100 posts categorized "Travel" Feed

At Least 3 Countries Warn Their Citizens About Travel To The USA

After several mass shooting incidents in the United States, several countries have issued travel warnings for their citizens visiting the United States. Fox 2 Now News in St. Louis reported:

"The Japanese Consul in Detroit on Sunday published an alert that said Japanese nationals "should be aware of the potential for gunfire incidents everywhere in the United States," which it described as "a gun society." Uruguay’s Office of Foreign Ministry issued an advisory Monday saying citizens should "take precaution amid the growing indiscriminatory violence, specifically hate crimes including racism and discrimination" when traveling to the United States. The alert noted that other factors, such as the "indiscriminate possession of firearms by the population" and the "impossibility of authorities to prevent these situations," were among some of the reasons... Uruguay’s warning also suggested avoiding the cities of Detroit, Baltimore and Albuquerque... Venezuela’s Foreign Ministry office also issued a warning to its residents Monday, saying Venezuelans should postpone their travels or exercise caution when traveling as a result of the events in El Paso, Texas, and Dayton, Ohio... The statement from Venezuela cites a Forbes article listing these US cities as places to avoid: "Given all of the above, it is suggested above all to avoid visiting some cities that are among the 20 most dangerous in the world, such as Cleveland, Ohio; Detroit, Michigan; Baltimore, Maryland; St. Louis, Missouri; Oakland, California; Memphis, Tennessee; Birmingham, Alabama; Atlanta Georgia; Stockton, and Buffalo." "

CNN reported:

"In April, the US State Department gave Venezuela its highest travel advisory, Level 4: Do Not Travel, citing crime, civil unrest and the arbitrary arrest and detention of US citizens. Venezuela was ranked as the most dangerous country in the world for the second straight year, according to a Gallup survey in 2018. It is one of 13 countries issued the highest advisory. Uruguay is listed as a Level 2: Exercise Increased Caution on the State Department's travel advisory."

These travel warnings by other countries cannot be good news for the tourism and travel industries in the USA. It makes one wonder how many jobs will be lost, or how many workers will be furloughed, as foreign travelers avoid visits to the USA.

And, this follows a January, 2018 report which found that, "since 2015, the U.S. and Turkey have been the only places among the top dozen global travel destinations to experience a decline in inbound visitors." So, the recent travel warnings are bad news on top of existing bad news.

What are your opinions? If you have heard of another country issuing warnings about travel to the USA, please share that below.


Automated Following: The Technology For Platoons Of Self-Driving Trucks

The MediaPost Connected Thinking blog reported:

"At the Automated Vehicle Symposium in Orlando [in July], one company involved in automated vehicle technology unveiled its vision for using a single driver to drive a pair of vehicles. The approach, named Automated Following, is an advanced platooning system created by Peloton Technology. It uses vehicle-to-vehicle (V2V) technology to let a lead driver control the vehicle and one that is following, in this case large trucks... Platooning works by utilizing V2V communications and radar-based active braking systems, combined with vehicle control algorithms, according to Peloton. The system connects a fully automated follow truck with a driver-controlled lead truck. The V2V link lets the human driven lead truck guide the steering, acceleration and braking of the follow truck..."

To learn more, I visited the Peloton Technology website. The Platoon-Pro section of the site lists the benefits below:

Platooning benefits. Peloton-Pro at Peloton Technology website. July 20, 2019. Click to view larger version

While it's good to read about specific estimates of fuel savings, I was hoping to also read similar estimates about decreased crashes and/or decreased severity of crashes. The page simply listed the safety features.

The site's home page features a "Safety & Platoon" video explaining how a 2-truck platoon might operate. On an interstate highway, both trucks are manned with human drivers. (What happened to the single driver benefit?) The video also shows what happens when a passenger vehicle briefly "cuts" in between a 2-truck platoon:

According to the video, the drivers can vary the distance between two trucks in a platoon. That seems to be a good feature.

The technology raises several questions. First, the video features a "cut in" with a small car. What happens when a larger vehicle, such as a bus, cuts in? What happens when several (large) vehicles cut in between? Second, just because we humans can do something doesn't mean we should do it. 2-truck platoons in the near future could expand to 4- or 5-truck platoons after that. One wonders about the wisdom. Are highways, country roads, and city streets designed to accommodate truck platoons this large?

Third, my impression: a 2-truck platoon sounds like a short train. In the near future, motorists will have to navigate in-between and around platoons of self-driving tractor-trailer trucks. Are motorists ready for this? Historically, auto drivers have had difficulty with traditional railroad crossings. The technology seems to be something which requires plenty of testing.

Another way of asking the question: is this what we want on our streets and highways given existing railroads already designed for trains = long platoons of trucks?

Fourth, security matters. What's being done to prevent the technology being abused? Automated following technology in the hands of bad guys could enable terrorists to deliver platoons of car bombs, or platoons of small boats armed with bombs. So, security (against hacking and against theft) is even more of an issue.

What are your opinions?


CBP Breach Disclosed Images Of Travelers' Faces And Vehicle License Plates. Many Unanswered Questions

United States Customs and Border Patrol logo A security breach at a vendor used by U.S. Customs & Border Patrol (CBP) has disclosed the images of both travelers and vehicles license plates. The Washington Post reported:

"Customs officials said in a statement Monday that the images, which included photos of people’s faces and license plates, had been compromised as part of an attack on a federal subcontractor. CBP makes extensive use of cameras and video recordings at airports and land border crossings, where images of vehicles are captured. Those images are used as part of a growing agency facial-recognition program designed to track the identity of people entering and exiting the United States. Fewer than 100,000 people were impacted, said CBP... Officials said the stolen information did not include other identifying information, and no passport or other travel document photos were compromised..."

Reportedly, CBP learned about the breach on May 31. The newspaper also reported:

"CBP said copies of “license plate images and traveler images collected by CBP” had been transferred to the subcontractor’s company network, violating the agency’s security and privacy rules. The subcontractor’s network was then attacked and breached. No CBP systems were compromised, the agency said."

A reporter posted on Twitter the brief statement by CBP, which was sent to selected news organizations:

"On May 31, 2009, CBP learned that a subcontractor, in violation of CBP policies and without CBP's authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor's company network. The subcontractor's network was subsequently compromised by a malicious cyber-attack. No CBP systems were compromised.

Initial information indicates that the subcontractor violated mandatory security and privacy controls outlined in their contract. As of today, none of the image data has been identified on the Dark Web or internet. CBP has alerted Members of Congress and is working closely with other law enforcement agencies and cybersecurity entities, and its own Office of Professional Responsibility to actively investigate the incident. CBP will unwaveringly work with all partners to determine the extent of the breach and the appropriate response. CBP has removed from service all equipment related to the breach and is closely monitoring all CBP work by the contractor..."

Well, that brief statement is a start... a small start. This security breach is very troubling for several reasons.

First, it seems that CBP was unaware of the contractual violation (e.g., downloaded images) until it was informed of the data breach. That suggests an inadequate contractual agreement between the vendor and CBP; or failures by CBP to monitor and enforce its contracts. That also raises more questions:

  • When and which executives at the vendor will be reprimanded for this violation?
  • Why did CBP fail to identify the download violation?
  • What changes are underway to prevent future violations?
  • Why is CBP continuing to use a vendor known to have severely violated its contractual agreement?
  • What other vendors have violated CBP contracts?

Second, CBP refused to disclose the name of the vendor. Why? What would this accomplish? Its statement described the breach as a "malicious cyberattack." That seems to warrant disclosure. Were CBP executives caught unprepared?

Thankfully, reporters at the Washington Post continued investigating:

"... a Microsoft Word document of CBP’s public statement, sent Monday to Washington Post reporters, included the name “Perceptics” in the title: “CBP Perceptics Public Statement.” Perceptics representatives did not immediately respond to requests for comment... reporters at The Register, a British technology news site, reported late last month that a large haul of breached data from the firm Perceptics was being offered as a free download on the dark web."

So, we don't know for sure if Perceptics was the CBP vendor. However, the May 23rd article in The Register indicates that Perceptics executives were already aware of the breach. CBP executives should have known about the breach on May 23, too, since the article mentioned both entities. Then, why did the CBP statement say it learned of the breach on May 31st? Something here smells -- arrogance, incompetence, or both.

Third, a check at press time of the CBP website and newsroom failed to find any mentions of the security breach. CBP executives have had since May 31st (or since May 23rd), so why send a statement only to select news organizations? Why not publish that statement on its website, too? Were CBP executives caught unprepared and then rushed a haphazard response? When will the breach investigation report be released?

This is troubling. It suggests either arrogance or unpreparedness. As a taxpayer, my money funds CBP activities. I want to know that my money is being spent effectively.

Fourth, the lack of a detailed breach announcement means many related questions remain unanswered:

  • When will CBP notify affected persons? If the vendor will notify affected persons, then CBP must disclose the vendor's name in advance.
  • What assistance (e.g., free credit monitoring) will CBP provide affected persons?
  • What is the status of the post-breach investigation? It helps to know how attackers broke in so effective fixes can be implemented.
  • What other data elements were accessed/stolen? Metadata (e.g., image date and timestamp, border crossing GPS location, entering or exiting USA, vehicle brand and model, number and ages of any passengers in vehicles, etc.) attached to the images can be just as damaging.
  • Were any data elements encrypted? If not, why not?
  • Can facial images be matched to vehicle plate images, and/or to other data elements? If so, this creates more problems for impacted persons.
  • When will fixes be implemented so this doesn't happen again?
  • Exactly how many persons were affected, and in what states? Local states' breach notification laws may apply.
  • How many of the affected persons are U.S. citizens? If the 100,000 estimate applies to only affected U.S. citizens, then we need to know the true total number of persons impacted by the breach.
  • Does the 100,000 estimate refer to facial images only? If so, then exactly how many vehicle license plate images were disclosed?

The statement of "fewer than 100,000 persons impacted" seems vague. A breach investigation should determine two fairly precise items: the number of facial images accessed/stolen, and the number of license plate images accessed/stolen.

Plus, it seems wise to assume more data was stolen during the breach. Why? Consider this report by The Atlantic:

"I would be cautious about assuming this data breach contains only photo data," said Chad Loder, the CEO of Habitu8, a cybersecurity firm that trains other companies on security awareness. The full scope of the breach may be much larger than what CBP revealed in its original statement, he said. In recent years, CBP has asked travelers for fingerprints, facial data, and, recently, even social-media accounts. "If CBP’s contractor was targeted specifically, it’s unlikely that the attacker would have stopped with just photo data..."

If social media passwords were stolen, then affected persons need to know so they can change online passwords. And, elected officials are also asking questions. The Hill reported:

"House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) announced on Monday that his committee would hold hearings next month to examine the collection of biometric information by the Department of Homeland Security (DHS), which includes CBP... Homeland Security Committee ranking member Mike Rogers (R-Ala.), used the breach to criticize DHS’s handling of cybersecurity challenges, saying in a statement to The Hill that "the agency is ill-equipped to handle emerging cyberthreats"... Representative Cedric Richmond (D-La.), the chairman of the House Homeland Security subcommittee on cybersecurity, also called for more answers about the breach, which he said would inform Congress's next steps... Senator Brian Schatz (D-Hawaii), the ranking member of the Senate Commerce Subcommittee on Communications, Technology, Innovation and the Internet, said he thinks the breach merits an investigation by the Office of the Inspector General."

Good suggestion by Senator Schatz. Clearly, there's plenty more news to come. Plenty.


After Pleading Guilty To Continued Pollution And Trying To Hide It, Carnival Corporation Fined An Additional $20 Million Fine

[Editor's note: I'm back from my break. Thanks to readers for your patience. That break included a vacation on a different cruise line sailing from New Zealand to Canada via Polynesia, Tasmania, southern Australia, French Polynesia, and the Hawaiian Islands. So, this news story caught my attention.]

On Monday, Carnival Corporation acknowledged violating its probation terms from a 2016 pollution case. Government prosecutors fined the company an additional $20 million for the continuing violations. The New York Times reported:

"In 2016, Princess Cruise Lines agreed to pay a $40 million penalty for illegally dumping oil-contaminated waste into the sea and acts by employees to try to cover it up. It was the largest criminal penalty ever imposed for intentional vessel pollution... The new violations included discharging plastic into waters in the Bahamas, falsifying records and interfering with court supervision of ships... Vessel pollution is just one of the many human-caused hazards facing ocean life today. Ship traffic and noise can cause the death of sea creatures; marine animals routinely turn up dead with plastic in their stomachs; and rising sea temperatures, stemming from climate change caused by human activity, are destroying the framework of many ocean ecosystems."

Based in Miami, Carnival Corporation operates several cruise lines including Princess Cruises, Carnival Cruise Line, Holland America Line, P&O Cruises (UK), Cunard, Seabourn, AIDA Cruises (Germany), and Costa Cruises (Italy). It's website states a combined fleet of 102 ships with 19 new ships to be delivered between 2017 and 2022. The company employs about 120,000 people worldwide, and 11.5 million guests sail in its ship each year. In 2018, Carnival Corporation generated after-tax profits of $3.15 billion on revenues of $18.88 billion.

Government regulators focused upon the company after:

"... Princess agreed, in 2016, to plead guilty to felony charges and pay the hefty $40 million penalty. In that case... the Caribbean Princess ship, had used several means, including a device called a magic pipe, to circumvent water-cleaning mechanisms... Officials said that four other Princess ships had also been found to have engaged in illegal practices to discharge waste. The discharged waste included gray water — water that has been contaminated with food particles, grease and fat — and water found in the ship’s bilge, the bottom part of the ship where oil waste from engines can accumulate. A whistleblower employee alerted the authorities and certain engineers ordered a coverup, including directing subordinates to lie, according to prosecutors."

In an announcement on Monday, the U.S. Department of Justice (DOJ) listed in detail the violations by Carnival Corporation and its executives:

"1. Failing to establish a senior corporate officer as a corporate compliance manager with responsibility and sufficient authority for implementing new environmental measures required during probation;
2. Contacting the Coast Guard seeking to re-define the definition of what constitutes a major non-conformity under the ECP without going through the required process and after the government had rejected the proposal and told the company to file a motion with the court if it wanted to pursue the issue;
3. Deliberately falsifying environmental training records aboard two cruise ships; and
4. Deliberately discharging plastic in Bahamian waters from the Carnival Elation and failing to accurately record the illegal discharges. Prosecutors advised the Court that this particular instance was an example of a more widespread problem, identified by the external audits, in failing to segregate plastic and non-food garbage from waste thrown overboard from numerous cruise ships."

The DOJ announcement also listed the terms of the settlement agreement, which requires Carnival Corporation:

"i) Pay a $20 million criminal penalty;
ii) Issue a statement to all employees in which Carnival’s CEO accepts management’s responsibility for the probation violations;
iii) Restructure the company’s corporate compliance efforts, including appointing a new chief Corporate Compliance Officer, creating an Executive Compliance Committee across all cruise lines, adding a new member to the Board of Directors with corporate compliance expertise, and train its Board of Directors;
iv) Pay up to $10 million per day if it does not meet deadlines for submitting and implementing needed changes to its corporate structure;
v) Pay for 15 additional independent audits per year conducted by the third-party auditor and Court Appointed Monitor (on top of approximately 31 ship audits and 6 shore-side audits currently performed annually);
vi) Comply with new reporting requirements, including notifying the government and court of all future violations, and specifically identifying foreign violations and the country impacted; and
vii) Make major changes in how the company uses and disposes of plastic and other non-food waste to urgently address a problem on multiple vessels concerning illegal discharges of plastic mixed with other garbage."

Plus, Princess Cruise Line will remain on probation for three more years. The third-party auditor suggests that the court doesn't trust the company and its executives to accurately report progress and corrective actions toward the deadlines. That's good given the light fines (as a percentage of the company's profits).

Cruise customers have already shared their views. According to the Cruise Critic website:

"... SO DISAPPOINTED IN Carnival/Princess... NOT acceptable!!! I just went on a 12 day cruise on the Star Princess last month. I feel betrayed reading this. I had such a great time too. To intentionally break pollution laws means no integrity and shoddy business practice. I want to slap someone."
-- Marykay8

" Well now we know why they have increased some pricing, including some drink packages by 40%. Got to get more from the passengers to pay their fine. The customer always pays more in these scenarios."
-- KYwildcatfanone

"Let's hope this will finally get Carnival Corp. to ensure all of its ships adhere to environmental regulations. But in the big scheme of things, $20 million is just a minuscule amount on a company that had $3.2 billion in net income."
-- GeoHerb

More discussion by customers is available here. Clearly, cruise customers want the pollution stopped, executives held accountable, and the company to change its behavior.

A search of both the Carnival Corporation and Princess Cruises websites at press time failed to find any press releases or mention of the latest fine. The Miami Herald published a brief statement by Arnold Donald, the company's Chief Executive Officer, who appeared in court:

"Donald spoke on behalf of Carnival Corp. "I sincerely regret this case," he said. "In my role as CEO I do take responsibility for the problems we have. I am extremely disappointed that we’ve had them. I know you have reservations about our commitment and who we are. I want you to know we are fully committed." Donald was the only executive who spoke at the hearing."

Fully committed? The proof will be in the company's future actions -- not words -- to fully, consistently, and faithfully comply with the latest settlement agreement and clean up its pollution mess. Will it? What action will the board of directors take? Which executives will be disciplined? Which senior executives will resign? Will more whistle blowers come forward? Lots more news to come.


Popular iOS Apps Record All In-App Activity Causing Privacy, Data Security, And Other Issues

As the internet has evolved, the user testing and market research practices have also evolved. This may surprise consumers. TechCrunch reported that many popular Apple mobile apps record everything customers do with the apps:

"Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allows developers to embed “session replay” technology into their apps. These session replays let app developers record the screen and play them back to see how its users interacted with the app to figure out if something didn’t work or if there was an error. Every tap, button push and keyboard entry is recorded — effectively screenshotted — and sent back to the app developers."

So, customers' entire app sessions and activities have been recorded. Of course, marketers need to understand their customers' needs, and how users interact with their mobile apps, to build better products, services, and apps. However, in doing so some apps have security vulnerabilities:

"The App Analyst... recently found Air Canada’s iPhone app wasn’t properly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles."

Not good for a couple reasons. First, sensitive data like payment information (e.g., credit/debit card numbers, passport numbers, bank account numbers, etc.) should be masked. Second, when sensitive information isn't masked, more data security problems arise. How long is this app usage data archived? What employees, contractors, and business partners have access to the archive? What security methods are used to protect the archive from abuse?

In short, unauthorized persons may have access to the archives and the sensitive information contained. For example, market researchers probably have little or no need to specific customers' payment information. Sensitive information in these archives should be encrypted, to provide the best protection from abuse and from data breaches.

Sadly, there is more bad news:

"Apps that are submitted to Apple’s App Store must have a privacy policy, but none of the apps we reviewed make it clear in their policies that they record a user’s screen... Expedia’s policy makes no mention of recording your screen, nor does Hotels.com’s policy. And in Air Canada’s case, we couldn’t spot a single line in its iOS terms and conditions or privacy policy that suggests the iPhone app sends screen data back to the airline. And in Singapore Airlines’ privacy policy, there’s no mention, either."

So, the app session recordings were done covertly... without explicit language to provide meaningful and clear notice to consumers. I encourage everyone to read the entire TechCrunch article, which also includes responses by some of the companies mentioned. In my opinion, most of the responses fell far short with lame, boilerplate statements.

All of this is very troubling. And, there is more.

The TechCrunch article didn't discuss it, but historically companies hired testing firms to recruit user test participants -- usually current and prospective customers. Test participants were paid for their time. (I know because as a former user experience professional I conducted such in-person test sessions where clients paid test participants.) Things have changed. Not only has user testing and research migrated online, but companies use automated tools to perform perpetual, unannounced user testing -- all without compensating test participants.

While change is inevitable, not all change is good. Plus, things can be done in better ways. If the test information is that valuable, then pay test participants. Otherwise, this seems like another example of corporate greed at consumers' expense. And, it's especially egregious if data transmissions of the recorded app sessions to developers' servers use up cellular data plan capacity consumers paid for. Some consumers (e.g., elders, children, the poor) cannot afford the costs of unlimited cellular data plans.

After this TechCrunch report, Apple notified developers to either stop or disclose screen recording:

"Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity... We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary..."

Good. That's a start. Still, user testing and market research is not a free pass for developers to ignore or skip data security best practices. Given these covert recorded app sessions, mobile apps must be continually tested. Otherwise, some ethically-challenged companies may re-introduce covert screen recording features. What are your opinions?


Marriott Lowered The Number Of Guests Affected By Its Data Breach. Class Action Lawsuits Filed

Marriott International logo Important updates about the gigantic Marriott-Starwood data breach. The incident received more attention after security experts said that China's intelligence agencies may have been behind the cyberattack, which also targeted healthcare insurance companies.

Earlier this month, Marriott announced a lower number of guests affected:

"Working closely with its internal and external forensics and analytics investigation team, Marriott determined that the total number of guest records involved in this incident is less than the initial disclosure... Marriott now believes that the number of potentially involved guests is lower than the 500 million the company had originally estimated [in November, 2018]. Marriott has identified approximately 383 million records as the upper limit for the total number of guest records that were involved...

The announcement also said that fewer than 383 million different persons were affected because its database contained multiple records for the same guests. The announcement also stated that about:

"... 5.25 million unencrypted passport numbers were included in the information accessed by an unauthorized third party. The information accessed also includes approximately 20.3 million encrypted passport numbers... Marriott now believes that approximately 8.6 million encrypted payment cards were involved in the incident. Of that number, approximately 354,000 payment cards were unexpired as of September 2018..."

This is mixed news. Fewer breach victims is good news. The bad news: multiple database records for the same guests, and unencrypted passport numbers. Better, stronger data security always includes encrypting sensitive information. The announcement did not explain why some data was encrypted and some wasn't.

The hotel chain said that it will terminate its Starwood reservations database at the end of the year, and continue its post-breach investigation:

"While the payment card field in the data involved was encrypted, Marriott is undertaking additional analysis to see if payment card data was inadvertently entered into other fields and was therefore not encrypted. Marriott believes that there may be a small number (fewer than 2,000) of 15-digit and 16-digit numbers in other fields in the data involved that might be unencrypted payment card numbers. The company is continuing to analyze these numbers to better understand if they are payment card numbers and, if they are payment card numbers, the process it will put in place to assist guests."

Also, the hotel chain admitted during its January 4th announcement that it still wasn't fully ready to help affected guests:

"Marriott is putting in place a mechanism to enable its designated call center representatives to refer guests to the appropriate resources to enable a look up of individual passport numbers to see if they were included in this set of unencrypted passport numbers. Marriott will update its designated website for this incident (https://info.starwoodhotels.com) when it has this capability in place."

In related news, about 150 former guests have sued Marriott. Vox reported that a class-action lawsuit:

"... was filed Maryland federal district court on January 9, claims that Marriott did not adequately protect guest information before the breach and, once the breach had been discovered, “failed to provide timely, accurate, and adequate notice” to guests whose information may have been obtained by hackers... According to the suit, Marriott’s purchase of the Starwood properties is part of the problem. “This breach had been going on since 2014. In conducting due diligence to acquire Starwood, Marriott should have gone through and done an accounting of the cybersecurity of Starwood,” Amy Keller, an attorney at DiCello Levitt & Casey who is representing the Marriott guests, told Vox... According to a December report by the Wall Street Journal, Marriott could have caught the breach years earlier."

At least one other class-action lawsuit has been filed by breach victims.


Gigantic Data Breach At Marriott International Affects 500 Million Customers. Plenty Of Questions Remain

Marriott International logo A gigantic data breach at Marriott International affects about 500 million customers who have stayed at its Starwood network of hotels in the United States, Canada, and the United Kingdom. Marriott International announced the data breach on Friday, November 30th, and set up a website for affected Starwood guests.

According to its breach announcement, an "internal security tool" discovered the breach on September 8, 2018. The initial data breach investigation determined that unauthorized persons accessed its registration database as far back as 2014, and had both copied and encrypted information before removing it. Marriott engaged security experts, the information was partially decrypted on November 19, 2018, and the global hotel chain determined that the information was from its Starwood guest reservation database.

Starwood Preferred Guest logo The Starwood hotels network includes brands such as W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Le Méridien Hotels & Resorts, Four Points by Sheraton, and more. Marriott has not finished decrypting all information, so there may be future updates from the breach investigation.

For 327 million guests, the personal data items stolen included a combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some guests, the information stolen also included payment card numbers and payment card expiration dates. While Marriott said the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128), its warned that it doesn't yet know if the encryption keys (needed to decrypt payment information) were also stolen.

For 173 million guests, fewer personal data items were stolen included, "name and sometimes other data such as mailing address, email address, or other information." Marriott International said its Marriott-branded hotels were not affected since they use a different reservations database on a different server.

Marriott said it has notified law enforcement, is working with law enforcement, and has begun to notify affected guests via email. The hotel chain will offer affected guests in select countries one year of free enrollment in the WebWatcher program which, "monitors internet sites where personal information is shared and  an alert to the consumer if evidence of the consumer’s personal information is found." WebWatcher will not be offered to all affected guests. Eligible guests should read the fine print, which the Starwood breach site summarized:

"Due to regulatory and other reasons, WebWatcher or similar products are not available in all countries. For residents of the United States, enrolling in WebWatcher also provides you with two additional benefits: (1) a Fraud Loss Reimbursement benefit, which reimburses you for out-of-pocket expenses totaling up to $1 million in covered legal costs and expenses for any one stolen identity event. All coverage is subject to the conditions and exclusions in the policy; and (2) unlimited access to consultation with a Kroll fraud specialist. Consultation support includes showing you the most effective ways to protect your identity, explaining your rights and protections under the law, assistance with fraud alerts, and interpreting how personal information is accessed and used..."

The seriousness of this data breach cannot be overstated. First, it went undetected for a very long time. Marriott needs to explain that and the changes it will implement with an improved "internal security tool" so this doesn't happen again. Second, 500 million is an awful lot of affected customers. An awful lot. Third, breach CNN Business reported:

"Because the hack involves customers in the European Union and the United Kingdom, the company might be in violation of the recently enacted General Data Protection Regulation (GDPR). Mark Thompson, the global lead for consulting company KPMG's Privacy Advisory Practice, told CNN Business that hefty GDPR penalties will potentially be slapped on the company. "The size and scale of this thing is huge," he said, adding that it's going to take several months for (EU) regulators to investigate the breach."

Fourth, the data items stolen are sufficient to cause plenty of damage. Security experts advise affected customers to change their Starwood passwords, check the answers.Kroll.com breach site next week to see if their information was compromised/stolen, sign up for credit monitoring (if they don't already have it), watch their payment or bank accounts for fraudulent entries, and consider an early renewal if your passport number was compromised/stolen. Fifth, companies usually arrange free credit monitoring for breach victims for one or two years. So far, Marriott hasn't done this. Maybe it will. If not, Marriott needs to explain why.

Sixth, breach notification of affected guests via email seems sketchy... like Marriott is trying to cut corners and costs. History is littered with numerous examples of skilled spammers and cybercriminals using faked or spoofed email to trick consumers into revealing sensitive personal and payment information. It will be interesting to see how Marriott's breach notification via email works and manages this threat.

Seventh, lawsuits and other investigations have already begun. ZDNet reported:

"... two Oregon men sued international hotel chain Marriott for exposing their data. Their lawsuit was followed hours later by another one filed in the state of Maryland. Both lawsuits seek class-action status. While plaintiffs in the Maryland lawsuit didn't specify the amount of damages they were seeking from Marriott, the plaintiffs in the Oregon lawsuit want $12.5 billion in costs and losses. his should equate to $25 for each of the 500 million users who had their personal data stolen from Marriott's serv ers... The Maryland lawsuit was filed by Baltimore law firm Murphy, Falcon & Murphy..."

Bloomberg BNA announced:

"The Massachusetts, New York and Illinois state attorneys general quickly announced they would examine the hack. Connecticut George Jepsen (D) is also looking into the matter, a spokesman told Bloomberg Law."

Eighth, the breach site's website address unnecessarily vague: answers.kroll.com. Frankly, a website address like "starwood-breach.kroll.com" or "marriott-breach.kroll.com" would have been better. (The combination of email notification and vague website name seems eerily similar to the post-breach clusterf--k by Equifax's poorly implemented breach site.) Maybe this vague address was a temporary quick fix, and Marriott will host a comprehensive breach-status site later on one of its servers. That would be better and clearer for affected customers, who probably are unfamiliar with Kroll. Readers of this blog probably first encountered Kroll after IBM Inc. contracted it to help implement IBM's post-breach response in 2007.

The Starwood breach notice appears within the news section of Marriott.com site. Also, Marriott's post-breach notice included overlays on both the home page and the Starwood landing page within the Marriott.com site. This is a good start, but a better implementation would insert a link directly into the webpages, since the overlays don't render well in all browsers on all devices. (Marriott: you did test this before deployment?) Example: people with pop-up blockers may miss the breach notice in the overlays. And, a better implementation would link to the news story's detail page within the Marriott.com site -- not directly to the vague answers.kroll.com site.

Last, some questions remain about the post-breach response:

  • Why email notices to breach victims? Hopefully, there are more reasons than simply saving postal mailing costs.
  • Why no credit monitoring offers to breach victims?
  • What data in the Starwood reservations database was altered by the attackers? That data was encrypted by the attackers suggests that the attackers had sufficient time, resources, and skills to modify or alter database records. Marriott needs to explain what it is doing about this.
  • When will Marriott host a breach site on one of its servers? No doubt, there will be follow-up news, more questions by breach victims, and breach investigation updates. A dedicated breach site on one of its servers seems best. Leaning too much on Kroll is not good.
  • Why did the intrusion go undetected for so long? Marriott needs to explain this and the post-breach fix so guests are reassured it won't happen again.
  • Is the main Marriott reservations database also vulnerable? Guests for other brands weren't affected since a separate reservations database was used. Maybe this is because the main Marriott reservations database and server are better protected, or cybercriminals haven't attacked it (yet). Guests deserve comprehensive answers.
  • Why the website overlaps/pop-ups and not static links?
  • What changes (e.g., software upgrades, breach detection tools, employee training, etc.) will be implemented so this doesn't happen again?

Having blogged about data breaches for 11+ years, these types of questions often arise. None are unreasonable questions. Answers will help guests feel comfortable with using Starwood hotels. Plus, Marriott has an obligation to fully inform guests directly at its website, and not lean on Kroll. What do you think?


When Fatal Crashes Can't Be Avoided, Who Should Self-Driving Cars Save? Or Sacrifice? Results From A Global Survey May Surprise You

Experts predict that there will be 10 million self-driving cars on the roads by 2020. Any outstanding issues need to be resolved before then. One outstanding issue is the "trolley problem" - a situation where a fatal vehicle crash can not be avoided and the self-driving car must decide whether to save the passenger or a nearby pedestrian. Ethical issues with self-driving cars are not new. There are related issues, and some experts have called for a code of ethics.

Like it or not, the software in self-driving cars must be programmed to make decisions like this. Which person in a "trolley problem" should the self-driving car save? In other words, the software must be programmed with moral preferences which dictate which person to sacrifice.

The answer is tricky. You might assume: always save the driver, since nobody would buy self-driving car which would kill their owners. What if the pedestrian is crossing against a 'do not cross' signal within a crosswalk? Does the answer change if there are multiple pedestrians in the crosswalk? What if the pedestrians are children, elders, or pregnant? Or a doctor? Does it matter if the passenger is older than the pedestrians?

To understand what the public wants -- expects -- in self-driving cars, also known as autonomous vehicles (AV), researchers from MIT asked consumers in a massive, online global survey. The survey included 2 million people from 233 countries. The survey included 13 accident scenarios with nine varying factors:

  1. "Sparing people versus pets/animals,
  2. Staying on course versus swerving,
  3. Sparing passengers versus pedestrians,
  4. Sparing more lives versus fewer lives,
  5. Sparing men versus women,
  6. Sparing the young versus the elderly,
  7. Sparing pedestrians who cross legally versus jaywalking,
  8. Sparing the fit versus the less fit, and
  9. Sparing those with higher social status versus lower social status."

Besides recording the accident choices, the researchers also collected demographic information (e.g., gender, age, income, education, attitudes about religion and politics, geo-location) about the survey participants, in order to identify clusters: groups, areas, countries, territories, or regions containing people with similar "moral preferences."

Newsweek reported:

"The study is basically trying to understand the kinds of moral decisions that driverless cars might have to resort to," Edmond Awad, lead author of the study from the MIT Media Lab, said in a statement. "We don't know yet how they should do that."

And the overall findings:

"First, human lives should be spared over those of animals; many people should be saved over a few; and younger people should be preserved ahead of the elderly."

These have implications for policymakers. The researchers noted:

"... given the strong preference for sparing children, policymakers must be aware of a dual challenge if they decide not to give a special status to children: the challenge of explaining the rationale for such a decision, and the challenge of handling the strong backlash that will inevitably occur the day an autonomous vehicle sacrifices children in a dilemma situation."

The researchers found regional differences about who should be saved:

"The first cluster (which we label the Western cluster) contains North America as well as many European countries of Protestant, Catholic, and Orthodox Christian cultural groups. The internal structure within this cluster also exhibits notable face validity, with a sub-cluster containing Scandinavian countries, and a sub-cluster containing Commonwealth countries.

The second cluster (which we call the Eastern cluster) contains many far eastern countries such as Japan and Taiwan that belong to the Confucianist cultural group, and Islamic countries such as Indonesia, Pakistan and Saudi Arabia.

The third cluster (a broadly Southern cluster) consists of the Latin American countries of Central and South America, in addition to some countries that are characterized in part by French influence (for example, metropolitan France, French overseas territories, and territories that were at some point under French leadership). Latin American countries are cleanly separated in their own sub-cluster within the Southern cluster."

The researchers also observed:

"... systematic differences between individualistic cultures and collectivistic cultures. Participants from individualistic cultures, which emphasize the distinctive value of each individual, show a stronger preference for sparing the greater number of characters. Furthermore, participants from collectivistic cultures, which emphasize the respect that is due to older members of the community, show a weaker preference for sparing younger characters... prosperity (as indexed by GDP per capita) and the quality of rules and institutions (as indexed by the Rule of Law) correlate with a greater preference against pedestrians who cross illegally. In other words, participants from countries that are poorer and suffer from weaker institutions are more tolerant of pedestrians who cross illegally, presumably because of their experience of lower rule compliance and weaker punishment of rule deviation... higher country-level economic inequality (as indexed by the country’s Gini coefficient) corresponds to how unequally characters of different social status are treated. Those from countries with less economic equality between the rich and poor also treat the rich and poor less equally... In nearly all countries, participants showed a preference for female characters; however, this preference was stronger in nations with better health and survival prospects for women. In other words, in places where there is less devaluation of women’s lives in health and at birth, males are seen as more expendable..."

This is huge. It makes one question the wisdom of a one-size-fits-all programming approach by AV makers wishing to sell cars globally. Citizens in clusters may resent an AV maker forcing its moral preferences upon them. Some clusters or countries may demand vehicles matching their moral preferences.

The researchers concluded (emphasis added):

"Never in the history of humanity have we allowed a machine to autonomously decide who should live and who should die, in a fraction of a second, without real-time supervision. We are going to cross that bridge any time now, and it will not happen in a distant theatre of military operations; it will happen in that most mundane aspect of our lives, everyday transportation. Before we allow our cars to make ethical decisions, we need to have a global conversation to express our preferences to the companies that will design moral algorithms, and to the policymakers that will regulate them... Our data helped us to identify three strong preferences that can serve as building blocks for discussions of universal machine ethics, even if they are not ultimately endorsed by policymakers: the preference for sparing human lives, the preference for sparing more lives, and the preference for sparing young lives. Some preferences based on gender or social status vary considerably across countries, and appear to reflect underlying societal-level preferences..."

And the researchers advised caution, given this study's limitations (emphasis added):

"Even with a sample size as large as ours, we could not do justice to all of the complexity of autonomous vehicle dilemmas. For example, we did not introduce uncertainty about the fates of the characters, and we did not introduce any uncertainty about the classification of these characters. In our scenarios, characters were recognized as adults, children, and so on with 100% certainty, and life-and-death outcomes were predicted with 100% certainty. These assumptions are technologically unrealistic, but they were necessary... Similarly, we did not manipulate the hypothetical relationship between respondents and characters (for example, relatives or spouses)... Indeed, we can embrace the challenges of machine ethics as a unique opportunity to decide, as a community, what we believe to be right or wrong; and to make sure that machines, unlike humans, unerringly follow these moral preferences. We might not reach universal agreement: even the strongest preferences expressed through the [survey] showed substantial cultural variations..."

Several important limitations to remember. And, there are more. It didn't address self-driving trucks. Should an AV tractor-trailer semi  -- often called a robotruck -- carrying $2 million worth of goods sacrifice its load (and passenger) to save one or more pedestrians? What about one or more drivers on the highway? Does it matter if the other drivers are motorcyclists, school buses, or ambulances?

What about autonomous freighters? Should an AV cargo ship be programed to sacrifice its $80 million load to save a pleasure craft? Does the size (e.g., number of passengers) of the pleasure craft matter? What if the other craft is a cabin cruiser with five persons? Or a cruise ship with 2,000 passengers and a crew of 800? What happens in international waters between AV ships from different countries programmed with different moral preferences?

Regardless, this MIT research seems invaluable. It's a good start. AV makers (e.g., autos, ships, trucks) need to explicitly state what their vehicles will (and won't do). Don't hide behind legalese similar to what exists today in too many online terms-of-use and privacy policies.

Hopefully, corporate executives and government policymakers will listen, consider the limitations, demand follow-up research, and not dive headlong into the AV pool without looking first. After reading this study, it struck me that similar research would have been wise before building a global social media service, since people in different countries or regions having varying preferences with online privacy, sharing information, and corporate surveillance. What are your opinions?


Uber To Pay $148 Million To Settle Lawsuits And Coverup From Its 2016 Data Breach

Uber logo California-based Uber Technologies, Inc. has agreed to pay $148 million to settle lawsuits by several states' attorneys general regarding the ride-sharing service's massive data breach in 2016 where hackers stole information about 57 million Uber customers and drivers worldwide, including 600,000 U.S. driver's license numbers. The breach problems were compounded by allegations that Uber paid the hackers $100,000 for their silence, and by the company's failure to notify both state agencies and affected consumers about the breach.

Josh Shapiro, the Attorney General (AG) for the State of Pennsylvania, announced on the Wednesday the settlement agreement including a coalition of 51 state AGs:

"In November 2016, Uber learned that hackers had gained access to some personal information Uber maintains about its drivers, including drivers’ license information for about 600,000 drivers nationwide. Instead of reporting the breach to law enforcement and impacted individuals, Uber tracked down the hackers and obtained assurances that the hackers deleted the information – and made payments to ensure their silence... Since some of the compromised information – specifically driver’s license numbers – is considered personally identifiable information (PII), Uber was required to notify impacted individuals under the Pennsylvania Breach of Personal Information Notification Act. However, Uber failed to report the breach until November 2017."

13,500 Uber drivers in Pennsylvania were affected by the breach. Pennsylvania's share of the total payment is $5.7 million. Each Uber driver in Pennsylvania will receive $100.

48 states have data breach notification laws requiring various levels of notifications to both state officials and affected consumers, who need notice in order to take action to protect themselves and their sensitive personal and payment information.

Massachusetts' share of the total payment is $7.1 million, of which $6.5 million will be distributed to the Commonwealth’s General fund and $600,000 will be used to assist consumers and businesses. Massachusetts AG Maura Healey said:

"Uber failed to immediately report this data breach and tried to pay hush money to hackers. This settlement should be a lesson to other businesses that consumers have a right to know when their personal information has been compromised."

California's share of the total payment is $26 million. California AG  Xavier Becerra said:

"Uber’s decision to cover up this breach was a blatant violation of the public’s trust. The company failed to safeguard user data and notify authorities when it was exposed. Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law. Companies in California and throughout the nation are entrusted with customers’ valuable private information. This settlement broadcasts to all of them that we will hold them accountable to protect their data."

San Francisco District Attorney George Gascon said:

"We wholeheartedly support innovative business models, but new ways of engaging in business cannot come at the expense of public safety or consumer privacy. This settlement today demonstrates what happens when all of us in law enforcement work together. My office will continue to collaborate closely with the Attorney General to protect consumers both in San Francisco, and the rest of California."

Terms of the settlement agreement require Uber and its executives to:

"1. Implement and maintain robust data security practices.
2. Comply with state laws in connection with its collection, maintenance, and safeguarding of personal information, as well as reporting of data security incidents.
3. Accurately and honestly represent data security and privacy practices to better ensure transparency in how the company’s driver and customer information is safeguarded.
4. Develop, implement, and maintain a comprehensive information security program with an executive officer who advises key executive staff and Uber’s Board of Directors.
5. Report any data security incidents to states on a quarterly basis for two years.
6. Maintain a Corporate Integrity Program that includes a hotline to report misconduct, quarterly reports to the board, implementation of privacy principles, and an annual code of conduct training".

Uber and its executives have a long history of sketchy behavior including the 'Greyball' worldwide program by executives to thwart code enforcement inspections by governments, dozens of employees fired or investigated for sexual harassment, a lawsuit describing how the company's mobile app allegedly scammed both riders and drivers, and privacy abuses with the 'God View' tool.

This breach settlement is another reminder that Uber and its executives deserve close monitoring and supervision.


San Diego Police Widely Share Data From License Plate Database

Images of ALPR device mounted on a patrol car. Click to view larger version Many police departments use automated license plate reader (ALPR or LPR) technology to monitor the movements of drivers and their vehicles. The surveillance has several implications beyond the extensive data collection.

The Voice of San Diego reported that the San Diego Police Departments shares its database of ALPR data with many other agencies:

"SDPD shares that database with the San Diego sector of Border Patrol – and with another 600 agencies across the country, including other agencies within the Department of Homeland Security. The nationwide database is enabled by Vigilant Solutions, a private company that provides data management and software services to agencies across the country for ALPR systems... A memorandum of understanding between SDPD and Vigilant stipulates that each agency retains ownership of its data, and can take steps to determine who sees it. A Vigilant Solutions user manual spells out in detail how agencies can limit access to their data..."

San Diego's ALPR database is fed by a network of cameras which record images plus the date, time and GPS location of the cars that pass by them. So, the associated metadata for each database record probably includes the license plate number, license plate state, vehicle owner, GPS location, travel direction, date and time, road/street/highway name or number, and the LPR device ID number.

Information about San Diego's ALPR activities became public after a data request from the Electronic Frontier Foundation (EFF), a digital privacy organization. ALPRs are a popular tool, and were used in about 38 states in 2014. Typically, the surveillance collects data about both criminals and innocent drivers.

Images of ALPR devices mounted on unmarked patrol cars. Click to view larger version There are several valid applications: find stolen vehicles, find stolen license plates, find wanted vehicles (e.g., abductions), execute search warrants, find parolees, and find wanted parolees. Some ALPR devices are stationary (e.g., mounted on street lights), while others are mounted on (marked and unmarked) patrol cars. Both deployments scan moving vehicles, while the latter also facilitates the scanning of parked vehicles.

Earlier this year, the EFF issued hundreds of similar requests across the country to learn how law enforcement currently uses ALPR technology. The ALPR training manual for the Elk Grove, Illinois PD listed the data archival policies for several states: New Jersey - 5 years, Vermont - 18 months, Utah - 9 months,  Minnesota - 48 hours, Arkansas - 150 days, New Hampshire - not allowed, and California - no set time. The document also stated that more than "50 million captures" are added each month to the Vigilant database. And, the Elk Grove PD seems to broadly share its ALPR data with other police departments and agencies.

The SDPD website includes a "License Plate Recognition: Procedures" document (Adobe PDF), dated May 2015, which describes its ALPR usage and policies:

"The legitimate law enforcement purposes of LPR systems include the following: 1) Locating stolen, wanted, or subject of investigation vehicles; 2) Locating witnesses and victims of a violent crime; 3) Locating missing or abducted children and at risk individuals.

LPR Strategies: 1) LPR equipped vehicles should be deployed as frequently as possible to maximize the utilization of the system; 2) Regular operation of LPR should be considered as a force multiplying extension of an officer’s regular patrol efforts to observe and detect vehicles of interest and specific wanted vehicles; 3) LPR may be legitimately used to collect data that is within public view, but should not be used to gather intelligence of First Amendment activities; 4) Reasonable suspicion or probable cause is not required for the operation of LPR equipment; 5) Use of LPR equipped cars to conduct license plate canvasses and grid searches is encouraged, particularly for major crimes or incidents as well as areas that are experiencing any type of crime series... LPR data will be retained for a period of one year from the time the LPR record was captured by the LPR device..."

The document does not describe its data security methods to protect this sensitive information from breaches, hacks, and unauthorized access. Perhaps most importantly, the 2015 SDPD document describes the data sharing policy:

"Law enforcement officers shall not share LPR data with commercial or private entities or individuals. However, law enforcement officers may disseminate LPR data to government entities with an authorized law enforcement or public safety purpose for access to such data."

However, the Voice of San Diego reported:

"A memorandum of understanding between SDPD and Vigilant stipulates that each agency retains ownership of its data, and can take steps to determine who sees it. A Vigilant Solutions user manual spells out in detail how agencies can limit access to their data... SDPD’s sharing doesn’t stop at Border Patrol. The list of agencies with near immediate access to the travel habits of San Diegans includes law enforcement partners you might expect, like the Carlsbad Police Department – with which SDPD has for years shared license plate reader data, through a countywide arrangement overseen by SANDAG – but also obscure agencies like the police department in Meigs, Georgia, population 1,038, and a private group that is not itself a police department, the Missouri Police Chiefs Association..."

So, the accuracy of the 2015 document is questionable, it it isn't already obsolete. Moreover, what's really critical are the data retention and sharing policies by Vigilant and other agencies.


Report: Software Failure In Fatal Accident With Self-Driving Uber Car

TechCrunch reported:

"The cause of the fatal crash of an Uber self-driving car appears to have been at the software level, specifically a function that determines which objects to ignore and which to attend to, The Information reported. This puts the fault squarely on Uber’s doorstep, though there was never much reason to think it belonged anywhere else.

Given the multiplicity of vision systems and backups on board any given autonomous vehicle, it seemed impossible that any one of them failing could have prevented the car’s systems from perceiving Elaine Herzberg, who was crossing the street directly in front of the lidar and front-facing cameras. Yet the car didn’t even touch the brakes or sound an alarm. Combined with an inattentive safety driver, this failure resulted in Herzberg’s death."

The TechCrunch story provides details about which software subsystem the report said failed.

Not good.

So, the autonomous or self-driving cars are only as good as the software they're programmed with (including maintenance). Anyone who has used computers during the last couple decades probably has experienced software glitches, bugs, and failures. It happens.

This latest incident suggests self-driving cars aren't yet ready. what do you think?


Airlines Want To Extend 'Dynamic Pricing' Capabilities To Set Ticket Prices By Each Person

In the near future, what you post on social media sites (e.g., Facebook, Instagram, Pinterest, etc.) could affect the price you pay for airline tickets. How's that?

First, airlines already use what the travel industry calls "dynamic pricing" to vary prices by date, time of day, and season. We've all seen higher ticket prices during the holidays and peak travel times. The Telegraph UK reported that airlines want to extend dynamic pricing to set fares by person:

"... the advent of setting fares by the person, rather than the flight, are fast approaching. According to John McBride, director of product management for PROS, a software provider that works with airlines including Lufthansa, Emirates and Southwest, a number of operators have already introduced dynamic pricing on some ticket searches. "2018 will be a very phenomenal year in terms of traction," he told Travel Weekly..."

And, there was a preliminary industry study about how to do it:

" "The introduction of a Dynamic Pricing Engine will allow an airline to take a base published fare that has already been calculated based on journey characteristics and broad segmentation, and further adjust the fare after evaluating details about the travelers and current market conditions," explains a white paper on pricing written by the Airline Tariff Publishing Company (ATPCO), which counts British Airways, Delta and KLM among its 430 airline customers... An ATPCO working group met [in late February] to discuss dynamic pricing, but it is likely that any roll out to its customers would be incremental."

What's "incremental" mean? Experts say first step would be to vary ticket prices in search results at the airline's site, or at an intermediary's site. There's virtually no way for each traveler to know they'd see a personal price that's higher (or lower) from prices presented to others.

With dynamic pricing per person, business travelers would pay more. And, an airline could automatically bundle several fees (e.g., priority boarding, luggage, meals, etc.) for its loyalty program members into each person's ticket price, obscuring transparency and avoiding fairness. Of course, airlines would pitch this as convenience, but alert consumers know that any convenience always has its price.

Thankfully, some politicians in the United States are paying attention. The Shear Social Media Law & Technology blog summarized the situation very well:

"[Dynamic pricing by person] demonstrates why technology companies and the data collection industry needs greater regulation to protect the personal privacy and free speech rights of Americans. Until Silicon Valley and data brokers are properly regulated Americans will continue to be discriminated against based upon the information that technology companies are collecting about us."

Just because something can be done with technology, doesn't mean it should be done. What do you think?


The United States Has A Problem: Declining Foreign Visitors

Visit-usa-coalition-figure1
The United States has a problem: the number of international visitors is declining. What are companies doing to counter this, lost revenues, and other negative impacts? Bloomberg reported (bold emphasis added):

"... 10 business associations, including the U.S. Chamber of Commerce and the National Restaurant Association, have created a travel industry group aimed at reversing the growing unpopularity of the U.S. as a vacation destination. So [last week], some of its biggest players unveiled the "Visit U.S. Coalition" to spur the Trump administration into enacting friendlier visa and border-security policies at a time when federal agencies are doing the opposite... Since 2015, the U.S. and Turkey have been the only places among the top dozen global travel destinations to experience a decline in inbound visitors, a time when other nations such as Australia, Canada, China and the United Kingdom have marked sizable gains..."

Visit-usa-coaltion-figure3Foreign visitors spend their travel money here, which helps businesses in the USA. The amount of the travel decline is measurable:

"... the Commerce Department reported a 3.3 percent drop in traveler spending for last year, through November, the equivalent of $4.6 billion in losses and 40,000 jobs. The U.S. share of international long-haul travel fell to 11.9 percent last year, from 13.6 percent in 2015, according to the U.S. Travel Association, a slippage the group said equates to 7.4 million visitors and $32.2 billion in spending."

According to its website, the Visit U.S. Coalition includes the following founding members: American Gaming Association, American Hotel & Lodging Association, American Society of Association Executives, Asian American Hotel Owners Association, International Association of Exhibitions and Events, National Restaurant Association, National Retail Federation, Society of Independent Show Organizers, the U.S. Chamber of Commerce, and the U.S. Travel Association.

What does this mean? What might the consequences be?

First, if the foreign tourism decline continues, experience tells us that after prolonged revenue losses, affected industries (e.g., hotels, transportation, restaurants, retail shopping, etc.) and companies will layoff or terminate workers. Not good for workers. Not good for the United States economy.

Second, it's great that several companies have organized together into groups... trade associations for several industries; and then several trade associations organized into a coalition... what you might call an uber-trade association... to highlight their concerns, remain competitive, and advocate for their interests. You'd expect any administration which promised to be pro-business would listen these concerns.

Third, the freedom to organize is an important part of a democracy, and a competitive marketplace. Workers want this freedom, too. Sadly, too many corporate executives and politicians deny workers the same freedoms they want their businesses to enjoy. You've probably heard the claim: "corporations are people, my friend." I guess they are a special class of people with more freedom than flesh-and-blood persons.

What do you think of the foreign visitor travel decline?


Royal Caribbean Cruise Line And CPP-The Myers-Briggs Offer Travel Personality Quiz

Inc. Magazine warned in 2016, "ready or not, companies will soon be tracking your emotions." Most Facebook users already knows this. Also in 2016, the social networking site expanded several reaction buttons beyond its (in)famous "Like" button to cover several emotions (e.g., "Love," "Haha," "Wow," "Sad," "Angry"):

Facebook-emotions-buttons

Maybe you have used these reaction buttons. Companies do this because effective marketing appeals to emotions instead of reason.

Now, a popular cruise line has taken things a step further. Cruise Critic, a popular travel site, announced:

"... Royal Caribbean has teamed up with CPP-The Myers-Briggs Company to launch a quiz that offers cruise recommendations based on your personality type. The assessment tool, found on MyAdventurePersonality.com, asks users 13 questions as they pertain to personal behavior and preferences... Once the results are calculated, users will be designated a travel personality type, such as Expert Adventure Planner, Laidback Wanderer and Spontaneous Sightseer. They also will receive an itinerary recommendation best suited for their type, with planning tips."

What is the Myers'Briggs assessment tool? The Myers-Briggs Foundation site explains:

"The purpose of the Myers-Briggs Type Indicator® (MBTI®) personality inventory is to make the theory of psychological types described by C. G. Jung understandable and useful in people's lives. The essence of the theory is that much seemingly random variation in the behavior is actually quite orderly and consistent, being due to basic differences in the ways individuals prefer to use their perception and judgment... In developing the Myers-Briggs Type Indicator [instrument], the aim of Isabel Briggs Myers, and her mother, Katharine Briggs, was to make the insights of type theory accessible to individuals and groups... The identification of basic preferences of each of the four dichotomies specified or implicit in Jung's theory. The identification and description of the 16 distinctive personality types that result from the interactions among the preferences."

Indeed, this assessment tool became very accessible. The Seattle Times reported in 2013:

"Chances are you’ve taken the Myers-Briggs Type Indicator (MBTI), or will. Roughly 2 million people a year do. It has become the gold standard of psychological assessments, used in businesses, government agencies and educational institutions... More than 10,000 companies, 2,500 colleges and universities and 200 government agencies in the United States use the test... It’s estimated that 50 million people have taken the Myers-Briggs personality test since the Educational Testing Service first added the research to its portfolio in 1962... Organizations administer the MBTI assessment to employees in one of two ways. They either pay for someone in their human-resources department to become certified, then pay the materials costs each time employees take the test. Or, they contract with certified, independent training consultants or leadership coaches."

Selected questions from the MyAdventurePersonality site. Click to view larger version The travel quiz uses different and fewer (13 versus ~ 88) forced-choice questions than the MBTI. Plus, the travel quiz categorizes consumers into four travel personality types (versus 16 types by the MBTI). And, the MBTI tool is administered by certified professionals in an ethical manner. So, consumers shouldn't assume that the travel quiz is as rigorous as the MBTI. Admittedly, MyAdventurePersonality may add more questions and/or types in the future.

If you are considering the travel quiz, wise consumers always read the fine print, first. The MyAdventurePersonality site uses the same legal and privacy policies as the core Royal Caribbean cruise line site. So, consumers should know that whatever they submit to the travel quiz will probably be freely shared with other entities, since the Royal Caribbean Privacy Policy does not state any limitations.

The MyAdventurePersonality site may be a marketing gimmick to attract new customers and/or better target e-mail marketing campaigns to current and prospective cruise travelers.

Me? After 28 cruise ship vacations (with many on Royal Caribbean ships) to many areas of the planet, I know my travel needs and preferences very well. So, I doubt the quiz will tell me something I don't already know.

What do you think? Should companies uses these types of quizzes?


Uber's Ripley Program To Thwart Law Enforcement

Uber logo Uber is in the news again, and not in a good way. TechCrunch reported:

"Between spring 2015 until late 2016 the ride-hailing giant routinely used a system designed to thwart police raids in foreign countries, according to Bloomberg, citing three people with knowledge of the system. It reports that Uber’s San Francisco office used the protocol — which apparently came to be referred to internally as ‘Ripley’ — at least two dozen times. The system enabled staff to remotely change passwords and “otherwise lock up data on company-owned smartphones, laptops, and desktops as well as shut down the devices”, it reports. We’ve also been told — via our own sources — about multiple programs at Uber intended to prevent company data from being accessed by oversight authorities... according to Bloomberg Uber created the system in response to raids on its offices in Europe: Specifically following a March 2015 raid on its Brussel’s office in which police gained access to its payments system and financial documents as well as driver and employee information; and after a raid on its Paris office in the same week."

In November of last year, reports emerged that the popular ride-sharing service experienced a data breach affecting 57 million users. Regulators said then that Uber tried to cover it up.

In March of last year, reports surfaced about Greyball, a worldwide program within Uber to thwart code enforcement inspections by governments. TechCrunch also described uLocker:

"We’ve also heard of the existence of a program at Uber called uLocker, although one source with knowledge of the program told us that the intention was to utilize a ransomware cryptolocker exploit and randomize the tokens — with the idea being that if Uber got raided it would cryptolocker its own devices in order to render data inaccessible to oversight authorities. The source said uLocker was being written in-house by Uber’s eng-sec and Marketplace Analytics divisions..."

Geez. First Greyball. Then Reipley and uLocker. And these are the known programs. This raises the question: how many programs are there?

Earlier today, Wired reported:

"The engineer at the heart of the upcoming Waymo vs Uber trial is facing dramatic new allegations of commercial wrongdoing, this time from a former nanny. Erika Wong, who says she cared for Anthony Levandowski’s two children from December 2016 to June 2017, filed a lawsuit in California this month accusing him of breaking a long list of employment laws. The complaint alleges the failure to pay wages, labor and health code violations... In her complaint, Wong alleges that Levandowski was paying a Tesla engineer for updates on its electric truck program, selling microchips abroad, and creating new startups using stolen trade secrets. Her complaint also describes Levandowski reacting to the arrival of the Waymo lawsuit against Uber, strategizing with then-Uber CEO Travis Kalanick, and discussing fleeing to Canada to escape prosecution... Levandowski’s outside dealings while employed at Google and Uber have been central themes in Waymo’s trade secrets case. Waymo says that Levandowski took 14,000 technical files related to laser-ranging lidar and other self-driving technologies with him when he left Google to work at Uber..."

Is this a corporation or organized crime? It seems difficult to tell the difference. What do you think?


Report: Air Travel Globally During 2017 Was The Safest Year On Record

The Independent UK newspaper reported:

"The Dutch-based aviation consultancy, To70, has released its Civil Aviation Safety Review for 2017. It reports only two fatal accidents, both involving small turbo-prop aircraft, with a total of 13 lives lost. No jets crashed in passenger service anywhere in the world... The chances of a plane being involved in a fatal accident is now one in 16 million, according to the lead researcher, Adrian Young... The report warns that electronic devices in checked-in bags pose a growing potential danger: “The increasing use of lithium-ion batteries in electronics creates a fire risk on board aeroplanes as such batteries are difficult to extinguish if they catch fire... The UK has the best air-safety record of any major country. No fatal accidents involving a British airline have happened since the 1980s. The last was on 10 January 1989... In contrast, sub-Saharan Africa has an accident rate 44 per cent worse than the global average, according to the International Air Transport Association (IATA)..."

Read the full 2017 aviation safety report by To70. Below is a chart from the report.

Accident Data Chart from To70 Air Safety Review for 2017. Click to view larger version


Uber: Data Breach Affected 57 Million Users. Some Say A Post Breach Coverup, Too

Uber logo Uber is in the news again. And not in a good way. The popular ride-sharing service experienced a data breach affecting 57 million users. While many companies experience data breaches, regulators say Uber went further and tried to cover it up.

First, details about the data breach. Bloomberg reported:

"Hackers stole the personal data of 57 million customers and drivers... Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers..."

Second, details about the coverup:

"... the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers... At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers to delete the data and keep the breach quiet."

Geez. Not tell regulators about a breach? Not tell affected users? 48 states have data breach notification laws requiring various levels of notifications. Consumers need notice in order to take action to protect themselves and their sensitive personal and payment information.

Third, Uber executives learned about the breach soon thereafter:

"Kalanick, Uber’s co-founder and former CEO, learned of the hack in November 2016, a month after it took place, the company said. Uber had just settled a lawsuit with the New York attorney general over data security disclosures and was in the process of negotiating with the Federal Trade Commission over the handling of consumer data. Kalanick declined to comment on the hack."

Reportedly, breach victims with stolen drivers license information will be offered free credit monitoring and identity theft services. Uber said that no Social Security numbers and credit card information was stolen during the breach, but one wonders if Uber and its executives can be trusted.

The company has a long history of sketchy behavior including the 'Greyball' worldwide program by executives to thwart code enforcement inspections by governments, dozens of employees fired or investigated for sexual harassment, a lawsuit descrbing how the company's mobile app allegedly scammed both riders and drivers, and privacy abuses with the 'God View' tool. TechCrunch reported that Uber:

"... reached a settlement with [New York State Attorney General] Schneiderman’s office in January 2016 over its abuse of private data in a rider-tracking system known as “God View” and its failure to disclose a previous data breach that took place in September 2014 in a timely manner."

Several regulators are investigating Uber's latest breach and alleged coverup. CNet reported:

"The New York State Attorney General has opened an investigation into the incident, which Uber made public Tuesday. Officials for Connecticut, Illinois and Massachusetts also confirmed they're investigating the hack. The New Mexico Attorney General sent Uber a letter asking for details of the hack and how the company responded. What's more, Uber appears to have broken a promise made in a Federal Trade Commission settlement not to mislead users about data privacy and security, a legal expert says... In addition to its agreement with the FTC, Uber is required to follow laws in New York and 47 other states that mandate companies to tell people when their drivers' license numbers are breached. Uber acknowledged Tuesday it had a legal requirement to disclose the breach."

The Financial Times reported that the U.K. Information Commissioner's Office is investigating the incident, along with the National Crime Agency and the National Cyber Security Centre. New data protection rules will go into effect in May, 2018 which will require companies to notify regulators within 72 hours of a cyber attack, or incur fines of up to 20 million Euro-dollars or 4 percent of annual global revenues.

Let's summarize the incident. It seems that a few months after settling a lawsuit about a data breach and its data security practices, the company had another data breach, paid the hackers to keep quiet about the breach and what they stole, and then allegedly chose not to tell affected users nor regulators about it, as required by prior settlement agreements, breach laws in most states, and breach laws in some international areas. Geez. What chutzpah!

What are your opinions of the incident? Can Uber and its executives be trusted?


Russian Malware Targets Hotels In Europe And Middle East

FireEye, a security firm, has issued a warning about malware targeting the hotel industry within both Europe and the Middle East. The warning:

"... a campaign targeting the hospitality sector is attributed to Russian actor APT28. We believe this activity, which dates back to at least July 2017, was intended to target travelers to hotels throughout Europe and the Middle East. The actor has used several notable techniques in these incidents such as sniffing passwords from Wi-Fi traffic... Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks... in a separate incident that occurred in Fall 2016, APT28 gained initial access to a victim’s network via credentials likely stolen from a hotel Wi-Fi network..."

The key takeaway: criminals use malware to infiltrate the WiFi networks at hotels in order to steal the login credentials (IDs, passwords) of traveling business and government executives. The criminals know that executives conduct business while traveling -- log into their employers' computer networks. Stealing those login credentials provides criminals with access to the computer networks operated by corporations and governments. Once inside those networks, the criminals can steal whatever of value they can access: proprietary information, trade secrets, customer lists, executives' and organization payment information, money, or more.

A variety of organizations in both the public and private sectors use software by FireEye to detect intrusions into their computer networks by unauthorized persons. FireEye software detected the breach at Target (which Target employees later ignored). Security researchers at FireEye discovered vulnerabilities in HTC smartphones which failed to adequately protect users' fingerprint data for unlocking phones.

Security warnings earlier this year mentioned malware by the APT28 group targeting Apple Mac users. The latest warning by FireEye also described the 2016 hack in more detail:

"... the victim was compromised after connecting to a hotel Wi-Fi network. Twelve hours after the victim initially connected to the publicly available Wi-Fi network, APT28 logged into the machine with stolen credentials. These 12 hours could have been used to crack a hashed password offline. After successfully accessing the machine, the attacker deployed tools on the machine, spread laterally through the victim's network, and accessed the victim's OWA account. The login originated from a computer on the same subnet, indicating that the attacker machine was physically close to the victim and on the same Wi-Fi network..."

So, travelers aren't safe even when they use strong passwords. How should travelers protect themselves and their sensitive information? FireEye warned:

"Travelers must be aware of the threats posed when traveling – especially to foreign countries – and take extra precautions to secure their systems and data. Publicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible."


Bungled Software Update Renders Customers' Smart Door Locks Inoperable

Image of Lockstate RemoteLock 6i device. Click to view larger version A bungled software update by Lockstate, maker of WiFi-enabled door locks, rendered many customers' locks inoperable -- or "bricked." Lockstate notified affected customers in this letter:

"Dear Lockstate Customer,
We notified you earlier today of a potential issue with your LS6i lock. We are sorry to inform you about some unfortunate news. Your lock is among a small subset of locks that had a fatal error rendering it inoperable. After a software update was sent to your lock, it failed to reconnect to our web service making a remote fix impossible...

Many AirBnb operators use smart locks by Lockstate to secure their properties. In its website, Lockstate promotes the LS6i lock as:

"... perfect for your rental property, home or office use. This robust WiFi enabled door lock allows users to lock or unlock doors remotely, know when people unlock your door, and even receive text alerts when codes are used. Issue new codes or delete codes from your computer or phone. Even give temporary codes to guests or office personnel."

Reportedly, about 200 Airbnb customers were affected. The company said 500 locks were affected. ArsTechnica explained how the bungled software update happened:

"The failure occurred last Monday when LockState mistakenly sent some 6i lock models a firmware update developed for 7i locks. The update left earlier 6i models unable to be locked and no longer able to receive over-the-air updates."

Some affected customers shared their frustrations on the company's Twitter page. Lockstate said the affected locks can still be operated with physical keys. While that is helpful, it isn't a solution since customers rely upon the remote features. Affected customers have two repair options: 1) return the back portion of the lock (repair time about 5 to 7 days), or 2) request a replace (response time about 14 to 18 days).

The whole situation seems to be another reminder of the limitations when companies design smart devices with security updates delivered via firmware. And, a better disclosure letter by Lockstate would have explained corrections to internal systems and managerial processes, so this doesn't happen again during another software update.

What are your opinions?


Google And Massachusetts Transportation Department Provide GPS Signals In Tunnels

Smartphone users love their phones. That includes Global Positioning System (GPS) navigation services for driving directions. However, those driving directions don't work in tunnels where phones can't get GPS signals. That is changing.

Google and the Massachusetts Department of Transportation (MassDOT) have entered a partnership to provide GPS navigation services for drivers inside tunnels. If you've familiar with Boston, then you know that portions of both Interstate 93 and the Massachusetts Turnpike include tunnels. The ABC affiliate in Boston, WCVB reported last month that the partnership, part of the Connected Citizens Program, will:

"... install beacons inside Boston's tunnels to help GPS connection stay strong underground. Around 850 beacons are being installed, free of charge, as a part of an ongoing partnership between the state and the traffic app... Installation is scheduled to be complete by the end of July... The beacons are not limited to improving their own app's signal. As long as you are using Bluetooth, they are able to help improve any traffic app's connection."

For those unfamiliar with the technology, beacons are low-powered transmitters which, in this particular application, are installed in the tunnels' walls and provide geographic location information usable by drivers' (or passengers') smartphones passing by (assuming the phones' Bluetooth features are enabled).

Bluetooth beacons are used in a variety of applications and locations. The Privacy SOS blog explained:

"... They’re useful in places where precise location information is necessary but difficult to acquire via satellite. For that reason, they’ve been field tested in museums such as New York’s Metropolitan Museum of Art and airports like London Gatwick. At Gatwick, beacons deliver turn-by-turn directions to users’ phones to help them navigate the airport terminals..."

Within large airports such as Gatwick, the technology can present more precise geolocation data of nearby dining and shopping venues to travelers. According to Bluetooth SIG, Inc., the community of 30,000 companies that use the technology:

"The proliferation and near universal availability of Bluetooth® technology is opening up new markets at all ends of the spectrum. Beacons or iBeacons—small objects transmitting location information to smartphones and powered by Bluetooth with low energy—make the promise of a mobile wallet, mobile couponing, and location-based services possible... The retail space is the first to envision a future for beacons using for everything from in-store analytics to proximity marketing, indoor navigation and contactless payments. Think about a customer who is looking at a new TV and he/she gets a text with a 25 percent off coupon for that same TV and then pays automatically using an online account..."

iBeacons are the version for Apple branded mobile devices. All 12 major automobile makers offer hands-free phone calling systems using the technology. And, social network giant Facebook has developed its own proprietary Bluetooth module for an undisclosed upcoming consumer electronics device.

So, the technology provides new marketing and revenue opportunities to advertisers. TechCrunch explained:

"The Beacons program isn’t looking to get help from individual-driver Wazers in this case, but is looking for cities and tunnel owners who might be fans of the service to step up and apply to its program. The program is powered by Eddystone, a Bluetooth Low Energy beacon profile created by Google that works with cheap, battery-powered BLE Waze Beacon hardware to be installed in participating tunnels. These beacons would be configured to transmit signals to Bluetooth-enabled smartphones... There is a cost to participate — each beacon is $28.50, Waze notes, and a typical installation requires around 42 beacons per mile of tunnel. But for municipalities and tunnel operators, this would actually be a service they can provide drivers, which might actually eliminate frustration and traffic..."

There are several key takeaways here:

  1. GPS navigation services can perform better in previously unavailable areas,
  2. Companies can collect (and share) more precise geolocation data about consumers and our movements,
  3. Consumers' GPS data can now be collected in previously unattainable locations,
  4. What matters aren't the transmissions by beacons, but rather the GPS and related data collected by your phone and the apps you use, which are transmitted back to the apps' developers, and then shared by developers with their business partners (e.g., mobile service providers, smartphone operating system developers, advertisers, and affiliates
  5. You don't have to be a Google user for Google to collect GPS data about you, and
  6. Consumers can expect a coming proliferation of Bluetooth modules in a variety of locations, retail stores, and devices.

So, now you know more about how Google and other companies collect GPS data about you. After analyzing the geolocation data collected, they know not only when and where you go, but also your patterns in the physical world: where you go on certain days and times, how long you stay, where and what you've done before (and after), who you associate with, and more.

Don't like the more precise tracking? Then, don't use the Waze app or Google Maps, delete the blabbermouth apps, or turn off the Bluetooth feature on your phone.

A noted economist once said, "There is no free lunch." And that applies to GPS navigation in tunnels. The price for "free," convenient navigation services means mobile users allow companies to collect and analyze mountains of data about their movements in the physical world.

What are your opinions of GPS navigation services in tunnels? If the city or town where you live has tunnels, have beacons been installed?