obligations under the Public Service Law and the NYPSC regulations. Charter must ensure no interruption in service is experienced by customers, and, in the event that Charter does not do so, the NYPSC will take further steps..."

Of course, executives at Charter have a different view of the situation. NBC New York reported:

"In the weeks leading up to an election, rhetoric often becomes politically charged. But the fact is that Spectrum has extended the reach of our advanced broadband network to more than 86,000 New York homes and businesses since our merger agreement with the PSC. Our 11,000 diverse and locally based workers, who serve millions of customers in the state every day, remain focused on delivering faster and better broadband to more New Yorkers, as we promised..."


The Wireless Carrier With At Least 8 'Hidden Spy Hubs' Helping The NSA

AT&T logo During the late 1970s and 1980s, AT&T conducted an iconic “reach out and touch someone” advertising campaign to encourage consumers to call their friends, family, and classmates. Back then, it was old school -- landlines. The campaign ranked #80 on Ad Age's list of the 100 top ad campaigns from the last century.

Now, we learn a little more about how extensive pervasive surveillance activities are at AT&T facilities to help law enforcement reach out and touch persons. Yesterday, the Intercept reported:

"The NSA considers AT&T to be one of its most trusted partners and has lauded the company’s “extreme willingness to help.” It is a collaboration that dates back decades. Little known, however, is that its scope is not restricted to AT&T’s customers. According to the NSA’s documents, it values AT&T not only because it "has access to information that transits the nation," but also because it maintains unique relationships with other phone and internet providers. The NSA exploits these relationships for surveillance purposes, commandeering AT&T’s massive infrastructure and using it as a platform to covertly tap into communications processed by other companies.”

The new report describes in detail the activities at eight AT&T facilities in major cities across the United States. Consumers who use other branded wireless service providers are also affected:

"Because of AT&T’s position as one of the U.S.’s leading telecommunications companies, it has a large network that is frequently used by other providers to transport their customers’ data. Companies that “peer” with AT&T include the American telecommunications giants Sprint, Cogent Communications, and Level 3, as well as foreign companies such as Sweden’s Telia, India’s Tata Communications, Italy’s Telecom Italia, and Germany’s Deutsche Telekom."

It was five years ago this month that the public learned about extensive surveillance by the U.S. National Security Agency (NSA). Back then, the Guardian UK newspaper reported about a court order allowing the NSA to spy on U.S. citizens. The revelations continued, and by 2016 we'd learned about NSA code inserted in Android operating system software, the FISA Court and how it undermines the public's trust, the importance of metadata and how much it reveals about you (despite some politicians' claims otherwise), the unintended consequences from broad NSA surveillance, U.S. government spy agencies' goal to break all encryption methods, warrantless searches of U.S. citizens' phone calls and e-mail messages, the NSA's facial image data collection program, the data collection programs included ordinary (e.g., innocent) citizens besides legal targets, and how  most hi-tech and telecommunications companies assisted the government with its spy programs. We knew before that AT&T was probably the best collaborator, and now we know more about why. 

Content vacuumed up during the surveillance includes consumers' phone calls, text messages, e-mail messages, and internet activity. The latest report by the Intercept also described:

"The messages that the NSA had unlawfully collected were swept up using a method of surveillance known as “upstream,” which the agency still deploys for other surveillance programs authorized under both Section 702 of FISA and Executive Order 12333. The upstream method involves tapping into communications as they are passing across internet networks – precisely the kind of electronic eavesdropping that appears to have taken place at the eight locations identified by The Intercept."

Former NSA contractor Edward Snowden commented on Twitter:


Lawmakers In California Cave To Industry Lobbying, And Backtrack With Weakened Net Neutrality Bill

After the U.S. Federal Communications Commission (FCC) acted last year to repeal net neutrality rules, those protections officially expired on June 11th. Meanwhile, legislators in California have acted to protect their state's residents. In January, State Senator Weiner introduced in January a proposed bill, which was passed by the California Senate three weeks ago.

Since then, some politicians have countered with a modified bill lacking strong protections. C/Net reported:

"The vote on Wednesday in a California Assembly committee hearing advanced a bill that implements some net neutrality protections, but it scaled back all the measures of the bill that had gone beyond the rules outlined in the Federal Communications Commission's 2015 regulation, which was officially taken off the books by the Trump Administration's commission last week. In a surprise move, the vote happened before the hearing officially started,..."

Weiner's original bill was considered the "gold standard" of net neutrality protections for consumers because:

"... it went beyond the FCC's 2015 net neutrality "bright line" rules by including provisions like a ban on zero-rating, a business practice that allows broadband providers like AT&T to exempt their own services from their monthly wireless data caps, while services from competitors are counted against those limits. The result is a market controlled by internet service providers like AT&T, who can shut out the competition by creating an economic disadvantage for those competitors through its wireless service plans."

State Senator Weiner summarized the modified legislation:

"It is, with the amendments, a fake net neutrality bill..."

A key supporter of the modified, weak bill was Assemblyman Miguel Santiago, a Democrat from Los Angeles. Motherboard reported:

"Spearheading the rushed dismantling of the promising law was Committee Chair Miguel Santiago, a routine recipient of AT&T campaign contributions. Santiago’s office failed to respond to numerous requests for comment from Motherboard and numerous other media outlets... Weiner told the San Francisco Chronicle that the AT&T fueled “evisceration” of his proposal was “decidedly unfair.” But that’s historically how AT&T, a company with an almost comical amount of control over state legislatures, tends to operate. The company has so much power in many states, it’s frequently allowed to quite literally write terrible state telecom law..."

Supporters of this weakened bill either forgot or ignored the results from a December 2017 study of 1,077 voters. Most consumers want net neutrality protections:

Do you favor or oppose the proposal to give ISPs the freedom to: a) provide websites the option to give their visitors the ability to download material at a higher speed, for a fee, while providing a slower speed for other websites; b) block access to certain websites; and c) charge their customers an extra fee to gain access to certain websites?
Group Favor Opposed Refused/Don't Know
National 15.5% 82.9% 1.6%
Republicans 21.0% 75.4% 3.6%
Democrats 11.0% 88.5% 0.5%
Independents 14.0% 85.9% 0.1%

Why would politicians pursue weak net neutrality bills with few protections, while constituents want those protections? They are doing the bidding of the corporate internet service providers (ISPs) at the expense of their constituents. Profits before people. These politicians promote the freedom for ISPs to do as they please while restricting consumers' freedoms to use the bandwidth they've purchased however they please.

Broadcasting and Cable reported:

"These California democrats will go down in history as among the worst corporate shills that have ever held elected office," said Evan Greer of net neutrality activist group Fight for the Future. "Californians should rise up and demand that at their Assembly members represent them. The actions of this committee are an attack not just on net neutrality, but on our democracy.” According to Greer, the vote passed 8-0, with Democrats joining Republicans to amend the bill."

According to C/Net, more than 24 states are considering net neutrality legislation to protect their residents:

"... New York, Connecticut, and Maryland, are also considering legislation to reinstate net neutrality rules. Oregon and Washington state have already signed their own net neutrality legislation into law. Governors in several states, including New Jersey and Montana, have signed executive orders requiring ISPs that do business with the state adhere to net neutrality principles."

So, we have AT&T (plus politicians more interested in corporate donors than their constituents, the FCC, President Trump, and probably other telecommunications companies) to thank for this mess. What do you think?