
Privacy

Recent Articles


Child advocates call for FTC probe of YouTube

The group says the site is illegally collecting children’s data

In a complaint filed Monday, a group of child, consumer, and privacy advocates claim YouTube illegally collects data about underage viewers and uses that data to advertise to its youngest users.

The group of advocates, led by the Campaign for a Commercial-Free Childhood, said it wants the Federal Trade Commission to investigate Google -- which owns YouTube -- for violating the Children’s Online Privacy Protection Act (COPPA), which sets strict rules for how companies can collect data about children under the age of 13.

Per COPPA regulations, companies that run websites targeted at children must notify parents and obtain their consent before collecting any personal data.

“Acted duplicitously”

The group says YouTube avoided COPPA requirements by saying in its terms of service that YouTube is only intended to be used by those over 13, even though Google knows YouTube is widely used among kids in the 6-12 age range.

The site even caters to young viewers, the group said, citing content that is specifically aimed at children under 13.

“Google has acted duplicitously by falsely claiming in its terms of service that YouTube is only for those who are age 13 or older, while it deliberately lured young people into an ad-filled digital playground,” said Jeff Chester of the Center for Digital Democracy. “Just like Facebook, Google has focused its huge resources on generating profits instead of protecting privacy.”

Calls for a fine

The group wants YouTube to change how it deals with content for children, pay a fine for allegedly profiting off young viewers, and “assess civil penalties that demonstrate that the FTC will not permit violations of COPPA.”

"Google has made substantial profits from the collection and use of personal data from children on YouTube. Its illegal collection has been going on for many years and involves tens of millions of US children," the complaint reads.

YouTube issued a statement saying that it “will read the complaint thoroughly and evaluate if there are things we can do to improve. Because YouTube is not for children, we’ve invested significantly in the creation of the YouTube Kids app to offer an alternative specifically designed for children.”

This isn’t the first time a complaint has been filed against YouTube for the way it handles children’s privacy. In 2015, advocacy groups said the site was violating FCC laws about advertising to children.


The Weekly Hack: Beware of Equifax and aliens

Identity thieves can use the Equifax breach to steal social security benefits and leave victims with the bill, but does it even matter if the entire planet is under attack?

Sure, you never technically asked Equifax to monitor your personal data, but credit checks are a necessary step to securing a home, a loan, or a job. But n...

Belgian judges demand Facebook destroy data it collected on non-users

Facebook, which faces 100 million euros in fines, defended the practice

In Europe, where consumers are protected by tougher privacy and data regulations than they are in the United States, judges have once again ruled that Facebook is breaking the law.

A court in Belgium on Friday ordered Facebook to stop tracking and recording the browsing habits of non-users, “as it does not bring its practices in line with Belgian privacy legislation.”

The Belgian verdict follows a ruling against Facebook in Germany last Monday. In the latter case, a Berlin judge ruled that eight clauses in Facebook’s terms of service are illegal and that Facebook’s default privacy settings do not give users adequate consent or allow them to easily opt out.

“Facebook hides default settings that are not privacy-friendly in its privacy center and does not provide sufficient information about it when users register,” an attorney with The Federation of German Consumer Organisations, the organization that brought the lawsuit against Facebook, said in a statement.

Facebook says it plans to appeal the Berlin court’s decision.

Facebook ordered to publicize judgment

In the Belgian verdict, judges ordered Facebook to destroy data that they determined was “illegally obtained” and publicize the court’s unflattering findings about itself.

The judges not only demanded that Facebook publish “the entire 84-page judgment on its website,” but also stipulated that Facebook publish a portion of the judgment in Dutch-language and French-language Belgian newspapers.

Facebook, which has so far given no indication that it plans to follow the order, faces fines of 250,000 euros a day, up to a maximum of 100 million euros, for not complying.

“The cookies and pixels we use are industry standard technologies and enable hundreds of thousands of businesses to grow their businesses and reach customers across the EU,” Facebook’s public policy spokesman Richard Allan told TechCrunch in a statement.

“We require any business that uses our technologies to provide clear notice to end-users, and we give people the right to opt out of having data collected on sites and apps off Facebook being used for ads.”

Tracks non-users

Facebook’s use of tracking code embedded in social plug-ins, which relies on browser “cookies,” allows the social media giant to sell targeted advertising. The cookies work by recording the browsing habits of consumers, even those who do not use the social media site or who have cancelled their accounts.

“This does not only concern Facebook users, but almost all internet users in Belgium and Europe,” Belgium's Privacy Commission, the agency that filed suit against Facebook, explains on its website.

Belgian watchdogs have been fighting the practice since 2015 with a civil suit and a subsequent judgment that ordered Facebook to stop invisibly tracking consumers or face hefty fines. But Facebook fought the ruling with the argument that the Belgian courts did not have jurisdiction over its business because Facebook’s European office is headquartered in Ireland.

Facebook’s appeals have been repeatedly shot down by the Belgian courts trying to crack down on the company. Much like the recent ruling in Germany, a report commissioned by the Belgian Privacy Commission in 2015 determined that Facebook’s privacy settings do not give users informed consent and that its terms of service violate European consumer privacy laws.

Higher European standards irk companies

While Facebook does allow users to opt out of the tracking cookies, this option is only available to people with a Facebook account, not to non-users. “The current practice does not meet the requirements for legally valid consent,” the Belgian Privacy Commission report said.

The European Union considers data protection to be a fundamental right and places broad regulations on the tech, financial, and advertising industries over how they handle data.

But tech giants have bristled at European attempts to regulate data collection and other aspects of their businesses. Last summer, European regulators fined Google a record 2.4 billion euros after finding it was manipulating search results in a manner that promotes its own shopping services over competitors. It was the largest antitrust fine implemented to date by the European Union.

Google responded by offering concessions, such as opening its “shopping” search results to competitors, but it also appealed the ruling in September.


Winter Olympics and cryptocurrency faced hacks last week

The Air Force, meanwhile, underwent an intentional hacking operation

Earlier this month, the Department of Homeland Security warned Americans at the Olympics that the event was vulnerable to hacking. As if on cue, the website that hosted the event went down on opening day, among other notable hacks that took place.

Cryptocurrency

Do you go directly to your country’s government website to get information about what’s going on in your country? That’s adorable. It’s also apparently putting you at risk of becoming a cryptocurrency miner.

A hack that affected thousands of websites, including USCourts.gov, the United Kingdom's information commissioner page and numerous Canadian government sites, caused visitors’ computers to mine cryptocurrency on behalf of hackers last weekend.

The fault lies not with the government websites themselves but with a popular browser plug-in called Browsealoud, which is used on thousands of web pages. Hackers compromised the plug-in’s code by tweaking it so that any computer that loaded it would mine the cryptocurrency Monero. Motherboard described the breach as the largest cryptocurrency hack to date.

Winter Olympics

On February 9, the day of the Winter Olympics opening ceremony, the event’s web page went down for several hours, impacting visitors’ ability to get tickets or access important event information, among other problems. Officials have not released much information about what happened, but independent experts are piecing it together.

Cyber security experts said a computer virus called the “Olympic Destroyer” was likely used in Friday's attack and was designed to delete critical system files on computers, or essentially knock vulnerable computers offline. Experts also said the hackers appeared to have previously compromised the main IT service provider for the Winter Olympics.

The site CyberScoop is reporting that the same malware behind Friday’s attack had previously hacked other computer systems belonging to the IT firm Atos, which is hosting the Pyeongchang games on its “cloud” infrastructure.

Cryptocurrency (again)

An Italian coin exchange last Friday posted a notice that hackers had stolen 17 million units of its Nano coins.

Air Force (but on purpose)

For the second year in a row, the Air Force has invited hackers to come aboard. The agency on Thursday completed its 20-day Hack the Air Force 2.0 security initiative, a challenge in which security researchers are paid to find vulnerabilities in the agency’s digital assets.

"This is the first time that we've had Department of Defense personnel on site in a live hacking program," one expert told eWEEK. Researchers were paid a total of $103,883 for identifying 106 valid vulnerabilities. Last year, for the inaugural Hack the Air Force program, over $130,000 in cash was doled out.

DNC sued for more information about previous hack

BuzzFeed News is reportedly suing the Democratic National Convention in an attempt to glean more information about the Russian hacking interference that has been the party’s major talking point since Trump was elected into office.

The news organization says in court that the political party has not complied with a subpoena they filed for more information about the infamous DNC hack of 2016, citing privacy concerns.


Scans of FedEx customers' passports found on unsecured server

Documents had been collected by Bongo International, now part of FedEx

As many as 119,000 FedEx customers may have been compromised when scans of passports and other documents were left on an unsecured Amazon cloud server.

Researchers from Kromtech Security Center said they discovered the documents on February 5. They said the documents belonged to citizens from a number of countries, including the U.S., Canada, Mexico, China, Kuwait, and Japan.

An analysis revealed that the documents had been collected by Bongo International, a company that supports retailers in North America with international shipping. FedEx bought Bongo International in 2014.

“After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure,” FedEx said in a statement. “The data was part of a service that was discontinued after our acquisition of Bongo. We have found no indication that any information has been misappropriated and will continue our investigation.”

Kromtech researchers said the documents they found on the server were dated between 2009 and 2012. The company said the data could have been exposed for years and that anyone who used Bongo's services during that time might have had their identity compromised.

Bongo International, now known as FedEx Cross Border, started in 2007 as a package forwarding service for international consumers who wanted to purchase items from U.S.-based websites that did not offer international shipping.


Olympics opening ceremony hit by cyber attack

Officials confirm that there was an attack but won’t reveal who was responsible

Olympic officials have confirmed that a cyber attack took place during the 2018 winter games, Reuters reports.

PyeongChang organizers say that someone compromised services, leading to a temporary shutdown of internet and Wi-Fi during the opening ceremony, but they won’t say where the attacks originated.

“All issues were resolved and recovered yesterday morning,” organizing committee spokesman Sung Baik-you told reporters. However, the source of the attack is being kept under wraps.

Officials know the culprit

Sung said that investigators know the cause of the attack but are “not going to reveal the source” after talking to the International Olympics Committee. The attack did not compromise any critical part of Olympic operations, organizers noted.

“Maintaining secure operations is our purpose,” International Olympic Committee (IOC) spokesman Mark Adams said. “We are not going to comment on the issue. It is one we are dealing with. We are making sure our systems are secure and they are secure.”

In response to whether or not organizers knew who was behind the attack, Adams said, “I certainly don’t know. But best international practice says that you don’t talk about an attack.”

Russia, which has been formally banned from the Winter Olympics over its doping program, has already tried to get ahead of speculation that Russia-based hackers may have been behind the attack.

“We know that Western media are planning pseudo-investigations on the theme of ‘Russian fingerprints’ in hacking attacks on information resources related to the hosting of the Winter Olympic Games in the Republic of Korea,” the nation’s foreign ministry said. “Of course, no evidence will be presented to the world.”

Sung says investigators know who was responsible, but have no plans to reveal the source.

“We know the cause of the problem but that kind of issue occurs frequently during the Games. We decided with the IOC we are not going to reveal the source (of the attack),” he said.

Vulnerable to hacking

Cybersecurity experts have warned that PyeongChang is a target for hacking. The Department of Homeland Security issued a warning to Americans in PyeongChang to be mindful of so-called “cyber activists” and cyber criminals.

“At high-profile events, cyber activists may take advantage of the large audience to spread their message,” the warning says. “Cyber criminals may attempt to steal personally identifiable information or harvest users’ credentials for financial gain. There is also the possibility that mobile or other communications will be monitored.”

Last month, experts revealed that they found early indications of attacks in the months leading up to the games in the form of malicious emails sent to Olympic officials.


Forever 21 confirms 2017 data breach

Payment cards may have been compromised at some stores

Retailer Forever 21 has confirmed a payment card data breach it first raised as a possibility in mid-November.

The company said it received a report from a third party in mid-October suggesting there could have been unauthorized access to payment card data at certain stores. The investigation revealed that encryption technology, installed on point-of-sale (POS) devices in 2015, was not always activated at some stores.

Investigators then discovered signs of unauthorized network access and installation of malware on some POS devices. The malware searched for payment card data as it moved through the POS device.

No consistent pattern

Complicating the investigation is the fact that the encryption was not turned off uniformly across stores: in some stores it was off for only a few days to several weeks, while in others it was off most of the time.

"Each Forever 21 store has multiple POS devices, and in most instances only one or a few of the POS devices were involved," the company said in a statement. In nearly all cases, potentially compromised transactions occurred between March and October 2017.

Mark Cline, a vice president at Netsurion, a provider of managed security services for multi-location businesses, says there are important lessons to learn here for both consumers and retailers.

“With its endless POS endpoints, the retail industry has always been a desirable target for cybercriminals," he told ConsumerAffairs. "They know that if they can introduce malware into POS networks, they can make a decent amount of cash by selling credit card numbers on the dark web. With their millions of customers, large retailers, like Forever 21, have typically been the hardest hit."

The costs for companies can be enormous. Cline says a retailer pays on average $172 per stolen record in "clean-up costs."

The challenge for retailers is to stay ahead of the hackers. Cline suggests companies first run a vulnerability scan on their internal networks and then apply all operating system and software upgrades and patches immediately.

Consumers inconvenienced

The cost for consumers is mostly in convenience. If promptly reported, consumer liability for fraudulent use of a credit card is limited to $50, and in many cases there is no loss.

If debit card information is stolen, risks may be greater. Policies protecting consumers in these cases tend to vary bank to bank. Needless to say, a thief with a consumer's complete debit card information could clean out the account very quickly.

Consumers using a payment card at a POS terminal are safer paying with a credit card than a debit card. Paying with cash is safer still.

Forever 21 operates more than 815 stores in 57 countries with retailers in the United States and overseas. The company did not provide the number of its stores that may have been affected by the data breach.


Forever 21 investigating possible card hack

Company not sure which stores might have been affected

If you used a credit or debit card at Forever 21 between March and October, your card's information may have been compromised.

The fashion retailer, a fixture at malls around the country, says it is investigating a third party report of "unauthorized access" to stored data from debit and credit cards used at some of its stores.

At this point in the investigation, the company says it isn't known which stores may have been affected, but it is evident only certain point of sale systems were compromised.

Mark Cline, a vice president at business security service Netsurion, says hackers have found it easy and profitable to introduce malware to these point of sale terminals, stealing the card data and selling it on the dark web.

"With their millions of customers, large retailers like Forever 21 have typically been the hardest hit," Cline said in an email to ConsumerAffairs. "Companies must pay up to $172 per stolen record in clean-up costs. A major retailer just paid $18.5 million to address the impact of its 2013 hack, which resulted in 41 million stolen credit cards."

Businesses should harden card terminals

Cline says businesses should make it a priority to harden their IT and point of sale security, especially with the holiday shopping season approaching. Forever 21 said that some, but not all, of its point of sale terminals had been encrypted.

Forever 21 urges customers who used credit or debit cards at its stores to closely monitor their statements for unauthorized charges. If you find a charge you did not make, notify your bank or credit card company immediately to limit your liability.

The Federal Trade Commission (FTC) notes that once you report the loss of a card, or evidence of unauthorized use, federal law protects you from further liability. The FTC says you should also follow up a phone call with a letter or email, including your account number, the date and time when you noticed your card was missing, and when you first reported the loss.

It is also a good idea to notify your bank or credit card company that you used the card at Forever 21 between March and October so they can issue a new card.


Equifax provides few details on its credit-freezing tool

Consumers will be able to freeze and unfreeze credit without paying fees

Equifax says consumers concerned about the company's massive data breach will be able to freeze and unfreeze their credit at will and not pay a fee.

In his testimony before a House subcommittee Tuesday, former Equifax CEO Richard Smith listed the new tool among other free remediation tools the company is providing to consumers to help them protect their identity, but he did not elaborate on it.

A credit freeze prevents anyone from accessing a consumer's credit report, so an identity thief who has stolen the victim's Social Security number and other identifying information would be unable to open a fraudulent credit account because the lender would be unable to pull the credit file.

The credit file could only be unfrozen with the consumer's permission, making the credit freeze among the strongest identity theft prevention measures that can be taken. Normally, the consumer pays a fee to freeze the credit file and another fee when it is unfrozen.

Equifax has disclosed few details of the tool, other than to say it hopes to have it available by the end of January. In an email to ConsumerAffairs, a company spokesperson said additional details would be provided closer to the launch date.

Different opinions

Security and identity theft experts have different opinions about whether a simple, easy-to-use tool to freeze and unfreeze credit is a good idea. Some have backed the idea, saying that hackers will have a harder time stealing identities if more consumers are freezing their credit files.

But Eva Velasquez, CEO of the Identity Theft Resource Center (ITRC), thinks the process should not be so simple and quick that it becomes vulnerable to hacks.

"I hope that the solution that industry proposes is not more automated technology," Velasquez told ConsumerAffairs in an interview last month. "Because the process of establishing who you are goes through several steps, and we should appreciate that it's going to take a little longer."

Whatever form the freeze tool takes, it won't be a complete solution. That's because it will only freeze one credit file -- the one managed by Equifax. Consumers also have credit files with the two other credit bureaus, Experian and TransUnion.

There will still be fees to freeze and unfreeze those files. Velasquez says ITRC has launched an online petition urging Experian and TransUnion to also waive fees when consumers freeze and unfreeze their credit reports.


Equifax ex-CEO to be well-paid in retirement

Richard Smith will reportedly rake in millions as part of his retirement package

Former Equifax CEO Richard Smith, who announced his immediate retirement last week in the wake of the company's data breach, will apparently be well-compensated in his golden years.

Stephen Gandel, who writes Bloomberg News' "Gadfly" column, reports the departing chief executive will receive a stock bonus in early 2018 that is worth an estimated $7.6 million, in addition to other generous benefits in his retirement package. According to Gandel, the stock bonus is part of a long-term incentive plan.

Gandel, who says Equifax has declined to comment on the issue, notes the 143 million consumers exposed in the data breach will likely have to spend their own money for the rest of their lives on measures to prevent identity theft.

Two other top executives at Equifax, both with responsibilities for network security, also retired abruptly last month. The make-up of their retirement packages is unknown.

Not unusual

Equifax is not unusual in providing multi-million dollar bonuses and retirement packages for its top executives. Most major companies do the same, and it never becomes an issue until some negative news or scandal rocks the company.

A year ago, Wells Fargo was in the news when the company revealed that employees had routinely opened new credit card and checking accounts for customers without their knowledge or permission, generating fees for the bank. The company fired 5,000 low-level employees, some of whom said they were pressured by their bosses to meet sales goals.

In the aftermath, Wells Fargo paid $185 million in fines while its CEO and another top executive announced their retirements. Under pressure from Congress and regulators, Wells Fargo eventually "clawed back" as much as $136 million from its former executives' packages.

Pushing for clawbacks

Much of that pressure came from Sen. Elizabeth Warren (D-Mass.), who early on sought to hold top Wells Fargo executives financially accountable. In blistering questioning of the bank's then-CEO during a 2016 Senate Banking Committee hearing, Warren repeatedly pressed John Stumpf to commit to "clawing back" compensation from top executives, something Stumpf, at the time, declined to do.

"You haven’t returned a single nickel of your personal earnings," Warren said at the hearing. "You haven’t fired a single senior executive. Instead, your definition of ‘accountable’ is to push the blame to your low-level employees who don’t have money for a fancy PR firm to defend themselves. It’s gutless leadership.”

Though Wells Fargo eventually clawed back some compensation, Gandel says Equifax is unlikely to do so, unless it specifically finds the departing executives were at fault and reclassifies their retirements as "termination for cause."

Warren, meanwhile, says her office is investigating the Equifax breach and whether the company violated any laws or regulations in its reporting of the incident. In a letter to Securities and Exchange Commission Chairman Jay Clayton, Warren noted that Equifax discovered the data breach on July 29 but did not disclose it at an investors' conference held more than two weeks later.

Warren says investors who bought Equifax stock without being told of the breach suffered enormous losses when shares plunged after the breach became public.


SEC reveals details of 2016 data breach

The agency said the hack may have led to 'illicit gains'

The Securities and Exchange Commission (SEC) has announced details of a 2016 hack of its computer system that may have led to “illicit gains” from stock trades.

SEC officials learned in August that hackers had breached the agency’s EDGAR online database, which contains many companies’ securities filings and other highly sensitive information. SEC Chairman Jay Clayton issued a statement Wednesday evening explaining that the intrusion was the result of a software vulnerability that was “patched promptly after discovery.”

“We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk,” Clayton said. “Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities.”

Must step up efforts

Thus far, the SEC has investigated and filed cases against individuals who it alleges placed fake SEC filings connected to the breach. However, the agency’s announcement did not sit well with Senator Mark Warner (D-Virginia).

The lawmaker compared the breach with the recent hacking of credit reporting agency Equifax, which compromised sensitive personal details of 143 million people. Warner indicated that he would be questioning Clayton about the breach in an upcoming Senate Banking Committee meeting, according to the Los Angeles Times.

“The SEC’s disclosure, which comes not even two weeks after Equifax revealed that it had been hacked, shows that government and business entities need to step up their efforts to protect our most sensitive personal and commercial information,” Warner said.

Cybersecurity lapses

This isn’t the first time that the SEC has had to deal with cybersecurity issues. In 2014, an internal review by the agency’s Office of the Inspector General (OIG) found that laptops containing sensitive, private information could not be located.

In another instance, the OIG found that SEC employees had shared nonpublic information through non-secure personal email accounts.

Interactions with outside vendors have been troublesome as well. In his statement, Clayton confirmed that certain vendor systems and software products have provided the means for threat actors to access SEC systems.

Largely due to these incidents, the SEC has adopted an extensive cybersecurity detection, protection, and prevention program. However, Clayton says that the agency’s own limitations will require “additional expertise in this area.”


Why your online messages might not be as secure as you think

Researchers say many users don't take advantage of important security options

Many people who use popular messaging services like Facebook Messenger, WhatsApp and Viber take for granted that their conversations are private because they are encrypted.

But a recent study from Brigham Young University shows that these messages are still vulnerable to hacking attempts because users don’t take advantage of other important security options. The researchers say that although these three messaging services encrypt messages by default, they also require an “authentication ceremony” to ensure that conversations stay private.

Ph.D. student Elham Vaziripour says that unfortunately many consumers aren’t aware of these ceremonies, which means that “a malicious party or man-in-the-middle attacker can eavesdrop on their conversations.”

Guaranteeing privacy

In basic terms, an authentication ceremony allows users to confirm the identity of the person they’re communicating with on one of these messaging services. Those who take advantage of this security option guarantee that no other party – not even the company providing the messaging application – can intercept the messages.
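To make concrete what the ceremony compares, here is an added illustration, not code from the study or from any of the three messaging apps. It assumes a hypothetical fingerprint scheme in the style of Signal's safety numbers: each party's identity public key is hashed into a short decimal string, the two strings are combined in a fixed order so both phones display the same number, and the users compare that number over a channel the server does not control. The "public keys" are constructed sample bytes, not real keys.

```python
import hashlib
from typing import Optional, Tuple

# Constructed sample identity keys. In a real app these are the long-term
# public keys the messaging service hands out for each account.
ALICE_PUB = bytes.fromhex("aa" * 32)
BOB_PUB = bytes.fromhex("bb" * 32)
MALLORY_PUB = bytes.fromhex("cc" * 32)  # key an interceptor substitutes


def fingerprint(identity_pub: bytes, iterations: int = 5200) -> str:
    """Reduce an identity key to 30 decimal digits in groups of five.

    Hypothetical scheme: repeated hashing makes it expensive for an
    attacker to search for a key whose short fingerprint collides with the
    victim's, which is the same reason Signal iterates its hash.
    """
    digest = identity_pub
    for _ in range(iterations):
        digest = hashlib.sha512(digest + identity_pub).digest()
    digits = ""
    for i in range(6):
        chunk = int.from_bytes(digest[i * 5:(i + 1) * 5], "big")
        digits += f"{chunk % 100000:05d}"
    return " ".join(digits[i:i + 5] for i in range(0, 30, 5))


def safety_number(own_pub: bytes, peer_pub: bytes) -> str:
    """Combine both fingerprints in sorted order so that Alice's and Bob's
    screens show an identical string when they hold each other's real keys."""
    return "  ".join(fingerprint(k) for k in sorted((own_pub, peer_pub)))


def run_ceremony(interceptor: Optional[bytes] = None) -> Tuple[bool, str, str]:
    """Simulate the ceremony.

    Without an interceptor, the service delivers the genuine keys. With one,
    it delivers the interceptor's key to each side in place of the other's,
    which is exactly the situation the ceremony exists to detect: the message
    bodies are still encrypted, just to the wrong party.
    Returns (numbers_match, number_alice_sees, number_bob_sees).
    """
    key_alice_sees_for_bob = BOB_PUB if interceptor is None else interceptor
    key_bob_sees_for_alice = ALICE_PUB if interceptor is None else interceptor
    alice_view = safety_number(ALICE_PUB, key_alice_sees_for_bob)
    bob_view = safety_number(BOB_PUB, key_bob_sees_for_alice)
    return alice_view == bob_view, alice_view, bob_view


if __name__ == "__main__":
    ok, a, b = run_ceremony()
    print("honest server :", "MATCH" if ok else "MISMATCH")
    ok, a, b = run_ceremony(MALLORY_PUB)
    print("interposed key:", "MATCH" if ok else "MISMATCH")
    print("  Alice sees:", a)
    print("  Bob sees:  ", b)
```

The point the study makes follows directly from the last two lines: the mismatch is only visible if the two people actually read the numbers to each other (or scan each other's code in person). A user who skips the ceremony has no way to tell the honest case from the interposed one, because both deliver a working encrypted chat.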

To see which steps typical users took to protect their privacy, the researchers asked a group of people to participate in a multi-phase experiment. In the first phase, the participants were asked to share a credit card number with another person in the study while keeping in mind that information should be kept confidential.

The results showed that only 14% of users successfully authenticated the recipient of the messages, with most resorting to ad-hoc security measures like asking the recipient to reiterate details of a shared experience.

In the second phase, participants were once again asked to share a credit card number, but this time the researchers accentuated how important authentication ceremonies were for maintaining privacy. The results showed that this extra direction led to 79% of participants authenticating their partner. However, the researchers found that completing this extra security step tended to take some time – around 11 minutes on average.

Automatic authentication

While the study shows that many users are able to conduct authentication ceremonies to maintain privacy, it is not necessarily at the forefront of their mind when using these messaging apps. The researchers hope that these services will adapt to make authentication ceremonies more automatic so that consumers don’t leave themselves exposed.

 "If we can perform the authentication ceremony behind the scenes for users automatically or effortlessly, we can address these problems without necessitating user education," said Vaziripour.

"Security researchers often build systems without finding out what people need and want," added researcher and professor Kent Seamons. "The goal in our labs is to design technology that's simple and usable enough for anyone to use."


FTC settles with lead generation company over misleading and illegal practices

Blue Global, LLC was fined $104 million for selling private information to third parties

The Federal Trade Commission (FTC) announced a $104 million settlement with a lead generation business on Wednesday over charges that it misled consumers and unlawfully shared and sold consumers’ private information.

The original complaint alleged that Blue Global, LLC had consumers fill out loan applications that it then sold to other entities as “leads.” FTC officials said that CEO Christopher Kay ran dozens of websites that operated in this manner and gave no consideration to where the information ultimately ended up.

“Defendants shared loan applications with and sold them to other entities without regard to loan terms, whether the other entity was a lender, or whether the other entity secured the application data in any fashion,” the complaint said.

Selling private information

The FTC further alleged that Blue Global made several false promises to consumers who filled out loan applications. According to the complaint, consumers were told that the information in their loan application would help the company find a loan with the lowest interest rate and other favorable terms, as well as help match applicants to a lender selected from a network of 100 or more loan providers.

Additionally, Blue Global allegedly told applicants that they were “very likely” to receive a loan by completing the online application and that the information they provided would “always be safe and secure” because it was only shared with “trusted lending partners.”

However, the FTC alleged that the company provided the sensitive information to any potential buyer without the knowledge or consent of the applicant. The complaint also says that Kay and his company did nothing to investigate or take preventative actions when confronted by affected consumers.

Settlement terms

Under the terms of the settlement, the defendants are barred from misrepresenting that they can assist consumers with getting favorable loan rates or terms. They must also ensure that personal information collected from consumers is protected and secured in the future.

The defendants must also investigate and verify the identity of businesses that they give consumer information to and obtain consent from consumers before doing so. The $104 million judgment against Blue Global will be suspended based on its inability to pay.


Supreme Court to hear cellphone privacy case

At issue is whether police can obtain cellphone records without a warrant

Many consumers may not give much thought to how much they are being tracked through the use of their cellphones, but privacy advocates think about it a lot.

Now, the U.S. Supreme Court will think about it.

The Justices have agreed to rule whether the police and prosecutors must obtain a search warrant before they can obtain information from cellphone providers about a particular customer's movements, as recorded by their connection to individual cell towers. That kind of data has allowed the police to investigate the validity of a suspect's alibi, for instance, or place them near the scene of a crime.

The case in question revolves around a man charged in connection with a string of robberies at electronics stores in the Detroit area in 2011. The police built their case against the suspect using data obtained from his wireless carrier. It showed the man was in the vicinity of the stores at the time they were robbed.

Unreasonable search?

Since the police did not secure a warrant before obtaining the evidence, his lawyers argue that it constitutes unreasonable search and seizure under the Fourth Amendment to the U.S. Constitution.

The court hearing the robbery case rejected the argument. When the case was appealed to the U.S. Sixth Circuit Court of Appeals, the justices also dismissed the argument, ruling that the authorities do not need to obtain a warrant to receive cell phone records.

So when the Supreme Court agreed Monday to hear the case, civil libertarians celebrated the news.

ACLU reaction

“Because cell phone location records can reveal countless private details of our lives, police should only be able to access them by getting a warrant based on probable cause,” Nathan Freed Wessler, a staff attorney with the ACLU, said in a statement. “The time has come for the Supreme Court to make clear that the longstanding protections of the Fourth Amendment apply with undiminished force to these kinds of sensitive digital records.”

The ACLU says the cellphone data acquired by law enforcement shows how location data can reveal "extraordinary private details" about an individual's life.

The defendant in the case is being represented before the Supreme Court by ACLU attorneys.


Chipotle identifies locations hit by data breach

Customers paying with plastic between March 24 and April 18 could be affected

If you ate at a Chipotle Mexican Grill or Pizzeria Locale restaurant and paid with plastic between March 24 and April 18 this year, there's a chance hackers have your credit or debit card data.

The company reports the completion of an investigation into the incident, in which hackers breached its payment card network at some, but not all, locations. To find out if a location you visited was affected, go to the bottom of this page for Chipotle Mexican Grills and the top of this page for Pizzeria Locale.

The data breach was first reported April 25, and since then investigators have been trying to learn more about it. They conclude that malware designed to access payment card data from cards used at point-of-sale (POS) locations infiltrated the company's payment networks.

The software looked for track data containing vital information about the cardholder, including card number, expiration date, and internal verification code. It also sometimes included the customer's name.

Customers should remain vigilant

"Customers that used a payment card at an affected location during its at-risk time frame should remain vigilant to the possibility of fraud by reviewing their payment card statements for any unauthorized activity," Chipotle said in a press release.

It's important to report any unauthorized charges to the card issuer quickly, since cardholders are protected from liability if they report the fraud in a timely manner. Consumers should contact their bank or credit card company by using the phone number on the back of the card.

Consumers who used a credit or debit card at one of the affected locations should also contact the card issuer's customer service department and report that fact. The company likely will issue a replacement card and cancel the old one.

During its investigation, Chipotle said it removed the malware from its systems and is working on ways to improve its network security.

The data breach is just the latest setback for the popular fast casual restaurant chain. Last year it was hit with an outbreak of E. coli that forced the temporary closing of several of its locations around the country.


Civil rights groups fight California bill that exempts students from privacy protections

The bill would allow teachers and school officials to check students' phones without consent

School administrators in California are pulling back on a bill that would allow teachers and principals to search through student cell phones after receiving blowback from civil rights groups, according to Courthouse News.

The proposed Assembly Bill 165 would exempt students from privacy protections guaranteed by the California Electronic Communications Privacy Act (CalECPA), which was passed in 2015. The act prohibits law enforcement officials from tracking or accessing a person’s cell phone or other electronic device without a warrant and provides protections for digital data stored in the cloud.

However, school officials say that it basically ties their hands when it comes to checking students’ phones to see if they are cheating on tests or cyberbullying other students. “We introduced the bill to try and pull schools out of CalECPA, and you might as well have thought that we started World War III,” said Laura Preston, a lobbyist for the school officials.

“The dilemma for us is this: If you take CalECPA to the letter of the law, we have to have a warrant in order to access electronic devices, but the types of things that we’re accessing don’t allow us to get a warrant. So what do we do when a student doesn’t volunteer his phone?”

Harming student privacy?

Preston and the bill’s supporters said they were “stunned” when their 130-word proposal was met by fierce resistance by civil rights groups, including the American Civil Liberties Union (ACLU), the Center for Media Justice, the First Amendment Coalition, and the Council on American-Islamic Relations.

The supporters said that AB 165 is a measure meant to keep students safe and not to invade their privacy, but the groups took umbrage with the bill’s potential implications for student rights.

“If you care about privacy, then CalECPA is one of the best things since sliced bread,” said Electronic Frontier Foundation staff attorney Lee Tien. “Why would anybody want to amputate protection of privacy of students, parents and teachers that work in the school system?”

The groups claim that AB 165 could be particularly harmful to the children of immigrants, since any confidential communications found on students’ phones could be turned over to law enforcement or immigration enforcement officials.

Not dead yet

One of the authors of AB 165, Assemblyman Jim Cooper (D-Elk Grove), has spoken out against CalECPA before. When the bill was originally being proposed, he called it a “one-size-fits-all bill that weakens the ability of law enforcement to effectively investigate child exploitation networks and secure evidence.”

Despite the opposition and their initial pullback on the bill, Cooper and the school administrators have not yet declared AB 165 dead.

“We’re making it a two-year bill, which means it’s not going to be heard next week. But the conversations are going to continue,” said Preston.


GameStop announces investigation of potential data breach

The company said that hackers may have made off with consumers' credit card information

Video game and consumer electronics retailer GameStop may be the latest in a slew of companies to experience a data breach. In a recent statement to computer security expert Brian Krebs, the company admitted that hackers may have infiltrated its website and siphoned off credit card information and customer data.

“GameStop recently received notification from a third party that it believed payment card data from cards used on the GameStop.com website was being offered for sale on a website,” GameStop said in a statement.

Check your financial statements

Quoting two financial industry sources, Krebs says that GameStop received alerts from a credit card processor which indicated that the company’s website had been compromised between mid-September, 2016 and the beginning of February, 2017.

Compromised information collected by the hackers likely includes customers’ names, addresses, card numbers, expiration dates, and three-digit security codes. In response to the potential hack, the company has stated that it “will continue to work non-stop” on the problem and that it will “take appropriate measures to eradicate any issue that may be identified.”

Additionally, the company offers some good advice to consumers who used the company’s site during the affected period.

“GameStop would like to remind its customers that it is always advisable to monitor payment card account statements for unauthorized charges. If you identify such a charge, report it immediately to the bank that issued the card because payment card network rules generally state that cardholders are not responsible for unauthorized charges that are timely reported.”


TRUSTe pays penalty, stiffens standards in agreement with New York

NY's attorney general had charged that TRUSTe failed to adequately check kids' sites

The privacy standards company TRUSTe has agreed to pay $100,000 and adopt new security measures to settle a complaint brought by New York Attorney General Eric T. Schneiderman.

Schneiderman had charged that the company failed to adequately assess its customers' websites, leaving such popular sites as Roblox.com and Hasbro.com vulnerable to illegal tracking of underage visitors, a practice that is prohibited under the federal Children's Online Privacy Protection Act (COPPA). 

“Companies entrusted with protecting children’s privacy online have a responsibility that my office takes seriously – now, more than ever before,” said Attorney General Schneiderman. “TRUSTe failed to meet its obligations to keep children safe from the prying eyes of online trackers and its customers within the parameters of the law. My office is committed to protecting children online and will continue to hold accountable those who violate this or any other online privacy statute.”

Safe harbor program

The settlement concerns TRUSTe’s Children’s Privacy Program, a “safe harbor program,” designed to assess website operators’ compliance with COPPA. COPPA encourages operators of children’s websites to participate in such programs by providing a safe harbor from enforcement actions to operators that comply with safe harbor program rules.

As the operator of a COPPA safe harbor program, TRUSTe is required to conduct a comprehensive review of website operators’ policies, practices, and representations at least once per year to assess operators’ compliance with COPPA. The Attorney General’s office found, however, that TRUSTe’s annual reviews failed to adhere to the company’s own policies in several critical respects.

Among other failings, Schneiderman said that although TRUSTe conducted electronic scans of customers’ websites for third-party tracking technology prohibited by COPPA, in many cases TRUSTe omitted most or all of its customers’ children’s webpages from its scans. TRUSTe therefore could not determine whether unexpected third party tracking technologies were present on these customers’ children’s websites.

Also, Schneiderman said that in many cases, TRUSTe failed to provide its customers with relevant results from its electronic scans, including some of the third party tracking technologies that TRUSTe had detected. This deprived TRUSTe’s customers of an opportunity to analyze the results to identify tracking technologies that violate COPPA.

This is the second announcement made in connection with “Operation Child Tracker,” the Attorney General’s ongoing investigation into the illegal tracking of children’s online activity by marketers, advertising companies, and others. 

In September 2016, Schneiderman announced that his office had entered into settlements with four companies that had violated COPPA by allowing illegal third-party tracking technologies on some of the nation’s most popular kids’ websites, including websites for Barbie, Nick Jr., My Little Pony, American Girl, Hot Wheels, and dozens of others. 


Comcast pledges to respect customers' privacy

However, it supported the repeal of new FCC privacy rules

This story has been updated to reflect that AT&T and Verizon also claim they do not intend to track users around the Internet.


Comcast is seeking to distance itself from the other internet service providers (ISPs) that lobbied Congress to roll back internet privacy protections.

While it was supportive of the effort to remove the newly-imposed regulations, Comcast says it has no intention of selling customers' web browsing histories and will continue to protect consumers' privacy.

In a blog posting, Gerard Lewis, Comcast's senior privacy officer, said the company has never sold web browsing histories and doesn't plan to start, even if it's legal to do so.

"Comcast has committed to privacy principles that are consistent with the FTC’s privacy regime which has applied to all entities in the Internet ecosystem for over 20 years and which continues to apply to internet edge companies like Google, Facebook, and Amazon," Lewis wrote. "We believe this commitment is legally enforceable in multiple ways, including by state attorneys general."

Calls current privacy rules 'overreaching'

However, Comcast did join with other ISPs to urge the overturning of the Federal Communications Commission (FCC) privacy rules, which Lewis describes as "overreaching." He says much of the discussion about the Congressional move has been misleading.

"Our privacy commitments to our customers go even beyond this protection of sensitive information that has dominated the dialogue this week," Lewis wrote. "If a customer does not want us to use other, non-sensitive data to send them targeted ads, we offer them the ability to opt out of receiving such targeted ads."

He also said Comcast continues to comply with federal laws protecting privacy, such as the Communications Act, the Children’s Online Privacy Protection Act, and the Electronic Communications Privacy Act.

Privacy concerns

Last week, both the House and Senate approved a measure reversing the Obama administration's internet privacy safeguards, drawing a sharp rebuke from various consumer and privacy organizations.

"The vote in Congress to repeal the broadband privacy rules, allowing internet service providers to spy on their customers and sell their data without consent, is a terrible setback for the American public," said Susan Grant of the Consumer Federation of America. "It does provide an opportunity for President Trump, however. He can show that he is on the side of the people by vetoing this measure."

Trump, however, is expected to sign it. The rules currently in place were drafted to prevent ISPs from recording customers' actions, putting the information in databases, and selling access to marketers and others.


Saks Fifth Avenue left customer info lying around in plain sight

The unencrypted data was publicly available on the web

The latest consumer privacy slip-up is courtesy of Saks Fifth Avenue, which has left personal information on tens of thousands of its customers basically lying around in plain sight.

The unencrypted, publicly available text information included the email addresses and product codes of items customers had expressed an interest in buying, according to a report in BuzzFeed.

“This is as bad as security gets,” said Robert Graham, a cybersecurity expert and owner of Errata Security, to BuzzFeed News. “Everyone is vulnerable.”

Saks' online shopping site is operated by its corporate parent, Hudson's Bay Company of Canada. The company said it is "taking this matter seriously" and insisted that the unsecure data did not include credit card numbers or passwords.

Hudson's Bay has recently been in takeover talks with Neiman Marcus and Macy's. It is the oldest continually operating retailer in North America, having been founded in 1670.


Bill would impose privacy restrictions on drones

Congressmen say consumers are vulnerable to uncontrolled snooping

Privacy advocates have been pushing for protecting consumers from overhead drones, and now a Congressional bill aims to do just that. The Drone Aircraft Privacy and Transparency Act of 2017 was introduced yesterday by Sen. Ed Markey (D-Mass.) and Rep. Peter Welch (D-Vt.).

"Drones flying overhead could collect very sensitive and personally identifiable information about millions of Americans, but right now, we don't have sufficient safeguards in place to protect our privacy," said Markey. The lawmakers introduced similar legislation in the last Congress but no action was taken.

The measure would set standards for informing the public about the location, timing, and ownership of unmanned aerial vehicles. It would also require privacy protection provisions relating to data collection and minimization, disclosure, warrant requirements for law enforcement, and enforcement measures in the licensing and operation of drones.

Privacy & transparency

The FAA estimates that as many as 2,700,000 commercial unmanned aircraft systems will be sold each year in the United States by 2020.

“As the presence of drones in our airspace becomes more commonplace, Americans are rightly growing concerned about their privacy,” said Rep. Welch in a statement. “Drones are a valuable tool for commerce, law enforcement, and public safety as well as a fun hobby. Our statutes must be updated to reflect the emergence of this soon-to-be ubiquitous technology to ensure privacy and transparency in their operation and use.”
 
The measure would:

  • Prohibit the FAA from issuing drone licenses unless the license application includes a data collection statement that explains who will operate the drone, where the drone will be flown, what kind of data will be collected, how that data will be used, whether the information will be sold to third parties, and the period for which the information will be retained.
  • Require law enforcement agencies and their contractors and subcontractors to include an additional data minimization statement that explains how they will minimize the collection and retention of data unrelated to the investigation of a crime.
  • Require that any surveillance involving drones by law enforcement agencies must be accompanied by a warrant or collected under extreme exigent circumstances.
  • Require the FAA to create a publicly available website that lists all approved licenses and includes the data collection and data minimization statements, any data security breaches suffered by a licensee, and the times and locations of drone flights.

WikiLeaks offers to help tech companies block CIA spying

But tech companies appear dubious the problem is real

Among this week's revelations in the release of thousands of purported CIA files is the contention that some flawed computer security software is going unrepaired because U.S. intelligence agencies find them useful.

The files, code-named Vault 7, contend that the CIA knows about various security flaws but hasn't alerted the manufacturers because it wants to keep using them to spy on its targets.

On the heels of the document release, The Daily Mail reports that WikiLeaks director Julian Assange is offering to provide details of the defects to the appropriate companies. The information was redacted from the document release so that it would not be distributed any further among hackers than it already has.

A lot more information

Assange told reporters that he has access to "a lot more information" that he is willing to make available to companies so they can make their consumer products more secure.

"After considering what we think is the best way to proceed and hearing these calls from some of the manufacturers, we have decided to work with them to give them some exclusive access to the additional technical details that we have, so that fixes can be developed and pushed out, so people can be secured," Assange said in a video posted on The Daily Mail website. "And then once this material is effectively disarmed by us, by removing critical components, we will publish additional details about what has been occurring."

The documents published by WikiLeaks claim the CIA has penetrated the operating systems of iPhones and Android devices to intercept messages. Some documents alleged the spy agency is able to use Samsung smart TVs to listen in when the set is believed to be turned off.

Silicon Valley skepticism

But another British newspaper, The Guardian, reports tech companies appear to be in no rush to take Assange up on his offer. In fact, The Guardian quotes Ryan Kalember, a senior executive at Proofpoint, as finding "nothing earthshattering" in the documents. He says some of the systems mentioned in the documents are old and are either no longer used or have been updated.

In other words, he says it really isn't clear how many of the vulnerabilities highlighted in the documents are real. Another anonymous security researcher dismissed the documents as "unimpressive," saying they show a lack of technical sophistication at the CIA.

Writing on Sophos Software's Naked Security blog, John E. Dunn also seems to classify the document dump as old news.

"The significance of Samsung TV hacking is not that the CIA will do this to the average citizen – CIA target lists are tiny – but that they can do that at all," Dunn writes. "As we know from numerous IoT vulnerability stories, these devices have a security problem."

The same is true, he writes, for vulnerable smartphone messaging programs. The big news, he concludes, is the CIA somehow lost control of these documents. If WikiLeaks can get its hands on them, so can a lot of other people.


Consumer groups ask FCC not to toss privacy rules for broadband providers

The Trump-era commission has been racing to please the advertising industry

Bring up the subject of privacy and you're liable to get this answer: "Well, I don't do anything I'm ashamed of, so I don't care who knows what I'm doing."

That's fine, but the issue of privacy in the internet era is not so much about others learning your secrets but about marketers and advertisers following your every virtual step and amassing huge data troves that are then used for everything from targeting advertising to you, determining your credit rating, and perhaps influencing your employment prospects.

This is the thinking behind privacy regulations adopted by the Federal Communications Commission under the Obama Administration, regulations that the Trump Administration is preparing to toss. Leading consumer organizations are coming to the defense of the regulations, urging the FCC to retain the privacy rules that limit how much data broadband providers like Comcast and AT&T can gather about you. 

"Before the internet was developed, consumers relied on the law to protect their privacy and the security of their correspondence through the mail, telegram, and telephone. Consumers should not have less privacy and security just because our systems of communication have evolved to include the internet," Consumers Union and the Consumer Federation of America say in papers filed with the FCC late Monday.

Racing to repeal

The Obama-era rules require broadband providers -- or internet service providers, as they are sometimes called -- to obtain consumers' opt-in consent before drawing on their Web-surfing history or app usage data for ad targeting.

New FCC Chairman Ajit Pai, a longtime foe of the regulations, has already managed to delay implementation of a regulation that requires providers to take reasonable security measures to protect consumers' data.

Advertisers and broadband providers say the rules are unfair because they are inconsistent with more permissive Federal Trade Commission rules, which apply to websites but not to broadband providers.

The FTC generally recommends that companies allow consumers to opt out of data collection but doesn't require an opt-in procedure.

But the Consumers Union and the Consumer Federation of America argue that broadband providers are not comparable to other Web companies.

"Broadband internet access service providers have a unique, sweeping view into consumers’ daily online lives, and should be held to a higher standard than edge providers," the groups said in a letter to the FCC.


Facebook agrees to stop reading your messages

But consumers who were spied on get nothing

Facebook has agreed to stop mining private messages to generate "likes" and targeted advertising without informing its users, settling a class action lawsuit filed in 2013.

The suit claimed that Facebook routinely scanned private messages, watching for URLs that could be used to generate ads and "likes," alleging that the practice violated the federal Wiretap Act and California's Invasion of Privacy Act.

The settlement will not exactly hit Facebook where it hurts. The two named plaintiffs in the case will get $5,000 each and their lawyers will split $3.23 million, but the millions of other consumers who were spied on will get nothing. 

That's in line with previous settlements of similar cases with Google and Yahoo, which each agreed to modify their email-scanning practices and provide more notice to consumers but paid no damages.

The Facebook case began in 2012 when security researcher Ashkan Soltani reported that Facebook counts in-message links as "likes." Besides spying on message transmissions users thought were private, the practice left lots of room for error -- a consumer could send a URL to a friend as an example of a really stupid idea and it would still be counted as a "like."

As part of the settlement, which must still be approved by U.S. District Court Judge Phyllis Hamilton, Facebook will amend its practices and provide more notification to consumers, something it says it is already doing. She has scheduled a hearing for April 12.


Model year 2017 Dutchmen Coleman recreational trailers recalled

The federal identification tag contains incorrect tire and rim size information

Keystone RV Company is recalling 64 model year 2017 Dutchmen Coleman recreational trailers, model 2515RL.

The vehicle's federal identification tag contains incorrect tire and rim size information. As such, these vehicles fail to comply with the requirements of 49 CFR Part 567, "Certification."

Incorrect label information may result in the operator using the wrong rim size for the vehicle, increasing the risk of a crash.

What to do

Keystone will notify owners and will supply a corrected Federal Identification Tag, free of charge. The recall was expected to begin in February 2017.

Owners may contact Keystone customer service at 1-866-425-4369. Keystone's number for this recall is 17-277.


A privacy fight is brewing at the FCC

New Chairman Ajit Pai is rolling back an internet privacy rule adopted last year

In its first few weeks in office, the Trump administration has taken aim at a number of its predecessor's policies.

A case in point is the Federal Communications Commission (FCC), whose control passed from Democrats to Republicans with the change in administrations.

Newly appointed FCC Chairman Ajit Pai moved quickly to back away from his predecessor's position on Net Neutrality -- the principle that internet service providers (ISPs) shouldn't favor one type of content over another.

Pai has argued that companies that own broadband distribution networks need to be free to charge more for data-intensive content, such as movies.

Privacy rule roll-back

Late last week Pai signaled his intention to roll back another Obama-era policy -- a proposed FCC rule requiring ISPs to gain customers' specific approval before their sensitive information is shared with third parties.

The rule has not yet gone into effect and Pai has said he will block it, arguing that it places an unfair privacy burden on ISPs, one not shared by websites and social media networks.

His move is meeting stiff opposition from privacy advocates in and out of Congress. Sen. Edward Markey (D-Mass.) has been among the most vocal critics in Congress.

He said ISPs should bear heavier responsibilities because they are "gatekeepers." He charged that Pai would give ISPs a green light to ignore best industry practices and put consumers' sensitive data at risk.

“Chairman Pai’s suspension of the data-security rules under the broadband-privacy order shows his clear intention to undermine the broadband-privacy rules in their entirety," said Matt Wood, policy director at Free Press, an advocacy group. "Despite the rules’ passage in a 3–2 vote, Pai has elected to suspend these orders on his own authority, showing his disregard both for agency procedures and for consumers whose private information is left more vulnerable."

Pre-emptive strike

Wood said it is no coincidence that Pai is moving to block proposed rules before they can go into effect. The privacy provisions were scheduled to become active on March 2.

"What he’s doing today with regard to internet users’ privacy protections is a clear signal that he intends to reverse every other protection in due time, if he can," Wood said.

The FCC adopted the privacy rules last year. They required ISPs to get consumers' permission before selling information about them -- such as their web-browsing histories. The rules also required internet providers to tell consumers who is receiving their information.


Big bug leaks lots of data but maybe nobody saw it

Industrial-strength ISP was leaking data for nearly six months before anyone noticed

You may never have heard of Cloudflare, but chances are it has heard of you. It's an internet service provider that handles about 10 percent of the world's web traffic and it's just learned that a "leak" in its system has exposed an unknown quantity of data to public view.

The flaw was first uncovered by Google vulnerability researcher Tavis Ormandy on February 17, but it could have been leaking data since as long ago as September 22, Wired.com reported.

Cloudflare's corporate clients include household names like Uber, Fitbit, and OkCupid, among many others, so there is potentially a lot of personal information at stake -- everything from user IDs and credit card numbers to health data.

Company officials emphasize that the security flaw wasn't a hack job but rather a bug that allowed some data -- one in every 3.3 million page requests -- to be publicly visible on the web. That doesn't sound like much, but considering the billions of page requests routinely handled by Cloudflare each day, it could be significant.

It's hard to estimate just how serious the problem was, but it illustrates the risks involved in today's massive data storage and transmission systems, where even a well-designed and carefully maintained network can experience small problems that have a potentially big result.

In this case, Cloudflare officials are saying that although the data leaks were real, there's no evidence any of it was misused.

"We think it’s unlikely that someone actually spotted it and did something bad with it,” John Graham-Cumming, Cloudflare’s chief technology officer, said, according to a Wall Street Journal report.

What to do

The advice for consumers will sound familiar -- change your passwords. This is easier said than done, of course. Most of us have hundreds of passwords if we actually do what experts recommend, which is to have a separate password for each site we visit.

One consumer we know has a 19-page list of user IDs and passwords. He uses Lastpass to generate and store passwords but still encounters frequent incidents in which a single site -- Google, for example -- may require 20 or more passwords for separate accounts and functions.

It's devilishly hard to keep them all straight, and the idea of changing all of them every time there's another breach, hack, or leak becomes more than a little absurd.


FTC's new head eyes 'harms-based approach' to privacy protection

Trump appointee sees overreach in earlier FTC actions

How will the Trump Administration's Federal Trade Commission (FTC) handle privacy protection? A recent speech by acting FTC Chair Maureen Ohlhausen may yield a few clues.

Speaking at a conference in Atlanta on Feb. 2, Ohlhausen drew a distinction between a "notice-and-choice approach" to privacy protection and a "harms-based approach," an approach one privacy advocate called "outrageous."

The difference? The "notice-and-choice" approach, generally favored by the Obama FTC, basically gives consumers the choice to "opt out" of sharing certain types of information. The "harms-based" approach, on the other hand, seeks to protect consumers only from privacy breaches that are harmful.

As Ohlhausen sees it, consumers are not harmed when their movements on the web are tracked by marketing research companies and used to target advertising and conduct research into consumer behavior.

"The overwhelming majority of consumer benefits emerge from a free and honest market," she said. "Our job, then, is to address unfair and deceptive practices that harm the market process and harm consumers. And we must do so in a way that avoids hindering market-generated consumer benefits."

But Sophia Cope, staff attorney for the Electronic Frontier Foundation, calls the harm-based approach outrageous and says it is "exactly what companies have been hoping for."

"It removes consumer choice and control over their privacy," Cope said in an email to ConsumerAffairs. "Now bureaucrats get to decide that certain data practices are not harmful, even if they include collecting highly sensitive information about people and what they do online, engaging in non-stop online surveillance, monetizing that information for commercial gain, and sharing that information with numerous unknown parties. Consumers deserve better from the FTC."

Should consumers be told?

The harms-based approach is clearly a switch from the philosophy represented by a recent FTC staff report that warned of the privacy risks presented by "cross-device tracking" of consumers -- the practice of tracking consumer actions on desktop devices, on their smartphones, and at ATMs, retail point-of-sale terminals, and elsewhere.

The FTC report recommends that, at the very least, companies that engage in cross-device tracking have an obligation to tell consumers they're doing it and to offer them a chance to opt out. Those who track such sensitive data as health and financial information should be required to seek permission in advance, the report recommends.

While Ohlhausen did not refer to that report specifically, she made it clear that chasing theoretically harmful actions wouldn't be her top priority, saying that the agency's limited resources should be devoted to stopping practices that are clearly harmful.

"The agency should focus on cases with objective, concrete harms such as monetary injury and unwarranted health and safety risks. The agency should not focus on speculative injury, or on subjective types of harm," she said.

Before prosecuting a company, she said, the commission should ask itself: "How were consumers harmed? And how does this action address that harm? 

"This focus on consumer harm is part of our statutory mandate, but it is also good policy. Asking and answering these two questions will focus our limited resources where they can do the most good," she said.

Citing instances of "concrete" consumer harm, she pointed to the Ashley Madison and Eli Lilly cases. In the Ashley Madison case, there was evidence that several consumers committed suicide after their identities were revealed in a hack of the adultery-dating site. The Eli Lilly case involved the exposure of sensitive medical information.

Ohlhausen said the FTC has in the past "ventured onto less sure ground, and into areas where consumer injury is not as well understood." She said one of her major priorities will be "to deepen the FTC's understanding of the economics of privacy."


VIZIO settles with regulators over deceptive data collection charges

Officials alleged that the company collected data from consumers and sold it to third parties

The Federal Trade Commission (FTC) and the New Jersey Attorney General’s office have reached a $2.2 million settlement with smart TV manufacturer VIZIO, resolving a complaint that the company collected viewing data on 11 million consumers without their consent.

The complaint states that, as early as February 2014, VIZIO and one of its affiliates manufactured smart TVs that captured screen information and demographic data about consumers, including information on age, sex, income, and a variety of other metrics. Officials allege that VIZIO then took that information and sold it to third parties who used it to create targeted ads that reached consumers across their devices.

“[VIZIO] provided this viewing data to third parties, which used it to track and target advertising to individual consumers across devices. [It] engaged in these practices through a medium that consumers would not expect to be used for tracking, without consumers’ consent,” the complaint stated.

"Egregious invasion of privacy"

The complaint goes on to explain that the data tracking practices were unfair, deceptive, and in violation of the FTC Act and New Jersey protection laws, something that New Jersey Attorney General Christopher Porrino expounded on.

“New Jersey residents enjoying television in the privacy of their own homes had no idea that every show they watched, every movie they rented, every commercial they muted was being secretly tracked by the defendants who then exploited that personal information for corporate profit,” he said. “This kind of allegedly deceptive behavior is not only against the law; it is an egregious invasion of privacy that won’t be tolerated.”

The settlement requires VIZIO to pay $1.5 million to the FTC and $1 million to the New Jersey Division of Consumer Affairs, $300,000 of which has been suspended. The stipulated federal court order requires VIZIO to prominently disclose and obtain consent for its data collection and sharing practices, and stipulates that the company must delete all data collected before March 1, 2016.

The order expressly forbids the company from making future misrepresentations about the privacy, security, or confidentiality of any consumer information it collects. VIZIO has also agreed to implement a data privacy program, which will be evaluated biennially.

“This settlement not only holds the defendants accountable for their alleged deceptive practices, it requires them to destroy the data they gathered without consumers’ consent, and to revise their business practices to protect consumers from future privacy breaches,” said Porrino.

For more information, consumers can visit the FTC’s site here.


FTC report warns of privacy risks in cross-device tracking

Consumers should be allowed to opt out of surveillance that follows them from one device to another

Privacy advocates aren't certain how they'll fare as the Trump Administration gets into gear, but federal agencies are continuing to press ahead with privacy protection initiatives, at least for now. However, they are not able to issue any new regulations under Trump's order that freezes all new rules.

The latest such effort is a staff report from the Federal Trade Commission that deals with what's known as "cross-device tracking" -- stalking consumers as they move from smartphone to laptop to tablet and other devices.

The surveillance is, of course, for the fairly pedestrian practice of targeting ads, but it feels invasive to many consumers and has the potential to be harmful if it's misused, most experts agree.

The FTC report recommends that, at the very least, companies that engage in cross-device tracking have an obligation to tell consumers they're doing it and to offer them a chance to opt out. Those who track such sensitive data as health and financial information should be required to seek permission in advance, the report recommends.

No action now

The report was prepared by the FTC staff and at the moment is just a report. Any new regulations embodying its recommendations would need to be written and adopted by the full FTC, something that's not likely to happen until President Trump nominates some new commissioners.

The FTC is supposed to be made up of five commissioners, but there are at present only three and there will be only two when Chairwoman Edith Ramirez leaves office Feb. 10.

Perhaps seeking to head off critics, commissioner Maureen Ohlhausen -- a Republican who is expected to be Trump's choice to chair the commission -- issued a statement noting that the report does not break any new ground but simply extends the existing principle that consumers should be informed when their activities are being monitored and recorded for marketing purposes.

"[The] report notes that consumers might be surprised if their activity on one device informed advertising on another device. As such, today’s report does not alter the FTC’s longstanding privacy principles but simply discusses their application in the context of a new technology," Ohlhausen said.

The 23-page report does note that under existing rules, companies that fail to "provide truthful information about tracking practices" may be violating laws against deceptive and unfair conduct.

"History sniffing"

The agency has taken such action in the past. In one such case in 2012, it reached a settlement agreement with Epic Marketplace, a marketing research firm it had accused of "history sniffing."

“Consumers searching the Internet shouldn’t have to worry about whether someone is going to go sniffing through the sensitive, personal details of their browsing history without their knowledge,” said then-FTC Chairman Jon Leibowitz. “This type of unscrupulous behavior undermines consumers’ confidence, and we won’t tolerate it.”

In the report released Monday afternoon, the staff further advised companies to be careful about making "blanket statements," saying that the information they gather on consumers is "anonymous" when in fact it may not be.

"Often, raw email addresses and usernames are personally identifiable, in that they include full names," the report noted. "Even hashed email addresses and usernames are persistent identifiers and can be vulnerable to reidentification in some cases."
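The report's point that a hashed email address is still a persistent identifier is easy to see in code. The following is an added example written for this page, not code from the FTC report or from any company it names. It contrasts an unkeyed SHA-256 of an address, which every party holding that address can recompute and therefore recognise in a "hashed" dataset, with an HMAC pseudonym under a secret key that only the data controller holds. All addresses are constructed sample data, and the lowercase-and-strip normalisation is an assumption that mirrors common matching practice rather than anything the report specifies.

```python
"""Why a hashed e-mail address is still a persistent identifier (added example).

Unkeyed hash:   anyone who already holds the address gets the same value,
                so the "anonymous" dataset links straight back to a person.
Keyed pseudonym (HMAC): deterministic only for the key holder; without the
                key a recipient cannot recompute it from addresses it knows.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample data: addresses a second party already holds, e.g. its
# own customer list. None of these are real accounts.
KNOWN_ADDRESSES = [
    "alice.example@example.com",
    "bob.example@example.org",
    "carol.example@example.net",
]


def normalize(email: str) -> bytes:
    """Canonicalise the address (assumed: trim and lowercase, as matching pipelines commonly do)."""
    return email.strip().lower().encode("utf-8")


def plain_hash(email: str) -> str:
    """Unkeyed SHA-256: the same input always yields the same value for everyone."""
    return hashlib.sha256(normalize(email)).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key: reproducible only by whoever holds the key."""
    return hmac.new(key, normalize(email), hashlib.sha256).hexdigest()


def link_to_known_address(identifier: str, known: Iterable[str]) -> Optional[str]:
    """Return the known address whose unkeyed hash equals `identifier`, or None.

    This is the linkage the report warns about: nothing is "reversed"; the
    recipient simply hashes addresses it already has and compares.
    """
    table = {plain_hash(addr): addr for addr in known}
    return table.get(identifier)


def is_stable_across_parties(email: str) -> bool:
    """Two parties that normalise the same address independently get identical hashes."""
    return plain_hash(email) == plain_hash("  " + email.upper() + " ")


def demo() -> dict:
    """Run both schemes over the sample data and report what each one leaks."""
    target = "bob.example@example.org"
    key = secrets.token_bytes(32)  # held only by the data controller, never shared

    return {
        # Shared as a "hashed" value: still recognisable by anyone holding the address.
        "plain_hash_linkable": link_to_known_address(plain_hash(target), KNOWN_ADDRESSES),
        # Shared as a keyed pseudonym: a recipient without the key cannot match it.
        "keyed_pseudonym_linkable": link_to_known_address(keyed_pseudonym(target, key), KNOWN_ADDRESSES),
        "plain_hash_stable": is_stable_across_parties(target),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the keyed pseudonym is still deterministic for the key holder, so it is pseudonymous rather than anonymous: within the controller's own systems it remains a persistent identifier, and only rotating or discarding the key breaks that linkage. That is exactly why the report treats hashed identifiers as personal data rather than as a blanket guarantee of anonymity.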


Consumers see cash as defense against holiday hackers

But survey shows plastic remains the payment of choice

If more consumers doing last minute Christmas shopping are paying with cash, it could mean they are trying to stick to their budget in the final shopping frenzy.

Or, it could be a defensive move, an effort to prevent getting caught up in a retailer's data breach.

Thales, an IT and cybersecurity firm, reports most consumers would change their shopping behavior in some ways if they knew a particular retailer had suffered a system hack. While 20% of consumers in a Thales survey said they would avoid shopping at the store, the majority – 55% – said they would continue shopping at the retailer but would pay using cash.

The return to old fashioned currency bucks the recent trend of electronic payments that has caused some to speculate on the eventual demise of cash. But the Thales survey makes clear that consumers view cash as a firewall against their data being compromised.

Still using plastic

That's not to say that consumers have abandoned electronic payments. Far from it. The survey found that more than 90% of holiday shoppers will use a credit card, debit card, or mobile wallet to pay for at least some of their purchases.

And while mobile wallet use is on the rise, it has a long way to go to catch up with plastic, and even cash. Only 16% of shoppers said they planned to pay with their smartphones this holiday season.

In a promising sign for consumers' financial health, the survey found more shoppers plan to use debit cards and cash over credit cards. Since debit card purchases come directly out of a consumer's bank account, it suggests there could be less of a shopping hangover when credit card bills arrive in January.

Cash is still an important tool

Cash might not be king, but Jose Diaz, director of payment strategy at Thales e-Security, says it remains an important tool for consumers, not only for budgeting but in protecting against theft.

"These survey results offer a stark reminder that a serious data breach could stop many consumers from shopping at a merchant's store or at the very least move them back to cash payments," Diaz said.

As for the future, Diaz predicts greater use of mobile for both browsing and buying during the holidays. In the next five years, he also sees a sharp rise in the use of mobile wallets.


Florida appeals court rules against protection of phone password in criminal case

Judge says turning over a password is a matter of surrender and not testimony

At the beginning of 2016, controversy over phone privacy reached critical levels when Apple went head-to-head with the FBI over unlocking the contents of a phone used by one of the San Bernardino terrorists. The company had strongly opposed an order to create a backdoor that would allow investigators to access the device, saying that doing so was a violation of rights.

Although the order was eventually withdrawn due to a successful hack by the feds, Apple said that it would have set a “dangerous precedent” if it had agreed to help hack the phone. However, a decision by a Florida court may have set a related precedent that makes phone security less concrete in criminal cases.

According to Courthouse News, the appeals court ruled against a man suspected of voyeurism, saying that the accused could be compelled to reveal his passcode in order to search for incriminating photos. Judge Anthony Black reversed the decision of a trial judge who had ruled in the man’s favor, saying that compelling him to give up his password does not usurp his constitutional rights.

Violation of rights?

The defendant, named Aaron Stahl, was accused by a woman of pretending to drop his phone in order to crouch down and take photos up her skirt. Stahl reportedly ran when the woman called for help and was arrested by police, who were able to track his car license plate number.

Stahl initially told police that they could search his Apple iPhone 5, but he withdrew that consent before giving up his four-digit passcode. The officers obtained a warrant for the phone, but were unable to access any alleged pictures since they didn’t have the code. They petitioned the trial judge to have Stahl give up the password, but their request was denied on the grounds that doing so would essentially be a violation of the man’s Fifth Amendment rights.

However, Judge Black reversed that decision at an appeals hearing, saying that the passcode is not necessarily related to any criminal photos or videos that might be found.

“Providing the passcode does not ‘betray any knowledge [Stahl] may have about the circumstances of the offenses’ for which he is charged. Thus, ‘compelling a suspect to make a nonfactual statement that facilitates the production of evidence’ for which the state has otherwise obtained a warrant based upon evidence independent of the accused’s statements linking the accused to the crime does not offend the privilege,” he said.

Surrender, not testimony

The decision basically comes down to whether giving up the passcode is a violation of Stahl’s right to not testify against himself. According to the trial judge, Stahl couldn’t be forced to use the “contents of his mind” to unlock the phone – a decision that mirrors a classic law example that an accused person may be “forced to surrender a key to a strongbox containing incriminating documents,” but can’t “be compelled to reveal the combination to his wall safe.”

However, Black says that this is fallacious reasoning, arguing that the two examples are two sides of the same coin. “We question whether identifying the key which will open the strongbox – such that the key is surrendered – is, in fact, distinct from telling an officer the combination. More importantly, we question the continuing viability of any distinction as technology advances,” he said.

In the end, Black says that compelling Stahl to give up his password is more akin to surrendering a key to a lockbox and not a matter of testifying against himself. “Unquestionably, the State established, with reasonable particularity, its knowledge of the existence of the passcode, Stahl’s control of possession of the passcode, and the self-authenticating nature of the passcode. This is a case of surrender and not testimony,” he concluded.


Here are the most hackable holiday gifts

Intel Security warns many gifts under the tree may be vulnerable to hackers

We've seen that devices that connect to the internet can be the weak link in the web's security chain.

Last month a major denial of service attack briefly shut down several major internet sites after hackers mobilized millions of smart devices around the world.

So with all kinds of electronic devices under the tree this year, from laptops to drones, it might be a good time to think about which gifts are most vulnerable to a hack and what consumers can do about it.

Computers still number one

For a second year, Intel Security has compiled its McAfee Most Hackable Holiday Gifts list to identify hot-ticket items that pose the biggest risk. Topping the list of categories is personal computers. Whether a laptop or desktop, these devices are almost always connected to the internet and visiting websites where they can run into trouble.

Other gifts high on the list of vulnerable devices include smartphones and tablets, media players and streaming sticks, smart home automation devices, and drones. Intel Security says the ways some consumers use these devices can add to the risk of a hack.

“Unsurprisingly, connected devices remain high on holiday wish lists this year,” said Gary Davis, chief consumer security evangelist at Intel Security. “What is alarming is that consumers remain unaware of what behaviors pose a security risk when it comes to new devices.”

Too eager to get started

Davis says the problem often lies in the eagerness consumers show in using their new gadget as soon as they get it. If they fail to properly secure it, Davis says cyber-criminals can exploit that eagerness to gather personal consumer data. That can expose them to malware or identity theft and even expose the internet to denial of service attacks, much like the recent Dyn attack that blocked access to Netflix, Amazon, Twitter, and other major sites.

Intel Security is particularly worried about drones, pointing out that sales of these aircraft are expected to explode in the next few years. Not properly securing these devices, however, can make them vulnerable to hackers who are able to disrupt the GPS signal and hijack the aircraft through its smartphone app.

To make connected devices more secure, Intel Security suggests installing a comprehensive security software package, using only secure Wi-Fi, keeping software up to date, and using robust passwords and PINs.


How to stay secure while shopping online

Expert suggests thinking about where you shop and how you pay

Consumers are buying more of everything online, so it shouldn't be a surprise that they are doing more holiday shopping with their mobile devices and PCs.

The National Retail Federation predicts consumers will spend more than half their holiday shopping budget online, a fact that probably hasn't escaped notice by hackers and cyber-thieves. So before you place the first online order, consider how best to protect yourself.

First and foremost, be mindful of where you connect to the internet. You are better off doing it at home, on a secure network. It might seem convenient to buy something while you're in a store or coffee shop, but remember, those are open networks and can be vulnerable to eavesdropping.

Randal Vaughn, professor of information systems in Baylor University’s Hankamer School of Business, has given ecommerce security considerable thought. He suggests consumers think about using alternatives to credit cards to make online purchases.

Use a gift card

“For example, one can use gift cards such as an Amazon gift card at some online merchants. Others may want to consider using a virtual credit card such as Bank of America's ShopSafe virtual card or a Paypal virtual card,” Vaughn said.

Still, even that isn't hack-proof. Vaughn says cyber-thieves could still rack up charges on virtual cards and returning items could be more difficult.

Another no-no is paying for an online purchase with a debit card. That's because fraud protections are not as strong for debit cards as they are for credit cards. Consumers who report a compromised debit card within two days can limit their losses to $50, the same as credit cards. But after that the liability can be as much as $500.

“If you do not report a fraudulent debit transaction, you might not have any limit to the amount of money you can lose,” Vaughn said.

Be selective where you shop

Another piece of advice is to be selective where you shop. Well-known retailers usually have robust cyber-security on their ecommerce sites. If you haven't heard of a company, you can't be sure. Research an unfamiliar company thoroughly before placing an order. Also, if a site is offering popular products at ridiculously low prices, that could be a red flag.

“There is a large market for counterfeit goods, particularly in the fashion industry,” Vaughn said. “I generally search for online reviews of a web merchant before doing business with the merchant. However, reviews can be faked and one should be cautious,” Vaughn said.

Finally, Vaughn suggests consumers not overlook traditional brick-and-mortar stores. He says sometimes the best deals really are found by driving to the mall.


Symantec acquiring LifeLock for $2.3 billion

Deal helps Symantec expand beyond computer software products

A major software security firm is buying a leading identity theft prevention service. Symantec, which produces Norton anti-virus software, is acquiring LifeLock in a deal valued at $2.3 billion.

The boards of directors of both companies have already signed off but LifeLock shareholders will have the final say. Assuming they approve and other customary closing conditions are met, the deal should close in the first quarter of next year.

The acquisition marks the continued expansion of Symantec beyond the traditional anti-virus software products that fueled its initial growth. In an interview with Reuters, Symantec CEO Greg Clark said sales of Norton products have faced headwinds in recent years because of a decline in the number of personal computers in homes and offices.

Symantec said its acquisition of LifeLock will combine a leader in consumer security with a leading provider of identity protection and remediation services. It says the result will be the world’s largest consumer security business, providing a wide range of services and earning over $2.3 billion a year in estimated revenue.

New dimension to protection

“People’s identity and data are prime targets of cybercrime. The security industry must step up and defend through innovation and vigilance,” said Dan Schulman, Symantec Chairman. “With the acquisition of LifeLock, Symantec adds a new dimension to its protection capabilities to address the expanding needs of the consumer marketplace.”

There's little question that protecting against cyber crime is a growth industry. An estimated one-third of U.S. consumers have been victims of some sort of hack. As consumer concern about the threat grows, the industry has expanded its services.

LifeLock offers identity theft services, monitoring clients' credit files for new account openings and credit applications. It also offers services to help consumers recover from identity theft.

In the previous decade some of its marketing practices ran afoul of federal regulators. As recently as last year, the Federal Trade Commission charged that LifeLock violated a 2010 settlement in which it agreed to stop making deceptive claims about its identity theft protection service.

For its part, LifeLock sees a merger with one of the largest computer security firms as a win-win for both companies. LifeLock CEO Hilary Schneider says the combined companies can deploy enhanced technology and analytics to improve services to consumers.

How to protect your devices from hackers

In the age of the 'Internet of Things,' security is a top priority

Late last month, a massive distributed denial-of-service (DDoS) attack cut off access to many popular sites, including Netflix, Amazon, and Twitter. The attackers used millions of compromised internet-connected devices to flood the target with requests at the same time, overloading it.

Experts have warned that similar attacks could easily be repeated, and that shoring up security across the vast “Internet of Things” (IoT) should be a primary objective. While that will remain a massive, ongoing undertaking, there are some things consumers can do to secure their own devices so that attackers can't take hold of them.

The Washington Post has reported that knowing which devices are vulnerable and how to protect them can keep your private information safe and help prevent future large-scale attacks.

How to spot an IoT device

The first step to protecting yourself from hacking attempts is knowing which of your devices are susceptible to them. Unfortunately, from a security standpoint, the number of IoT devices is increasing at a dramatic pace; some experts estimate that there will be as many as 30 billion connected devices by 2020.

The simple way to identify an IoT device is to ask whether it connects to the internet or shares information over a wireless network. Consumers readily recognize computers and smartphones, but less obvious devices such as security cameras, DVRs, and smart home technology like thermostats also qualify.

Protecting your devices

Unless such a device is protected by a strong, unique password, a savvy attacker can take control of it and use it for nefarious purposes. So always change the default password on any device that connects to the internet; the user manual explains how for most devices.

If the manual isn’t available, try a web search for “default [product name] login and password.” Once you have the credentials, log in and change the password. Remember that if the default is listed online, anyone can find it, so afterward it is worth confirming that the old default no longer works.
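A small check for the last step above, written for this page rather than taken from the article: it tries a list of factory-default logins against a device's web interface over HTTP Basic auth and reports which ones the device still accepts. The device URL and the credential list are assumptions, and a mock device is included so the script runs offline; point `audit_device` at a device you own to use it for real.

```python
"""Check whether a device on your own network still answers to a factory
default web login.  Added example, not code from the article; the device
URL and the default credential list are assumptions, and the mock device
at the bottom stands in for real hardware so the script runs offline.
Use it only against devices you own."""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Hypothetical factory defaults; real ones come from the vendor manual or a
# web search for "default <product> login", as the article suggests.
DEFAULT_CREDENTIALS = [("admin", "admin"), ("admin", "password"), ("root", "root")]


def basic_auth_header(username, password):
    """Build the HTTP Basic 'Authorization' header value for a credential."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def login_accepted(base_url, username, password, timeout=3.0):
    """Return True if the device's web interface accepts this credential.

    A 2xx answer to an authenticated request means the login worked; a 401 or
    403 (raised as HTTPError by urlopen) means it was rejected; a network
    error is treated as 'not accepted' rather than as a finding."""
    req = Request(base_url, headers={"Authorization": basic_auth_header(username, password)})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except (HTTPError, URLError):
        return False


def audit_device(base_url, candidates=DEFAULT_CREDENTIALS):
    """Return every (username, password) pair the device still accepts.

    An empty list is the result you want after changing the default password."""
    return [(u, p) for u, p in candidates if login_accepted(base_url, u, p)]


class _MockDevice(BaseHTTPRequestHandler):
    """Stand-in for an IoT device's web login, protected by HTTP Basic auth."""
    accepted = ("admin", "admin")  # overridden per server by start_mock_device

    def do_GET(self):
        if self.headers.get("Authorization") == basic_auth_header(*self.accepted):
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"device status page")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="device"')
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_mock_device(accepted):
    """Start a mock device on a free localhost port; returns (server, base_url)."""
    handler = type("MockDevice", (_MockDevice,), {"accepted": accepted})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/"


if __name__ == "__main__":
    # Device still on its factory default: the audit flags it.
    server, url = start_mock_device(("admin", "admin"))
    print("before password change:", audit_device(url))
    server.shutdown()
    server.server_close()

    # Same device after the owner set a unique password: nothing is flagged.
    server, url = start_mock_device(("admin", "correct horse battery staple"))
    print("after password change:", audit_device(url))
    server.shutdown()
    server.server_close()
```

The check deliberately treats a network error the same as a rejected login rather than as a finding, so a device that is switched off or on another subnet does not show up as "secure"; if a device reports nothing, confirm it was actually reachable before trusting the result.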

Another option is simply not to buy certain products with online connectivity. Connectivity may be useful for some gadgets, but is it really important to have a refrigerator that can go online? If the answer for you is no, and the device can’t be password protected, consider buying a different product.

If you are worried about the connectivity of any of your devices, contact the manufacturer for more information. The Department of Homeland Security also publishes public alerts on security issues, vulnerabilities, and exploits on its website.

FCC adopts new privacy rules for broadband providers

The rules require consumer consent before sensitive information is collected or shared

The Federal Communications Commission voted today to adopt rules that protect consumers' privacy on the internet. The rules give broadband customers tools to make informed choices about how their personal information is used and shared by internet service providers (ISPs).

"It's the consumers' information," said FCC Chairman Tom Wheeler when the proposal was unveiled earlier this year, "and the consumer should have the right to determine how it's used."

Industry groups fought the proposal bitterly. USTelecom, a trade group, took to Twitter to denounce the rules as a "naked power grab."

But most consumer and privacy advocates endorsed the measure. Meredith Rose, staff attorney at Public Knowledge, said the rules would be "a step forward to protecting consumers’ economic and dignitary rights in their own data."

Rose said that without such rules, "consumers face a very real threat of having personal data exposed, sold to third parties without their knowledge, or misused in other fashions." 

Thorn in the side?

The 3-2 party-line vote by the five FCC commissioners is seen as a potential thorn in the side of the pending Verizon/Yahoo and AT&T/Time Warner mergers. The deals are built around the notion that Verizon will have access to the data Yahoo has collected about its customers, and likewise for AT&T and Time Warner.

To give consumers more control over the use of their personal information, the rules establish a framework of customer consent, calibrated to the sensitivity of the information, that ISPs must follow before using or sharing their customers’ personal information. Sensitive information requires greater transparency and consent than more routine data.

The approach is consistent with other privacy frameworks, including the Federal Trade Commission’s and the Administration’s Consumer Privacy Bill of Rights.

Three categories

The rules separate the use and sharing of information into three categories and include clear guidance for both ISPs and customers about the transparency, choice and security requirements for customers’ personal information:

Opt-in: ISPs are required to obtain affirmative “opt-in” consent from consumers to use and share "sensitive" information, which includes precise geo-location, financial information, health information, children’s information, Social Security numbers, web browsing history, app usage history, and the content of communications.

Opt-out: ISPs would be allowed to use and share non-sensitive information unless a customer “opts out.” The "non-sensitive" information basically includes everything not included under the "sensitive" definition -- for example, email address or service tier data.

Exceptions: Customer consent is inferred for certain purposes specified in the statute, including the provision of broadband service or billing and collection. For the use of this information, no additional customer consent is required beyond the creation of the customer-ISP relationship.

Clear, conspicuous

The rules require ISPs to give customers clear, conspicuous, and persistent notice about what information is being collected, how it is being shared, and how customers can change their privacy preferences.

ISPs are also required to follow "reasonable" data security practices and to notify customers of data breaches.

The rules apply only to broadband service providers and other ISPs and telecommunications carriers. They do not apply to websites and other "edge services," which are not under the FCC's jurisdiction.

Verizon executive says the company needs more information on the Yahoo data breach

What they find out could affect how much they pay for their acquisition

It’s been a little over a month since Yahoo confirmed details of its massive data breach, which compromised information on roughly 500 million user accounts. When the news broke, many people speculated whether it would affect Verizon’s acquisition of the company – a deal that had been struck in July for around $4.8 billion.

Those rumors began heating up at the beginning of the month when reports suggested that Verizon was pushing for a $1 billion discount because Yahoo had not disclosed information about the breach. And now, only a couple of weeks later, talk is swirling about what Verizon actually intends to pay.

According to a report from Reuters, a Verizon executive stated at a tech conference that buying up Yahoo still made good business sense. However, she said that Verizon still needed more information about the breach, which will ultimately affect how much the company plans to pay.

“I’ve got an obligation to make sure that we protect our shareholders and our investors, so we’re not going to jump off a cliff blindly,” said Marni Walden, president of Product Innovation and New Businesses at Verizon.

Uncertain future

As we reported previously, the Yahoo acquisition gives Verizon a lot of advantages. The company acquired AOL back in 2015, and combining it with Yahoo would give the company a strong competitive rival to the likes of Google and Facebook in the digital advertising market.

At the conference, Walden showed her enthusiasm for the prospective combination, pointing out that the deal could allow Verizon to cater more to brands, since Google and Facebook focus more on social media and search, respectively. “We can help other brands build inside of a very open, friendly marketplace,” she said.

However, not having all the information on Yahoo’s data breach could be a sticking point. When asked if Verizon could potentially back out of its acquisition deal, Walden was non-committal, simply asking for the next question. Leaving the door open in this way certainly won’t make the folks over at Yahoo sleep any easier.

Consumers wary of social media privacy protection

Americans think the government should do more to protect personal privacy

In an odd juxtaposition, 80% of Americans say they use social media daily while 96% say they don't trust social networks to protect their privacy. You might wonder why so many people use something they think isn't safe, but that's a question that's seldom asked.

A recent survey conducted for the Craig Newmark Foundation provides a clue, however: we want the government to protect us. 

The survey found that many Americans think privacy laws are too weak, with Millennials being the strongest advocates for tougher privacy protections.

Millennials and Baby Boomers are the groups most distrustful of social media, the survey found.

  • Only 7% of Millennials have a lot of trust that social media sites will protect their privacy and personal information. Their trust of social media sites is down 9% from two years ago.
  • Adults 65+ have the least trust;
  • Of those who use social media the most – at least four social media sites – only 14% have a lot of trust in them;
  • Most of the best-known social media sites are seeing increased usage since 2014, according to responses to survey questions about which sites people use.

A majority of Americans surveyed also expressed concern about the lack of safety online, including fears over identity theft, email hacking, and non-consensual online tracking.

Similar findings

A recent Pew Research survey came to similar conclusions. It found that “68% of internet users believe current laws are not good enough in protecting people’s privacy online; and 64% believe the government should do more to regulate advertisers.” Americans also favor limits on how long the records of their activity are stored.  

Pew also found that “young adults are more focused than elders when it comes to online privacy,” and many have tried to protect their privacy, removed their names from tagged photos, and taken steps to mask their identity. According to Pew, 74% of Americans say it is “very important” to be in control of their personal information.

Experian reports many organizations still open to cyber attack

Many have developed plans but fewer have updated them

As a consumer, you trust your personal information to countless businesses and organizations.

You trust your doctor to keep your health records private, your mortgage company to protect your financial information, and your bank to secure your money from cyber attack.

However, a new report from Experian Data Breach Resolution presents a mixed picture on whether that trust is misplaced.

On one hand, the report found the number of organizations that have prepared a plan to deal with and prevent data breaches rose from 61% in 2013 to 86% this year. But it also found only 38% have fixed procedures and timelines for reviews and updates.

In fact, 29% of organizations haven't conducted a review or update since the plan was put in place.

No substitute for being prepared

"When it comes to managing a data breach, having a response plan is simply not the same as being prepared," said Michael Bruemmer, vice president at Experian Data Breach Resolution.

Bruemmer said it seems some organizations are simply “checking the box” when it comes to cyber security. He says developing a plan is only the first step in an ongoing process that unfortunately, must evolve to keep current with threats.

Of all the threats out there, ransomware appears to be growing fastest, posing the greatest risk to organizations. Attackers who find the weakest link in a corporate network can encrypt files across the network, making them inaccessible until a ransom is paid.

725 breaches so far this year

The Identity Theft Resource Center (ITRC) keeps a running count of reported data breaches in the U.S. As of early October, it had counted 725 successful breaches, with nearly half involving health care records.

These records, which usually include extensive personal history, including Social Security numbers, make it easy for hackers to steal identities.

The Experian report is not all bad news. For example, it shows 58% of organizations have increased their level of preparedness. But Bruemmer says that number needs to be higher to ensure the safety of U.S. consumers.

"Investing in breach preparedness is like planning for a natural disaster,” he said. “You hope it will never happen, but just in case, you invest time and resources in a response plan so your company can survive the storm."  

Report: Yahoo scanned email for U.S. intelligence

Reuters reports that the government was looking for certain combinations of characters

On the heels of news that millions of Yahoo user accounts had been compromised, a published report claims the tech company complied with a government order to scan all customers' email in real time for certain combinations of characters.

According to the exclusive report by Reuters, three former Yahoo employees with direct knowledge of the activity said the scans were carried out on behalf of an unnamed U.S. intelligence agency. The purpose of the scans was not revealed, though it likely involved monitoring of suspected terrorist activity.

If true, it would probably be the first time that an American internet company aided the government by searching real time communications, rather than turning over stored messages or monitoring a limited number of accounts in real time.

Mayer made the call

Two of the former Yahoo employees say the decision to comply with the government order was ultimately made by Yahoo CEO Marissa Mayer, and it proved to be highly controversial. They linked the decision to last year's resignation of chief information security officer Alex Stamos, who now works at Facebook.

Everyone else allegedly involved is remaining tight-lipped. Reuters said Facebook declined to make Stamos available for an interview. It quoted a terse statement from Yahoo that said only "Yahoo is a law abiding company, and complies with the laws of the United States," leaving readers to draw their own conclusions.

Meanwhile, Reuters reports no one in the U.S. intelligence community is saying anything.

Yahoo rival Google, meanwhile, had no hesitation about commenting. A spokesman told Reuters the internet company had not been asked to scan emails, but if it had it would have refused. Microsoft also told Reuters it had not been approached.

Was Yahoo alone?

Security experts, however, said it was unlikely the intelligence services approached only Yahoo, since it could not have been known which email service the target used.

“Based on this report, the order issued to Yahoo appears to be unprecedented and unconstitutional,” American Civil Liberties Union (ACLU) staff attorney Patrick Toomey said in a statement. “The government appears to have compelled Yahoo to conduct precisely the type of general, suspicionless search that the Fourth Amendment was intended to prohibit.”

Toomey said customers who use email services like Yahoo are counting on technology companies to stand up to novel spying demands in court.

Last month Yahoo confirmed that 500 million user accounts had been compromised by hackers.

User information including name, email address, telephone number, date of birth, passwords, and, in some cases, security questions and answers were stolen almost two years ago.

Yahoo to announce details of massive data breach

The breach may involve the release of information on up to 200 million user accounts

This story has been updated.

---

Earlier this summer, Yahoo’s long search for a buyer finally came to an end when Verizon agreed to pay $4.83 billion to acquire it. However, the new owners of the company may be dealing with some headaches in the near future.

Technology news website Recode reported yesterday that Yahoo will be confirming details of a massive data breach sometime this week, according to sources close to the situation.

The breach is likely connected to claims made by hackers earlier in the summer that they had access to 200 million Yahoo user accounts, including information on names, passwords, personal information, birth dates, and other email addresses.

Massive data breach

Sources reporting to Recode have been fairly tight-lipped on specific information related to the breach, most likely because government investigations and legal action will proliferate if the claims are true.

However, the initial indications don’t look very good. Earlier in the summer, a hacker going by the moniker “Peace” said he would be selling credentials for 200 million Yahoo users, dating from 2012, on the dark web for little more than $1,800. One source remarked that the current situation was “as bad as that. . . Worse, really.”

When the news broke in July, Yahoo stated that it was aware of Peace’s claim but refused to lend it any legitimacy, saying that it would investigate the issue. Now, if it turns out that there was a massive data breach, it could mean financial repercussions for the company.

The core of Yahoo’s business that was sold to Verizon would be right in the thick of this scandal, which means that Verizon may end up having to deal with the fallout. This could lead to a readjustment of the transaction price that Verizon paid for the company, which is likely to make many shareholders worry.

Until confirmation of the breach is released, though, business should continue as usual. Both Yahoo and Verizon will continue to meet to review the former’s business so that the transition can run smoothly once regulatory agencies and shareholders approve the deal.

Debt collection companies sued for $10 million over robocalls

Prosecutors say that consumers were harassed even if they didn't owe any money

Debt collection company iQor, along with its subsidiary Allied Interstate LLC, have been sued for $10 million by four district attorneys in California. The state officials said that the companies violated a number of consumer protection acts when they used automatic dialing systems to harass consumers with robocalls.

The complaint states that consumers were hounded by these calls for months, even when they owed no money. Prosecutors say that one consumer from San Jose received 126 calls in less than a month, while another man from Sunnyvale received 88 calls over a three-month period until he finally blocked the number.

iQor has defended its actions, and the actions of its subsidiaries, saying that the district attorneys were too quick to “suspend productive dialogue” centered around Allied’s “long-retired debt collection practices in favor of protracted litigation.”

“Allied enjoys an A-plus rating from the Better Business Bureau, is currently under no material regulatory restrictions at the federal or state level and is committed to consumer protection both within the state of California as well as the rest of the country,” said iQor officials in a statement. “Allied looks forward to defending this matter and continuing to improve its collection practices as industry expectations evolve.”

Violations

The charges do not look favorable for either of the companies, though. Prosecutors say that both firms violated a number of provisions from California’s Rosenthal Act, the state’s constitutional right to privacy, and the federal Telephone Consumer Protection Act – which forbids companies from using automatic dialing systems to call consumer cell phone numbers without consent.

The district attorneys also charged that the companies violated established consumer protections by calling before 8 a.m. and after 9 p.m. The companies also allegedly tried to collect debts that had previously been discharged during bankruptcy.

It isn’t the first time that Allied has faced regulatory scrutiny. From 2004 to 2011, the company was embroiled in several legal battles with state agencies across the country, including cases in Minnesota, Arizona, West Virginia, Maryland, Oregon, California, Florida, and Ohio. The company also paid $1.75 million to the FTC in 2010 for harassing consumers and trying to collect debts from the wrong people.

Lawsuit says NBA team app eavesdrops on conversations

Complaint claims app takes control of the phones' microphones

As National Basketball Association (NBA) champs in 2015 and runners-up this year, the Golden State Warriors are a very popular team, with thousands of fans downloading the team's official app.

The app provides schedules, player profiles, scores, and news updates, along with other information, like an interactive map of Oracle Arena, where the Warriors play.

But a lawsuit filed in California claims it does something else – turns on an Android smartphone microphone, creating a potential privacy issue.

According to the suit, filed in federal court in San Francisco, the defendants, which include the basketball franchise, engage in the “unlawful practice of systematically and surreptitiously intercepting consumers' oral communications without their consent.”

Seeking class action status

The suit, which seeks class action status, alleges the app is in violation of the Electronic Communications Privacy Act. The plaintiff, a New York resident, claims the purpose of the interception is to determine the consumer's location in order to tailor ads and promotions.

The suit does not claim that someone from the Warriors, or its affiliates, is actually listening to conversations. Rather, it says the app uses beacons to precisely locate fans and send ads to their phones. The beacons emit audio signals around Oracle Arena that are picked up by smartphone microphones, and the app listens for them.

Damages

The suit is asking for at least $10,000 in damages for each of the estimated 100,000 consumers who have downloaded the app.

It turns out that taking control of the microphone on a smartphone isn't that hard to do. And while this particular case involves only Android phones, iPhone users may also have something to worry about.

As we reported last week, there is malware out there targeting previously unknown vulnerabilities in Apple's mobile operating system. These flaws could not only let hackers take over your phone, they could also track your movements and turn on your microphone.

Fortunately, iPhone users can resolve that issue simply by installing the latest version of iOS.

Banks increasingly coming under cyberattack

Four in 10 consumers say their accounts have been compromised

Banks and other financial institutions spend billions of dollars on information and data security, mainly because they are such lucrative targets for cybercriminals.

Yet despite this spending and proactive defense, more than one-third of consumers say their personal bank accounts have been compromised. Almost 80% of financial institutions admit hackers have penetrated their defenses within the last two years.

These facts turned up in a new study by KPMG, which says banks can turn this negative into a positive.

"Financial institutions have a real opportunity to solidify trust with their customers by demonstrating that security is a strategic imperative, and that they are taking every possible precaution to protect consumers," said KPMG's Jitendra Sharma. "Consumers have a lot of options in this environment, so companies must get it right as the battle for customers is fierce."

Holding banks to a high standard

Indeed, consumers hold banks to a high standard. The survey showed that 37% said they would switch banks if their current financial institution did not cover their losses from a cyberattack. Nearly as many would leave if the bank didn't get out in front of the incident and acknowledge it in a timely manner.

In spite of the high-frequency attacks, the survey found the financial sector is the most proactive when it comes to defending against cyberattacks. About two-thirds of the financial sector executives polled for the study said their companies had invested in data security in the past year.

Not even the Federal Reserve has been exempt from cyberattack. A CNN report in June said the Fed has been under “constant” cyberattack since at least 2011. The network listed at least 50 reported incidents it labeled as “unauthorized access” or “information disclosure.”

How consumers can help

The American Bankers Association (ABA), meanwhile, says there are steps consumers can take to make their banking transactions more secure. Its most basic tip is to create long, random passwords, avoiding pet names and other predictable combinations, and not to reuse them across accounts.

It says consumers should also monitor their accounts on a regular basis. Don't just do it when the monthly statement arrives.

Also, make sure computers and mobile devices are protected from viruses and malware. Don't give out your personal financial information in response to an unsolicited email, no matter how official it may seem. The ABA says your bank will never contact you by email asking for your password, PIN, or account information.  

Feds mobilize industry for war on robocalls

FCC asks tech companies to find a way to block or limit these calls

The Federal Communications Commission (FCC) is preparing to wage war on robocalls and is trying to mobilize the technology industry to join the cause.

The FCC held a meeting with 30 of the industry's major players to talk about ways to hang up on these machine-generated calls, which are closely associated with scams, or products and services of dubious value.

You may be familiar with these calls. A recorded voice might congratulate you on winning a free cruise or tell you your business qualifies for a $250,000 loan. Or, the voice may claim to be calling from the IRS, warning you of impending jail time if you don't pay back taxes immediately – as in right now, over the phone, with a prepaid money card.

Biggest source of consumer complaints

The meeting was intended as a brainstorming session in hopes that Google, Apple, AT&T, and Verizon could find ways to limit or prevent these calls, which FCC Chairman Tom Wheeler calls “a scourge” and the biggest source of consumer complaints.

“They are an invasion of privacy, and this scourge is rife with fraud and identity theft,” Wheeler told the group. “The problem is that the bad guys are beating the good guys with technology right now.”

Wheeler says scammers outside the U.S. can use Voice over Internet Protocol (VoIP) to mislead voice networks, spoofing a legitimate phone number in a way that fools most caller ID systems.

FCC Commissioner Ajit Pai pointed out that there has already been some progress in this area. He points to a 2013 competition among developers that resulted in Nomorobo, an app that he says has already stopped more than 126 million robocalls.

“We know there is a problem,” said FCC Commissioner Mignon Clyburn. “We know how much consumers dislike these calls. We know the public is frustrated, because they assumed that after they registered for the Do Not Call list, this would stop. It did not, so now it is time to take some real action.”

Previous action

The FCC has already taken some action. A year ago it adopted a proposal making clear that consumers have the right to control the calls they receive on both landline and wireless phones. That move also gave providers permission to implement robocall-blocking technologies.

Wheeler says the government needs tech firms to take it from here, noting that scammers are using technology to stay well ahead of regulators.

“It’s not as if good guys [are] standing idly by,” Wheeler said. “But we need more urgency.”

The tech firms attending the meeting apparently got the message. Reuters reports most have signed on to become part of a robocall strike force that will report back to the FCC in October on what it has come up with.

Eddie Bauer reports data breach

It's the second retail intrusion report this week

If you recently used a debit or credit card at Eddie Bauer, your card information could be compromised.

The company reports its point of sale systems at its stores were infected with malware, giving hackers access to payment card data. If you used a card to make an online purchase at eddiebauer.com, no worries – the online portal was not affected.

According to the investigation, in-store payments between January 2 and July 17 may have been compromised. “May have been,” because the company says not all cardholder transactions during this time were affected. The problem is, there is no way to know which ones were and which ones weren't.

“The security of our customers’ information is a top priority for Eddie Bauer,” said Mike Egeck, Chief Executive Officer of Eddie Bauer.

Egeck says Eddie Bauer has already beefed up its cyber-security and no customers will be responsible for any fraudulent charges to their accounts.

Getting to be a common occurrence

This is just the latest in a string of data breaches in which hackers have targeted large retail operations. Security experts say these targets are more attractive than individual consumers because the payoff is potentially much greater.

In recent years, major retailers like Michaels, Target, and TJ Maxx have been victims of point of sale data intrusions. Earlier this week, a major hotel chain announced it had become a victim.

On Monday, HEI Hotels & Resorts, which operates Hyatt, Sheraton, Marriott, and Westin hotels, revealed that hackers had penetrated the company's point-of-sale systems. Consumers who used a card at the bar or to pay for a room may have been compromised, the company said.

HEI reported malware in its system at 20 hotels across the country and says that data collection may have started as early as March 2015.

What do you do now?

Eddie Bauer says not all transactions at its stores were affected, but it is still offering identity protection services to everyone who used a card to make a purchase during the period of the breach. The company said it has contracted with Kroll to provide free service for 12 months.

Additionally, consumers who used a debit or credit card at Eddie Bauer during the affected period should notify their card issuer and ask for a new card.

It is also a good idea to go back and review account statements beginning in January to look for unauthorized charges that might have been overlooked.


Google loses a round in Gmail wiretap case

A class action suit charges that Google wrongfully intercepts emails to inject ads

It has come to seem pretty ordinary that California-based Google scans your Gmail before delivering it, then inserts advertisements that seem to correspond to the subject being discussed.

But a class action lawsuit argues that the practice is not only out of the ordinary but is a violation of the California Wiretap Act, which prohibits interceptions except when they are part of the "ordinary course of business."

U.S. District Court Judge Lucy Koh handed a round to the plaintiffs last Friday, rejecting Google's claim that the practice is an ordinary part of how emails are delivered, Courthouse News Service reports.

In a 38-page ruling, Koh said intercepting emails to inject ads into them is not necessary or intrinsic to the email process and is done only so that Google can use the data it intercepts to display ads.

Too early

Google had moved for dismissal of plaintiff Daniel Matera's suit, arguing that it could not provide free email service without the targeted ads. But Judge Koh said it was too early to introduce the argument that intercepting email is part of the ordinary course of business, as Google had contended.

Matera's suit argues that Google is intercepting consumers' mail for commercial purpose, in violation of the state's Wiretap Act.

Matera has claimed that he is not a Google customer and thus does not benefit from Google's free email service. Nevertheless, he said, his emails to and from Google customers have been intercepted. He also argues that Google sells some of the data it intercepts.

Similar cases are pending, including one filed by a group of universities who say that Google wrongfully mines students' data.


Hackers hit 20 hotels across the U.S., swiped credit card info

The attack affected properties owned by HEI Hotels & Resorts

You've probably never heard of HEI Hotels & Resorts, but you may have stayed at one of the Hyatt, Sheraton, Marriott, or Westin hotels the company operates. If so, you could be among those whose personal information has been swiped by hackers who penetrated the company's point-of-sale systems.

Even if you did no more than order a drink in the bar and pay the tab on your credit card, hackers could have your name, credit card number, expiration date, and verification codes.

HEI says it found malware in its system at 20 hotels across the country and says that data collection may have started as early as March 2015.

The affected hotels are:

"We are treating this matter as a top priority, and took steps to address and contain this incident promptly after it was discovered," the company said in a prepared statement.

HEI said it discovered the malware in its system as it was performing an upgrade. It has now been disabled and the upgraded system will be more secure, the company said. 

If you stayed at one of the affected hotels, you should check your credit card statements for suspicious activity. More information is available on the HEI site.


Consumers take chances with free Wi-Fi networks, survey finds

AARP finds nearly half of consumers use public Wi-Fi, many without taking precautions

Some health advocates are worried that wi-fi and cellphone radiation pose a health hazard, but AARP is worried about a different type of wi-fi hazard -- the danger public wi-fi spots pose to privacy.

A new AARP survey finds that nearly half of consumers use free public wi-fi at least once a month to conduct sensitive personal business including banking, shopping, and checking their email.

That's OK if the public wi-fi network is secure, but many aren't, said AARP's Frank Abagnale.

“The convenience of free wi-fi networks remains a great asset for surfing the internet or checking the news or the latest weather forecast,” said Abagnale, one of the nation’s foremost experts on identity theft, forgery, and secure documents. “But consumers should never use unsecured wi-fi to log in to social media, engage in credit card transactions, or do online banking.”

To raise awareness of the issue, AARP is launching the Fraud Watch Network campaign. Besides conducting the study and issuing consumer bulletins, AARP says it will help coffee shops, retail stores, and other businesses that provide free Wi-Fi as a customer convenience by providing them with a small poster-type tip sheet that may be downloaded from the Watch Your Wi-Fi website.

Abagnale, who was named AARP Fraud Watch Ambassador in 2015, has been associated with the FBI for more than four decades and has advised and consulted with hundreds of financial institutions, corporations, and government agencies around the world. Abagnale’s story was told in his best-selling book, Catch Me if You Can, and in the 2002 movie of the same name, starring Leonardo DiCaprio and Tom Hanks. 

The poster and other information are available online.


What your browser “fingerprints” say about you

Australian researcher warns that they can lead to significant privacy breaches

At a crime scene, detectives are able to lift fingerprints that are not visible to the naked eye. But those fingerprints tell a lot about who was at the scene.

It's a very similar situation when you visit a website. You can't see it, but your web browser may leave unique fingerprints everywhere you go, revealing who you are and what you're doing.

Security experts warn that these fingerprints can be monitored, tracked, and identified by companies that want to sell you something and hackers who want to steal from you.

"Fingerprinting on computers is invisible to most people but there are companies out there who are already using these techniques to learn more information about individuals, about their interests and their habits," said Lachlan Kang, an Australian computer science doctoral student at the University of Adelaide.

So what?

So what, you ask? Kang answers that in its most benign form, it might mean you get a barrage of ads, based on the sites you visit.

You might already have noticed that. If you search for a particular item on Amazon.com, for example, you may see ads for that item pop up on every website you visit after that.

At worst, though, Kang says this cyber sleuthing could be used to spy on you.

"Computer users generally are growing in awareness of privacy issues, but currently there's little that can be done to counter fingerprinting,” Kang said. “This is because fingerprints build up in between the websites you're visiting – your browsing history and personal information can be pooled in the gaps between those websites. Simply clearing your browsing history won't make any difference to this, because the information is already out there."

Working on a defense

Kang's goal is to build a defense against third parties that are following your fingerprint trail. He hopes to develop software that acts in a similar way to anti-virus, allowing users who have installed it to block outsiders from seeing their browser fingerprints without their consent.

Kang is currently enlisting volunteers who would agree to allow him to analyze their digital fingerprints. He says he has about 25% of the number he needs.

In the meantime, if you'd like to get more information, or view your own browserprint, check this out.


Google challenges law regulating facial recognition software

The search giant says it should not have to comply with the Illinois law

An Illinois law regulating "faceprints" is unconstitutional, Google argues in a court filing. The law requires companies to obtain written releases from individuals before collecting their biometric data, including facial scans.

"Illinois legislators cannot decide policy for the rest of the world," Google says in a motion filed last week with U.S. District Court Judge Edmond Chang in Illinois. The search giant says it can't be expected to know which people in its database are from Illinois. 

At issue is the Illinois Biometric Information Privacy Act, passed in 2008. Besides requiring companies to get permission before making facial scans, it also requires them to notify people about the practice in advance and to publish a schedule for destroying the information if permission is not granted.

The filing came after Illinois resident Lindabeth Rivera filed a potential class action lawsuit charging that Google Photos unlawfully stores millions of faceprints of Illinoisians. 

Facebook suit

Facebook faces a similar lawsuit and experienced a legal setback earlier this month when U.S. District Court Judge James Donato cleared the suit to continue, saying that Illinois law would be "written out of existence" if companies did not have to comply with it.

In the Google case, Rivera, who does not have a Google Photos account, said someone else took photos of her and uploaded them. Google subsequently used the photos to create a template of Rivera's face, she charged.

A second person, Joseph Weiss, charged in a separate suit that he does have a Google Photos account and uploaded 21 photos of himself but didn't give permission for Google to use them to make a permanent record of his biometric data.

In its filing, Google says Donato's ruling in the Facebook case was incorrect, basically arguing it has no way of knowing which faces in its database belong to Illinois residents. Therefore, the law would "effectively regulate conduct having no connection to Illinois," the company argued. 


Why using your bank's ATM could be dangerous

Kaspersky Lab says cybercriminals can plant malware in ATMs

Consumers have been warned that using debit cards is inherently more dangerous than credit cards. If thieves manage to steal your debit card information, they can clean out your bank account.

There have been numerous accounts of identity thieves planting “skimmer” devices on ATMs and gasoline pumps. These fake keypads usually fit over the real keypad and record PINs as they steal account information.

But these skimmers are now old fashioned, and consumers have been cautioned to inspect keypads before they punch in their PINs. So some thieves have become more clever and diabolical. They hijack the ATM itself, turning it into one big skimmer.

Security company Kaspersky Lab says one of its teams recently made the discovery while investigating an incident report at an unnamed bank. The team found traces of Skimer malware on one of the bank's ATMs. The cybercriminals had planted it sometime earlier, but had not activated it.

Backdoor.Win32.Skimer

The Kaspersky team believes the thieves gained access to the bank's ATM system, either physically or by hacking into the bank's network. After that, they installed Backdoor.Win32.Skimer, malware that infects the core of the ATM, which controls the ATM's interaction with the banking infrastructure, including cash processing and credit cards.

Even though the cybercriminals have full control over the compromised ATMs, Kaspersky says they move slowly and deliberately, not wanting to raise suspicions. They no longer need the fake card readers that are getting easier to spot. Instead, when they throw the switch, they turn the entire ATM into a skimmer.

The malware allows the thieves to withdraw all the money in the ATM, or to intercept data from all debit cards used at the machine, which will continue to work perfectly.

Obvious problem

The problem is fairly obvious. There is no way for a consumer to tell whether the machine they're using to withdraw money is stealing their card's data.

The security firm says most cybercriminals successfully breaching an ATM won't steal money directly. Rather, they'll use the software to steal debit card data, because they can do it for months before their scheme is uncovered.

They make duplicate cards using the stolen data and use those cards in uninfected ATMs to withdraw large amounts of cash.

Countering the threat isn't easy, but Kaspersky recommends banks undertake regular AV scans and upgrade security systems and policies. The company said its investigation is ongoing, and that it is sharing intelligence with the banking industry.

Financial losses due to skimming continue to mount. A year ago FICO Card Alert Service reported a 173% year-over-year increase in card and PIN skimming points at bank-owned ATMs. At the same time, it said compromised merchant debit card transaction points had declined sharply.


Supreme Court casts doubt on privacy class-action cases

The issue boils down to the "concreteness" of the damage allegedly suffered by consumers

The U.S. Supreme Court today dealt a blow to privacy class-action cases that do not clearly establish that plaintiffs have been harmed, but it side-stepped setting any major precedents. The case involved information published by Spokeo, a "white pages" website that claims to provide accurate information about individuals.

Plaintiff Thomas Robins charged in the suit that Spokeo's site contained information about him that was incorrect and said that this had resulted in damage to his reputation and job prospects. He alleged that this constituted a violation of the federal Fair Credit Reporting Act (FCRA) of 1970.

But in a 7-2 decision written by Justice Samuel Alito, the high court vacated a February 2014 ruling by the Ninth Circuit Court of Appeals, which had held in Robins' favor.  

The trial court had originally dismissed Robins' case, saying he had not proven injury, but the Ninth Circuit disagreed and reinstated the case. Spokeo subsequently appealed, leading to today's Supreme Court ruling which split various hairs having to do with Robins' injury. It stated that while the harm was "tangible," it may not have been sufficiently "concrete" to warrant a trial.

Legal experts said the issue remains far from settled. 

Craig A. Newman, a partner with Patterson Belknap Webb & Tyler LLP and chair of its privacy group, called it "a bit of a lateral pass back to the appellate court."

"Not surprisingly, the Court was focused on whether there was a concrete enough injury to allow standing. It concluded that this issue wasn’t given proper attention by the appellate court, and sent it back on those grounds,” Newman said.

FCRA requirements

The suit alleged that by setting itself up as a "people search engine," Spokeo had fallen under the requirements of FCRA, which apply primarily to consumer credit reporting agencies.

FCRA requires consumer reporting agencies to follow certain procedures to ensure the accuracy of their reports, limits the use of reports for employment purposes, and requires posting a toll-free number for consumers to request reports.

Robins, 29, alleged that his Spokeo profile "states that he is married, has children, is in his 50’s, has a job, is relatively affluent, and holds a graduate degree" yet, according to Robins’ complaint, all of this information is incorrect. 

The high court did not definitively rule on whether Robins' injuries were sufficient to warrant legal action, merely returning the case to lower courts for adjudication.

It also dodged ruling on whether a mere statutory violation is sufficient grounds for consumers to bring suit. 

Newman noted, however, that both Justices Ruth Bader Ginsburg and Sonia Sotomayor dissented from the ruling, saying they "concluded that misinformation about a consumer, such as educational information, family circumstances and economic status, was enough to satisfy the concreteness threshold that this sort of information – at the beginning of a lawsuit – could cause the plaintiff actual harm."

"So there are two votes in favor of allowing the case to move forward,” Newman said.


FDIC faces Congressional heat over data breaches

Lawmakers accuse the banking agency of obstructing its investigation

When high profile retailers like Target or Home Depot suffer a data breach, it generally makes big news. When it happens to a federal agency, it's often less noticed.

So some consumers may be surprised to learn that FDIC, the agency that safeguards the nation's consumer banking system, has suffered several data breaches since 2013. Members of Congress say all the breaches were the result of FDIC employees going to new jobs and copying agency data to portable drives to take with them.

In a hearing Thursday, a subcommittee of the House Science, Space, and Technology Committee heard testimony from both senior FDIC officials and the agency's acting Inspector General.

Inconsistencies

Subcommittee Chairman Rep. Barry Loudermilk (R-Ga.) said he was troubled by what he called inconsistencies in FDIC testimony. He also accused FDIC of obstructing the committee's probe by not providing all the documents that were requested. He forcefully made that point while questioning Lawrence Gross, FDIC's chief information and privacy officer.

No notification

The House subcommittee members said they established that FDIC had failed to notify any of the nearly 160,000 consumers that their sensitive information had been compromised, a step private sector firms are required to take immediately.

Both Republican and Democratic members of the subcommittee were said to be upset when FDIC termed a 2015 data breach as “inadvertent.” The committee says documents from the Inspector General show that it took several weeks to recover the portable storage device responsible for the breach, and that the former FDIC employee who took the drive hired a lawyer to negotiate its return.

“The FDIC has been less than forthcoming with Congress,” the subcommittee said in a statement. “From providing incomplete document productions to mis-characterizing the facts, this agency is obstructing Congress’ oversight and failing to protect taxpayers’ personally identifiable information.”

What the law says

Lawmakers point to the Federal Information Security Modernization Act of 2014 (FISMA), which requires the FDIC to notify Congress of major security incidents within seven days.

The subcommittee says the October 2015 incident that involved personal data for more than 10,000 individuals was not reported until more than four months after the breach, and only then after the FDIC Office of Inspector General prompted the agency to do so.

Last year Target paid over $39 million to settle charges relating to its 2013 data breach, in which millions of credit card accounts were compromised.


Protecting yourself from credit card fraud

Fraud becoming more common, but not more costly for consumers

Having someone steal your credit card information and use it to run up unauthorized purchases can be an unnerving experience. But in reality, it's not a costly one. At least not for the victims.

A new report by MagnifyMoney shows most consumers who experience credit card fraud do not suffer a financial loss. The survey finds credit card companies are living up to promises of $0 liability in case of fraud.

Of course, it's a little easier for credit card issuers to do that now that liability for fraud falls on the merchant. But even before that transition took place last October, MagnifyMoney found that 96% of credit card fraud victims never had to pay a dime.

While 22.1% of consumers have reported credit card fraud, 93% of those incidents involved a criminal compromising a card, not the cardholder's identity. There is a very clear distinction.

Difference between account and identity fraud

When someone gains access to your credit card information, he or she can use it to buy things, at least until the issuer finds out and blocks further transactions. But if a criminal opens a new credit card account in your name, because he or she has stolen your identity, that's a much more dangerous event, since it could be months before the fraud is discovered.

Nick Clements, the co-founder of MagnifyMoney, says consumers need to realize that some type of fraud will probably affect them at some point, and preventing it is probably going to be a difficult task. That said, he notes consumers can play a big role in reducing its effects.

“Our effort should be focused on early detection and rapid reporting of any credit card fraud,” Clements said.

That can be aided, he says, by using available tools to detect fraud early and avoid financial loss.

Doubts about chip card

The new chip and signature cards are supposed to bring credit card fraud to a halt, but Clements expresses some doubts. He says chip cards may help reduce some fraud at physical locations, but won't provide additional security in online and mobile transactions.

Additionally, many retailers – and even law enforcement – have said someone with a stolen credit card can easily forge a signature. Without requiring a PIN to complete the transaction, they say the new cards are less secure.

Many retail locations that have installed the new chip card readers still are not using them. Clements says there have been many complaints about transaction times. The survey showed that 20% of respondents complained that the chip cards are “painfully slow.”

What to do

The Federal Trade Commission (FTC) has some advice to protect yourself against credit card fraud. It starts with keeping your card in a secure place at all times. It also suggests making a list – on paper, not electronically – of all your credit card numbers and contact information, so you can quickly report any suspicious activity.

Other tips include:

  • Don't give your credit card information to anyone over the phone unless you initiated the call
  • During a transaction, try not to let your card get out of your sight
  • Check your bills for unauthorized activity as soon as they are available

Microsoft files suit against the U.S. government over data privacy

The tech giant claims that the government violates First and Fourth Amendment rights when it forces access to cloud-based data

After the recent controversy between the Justice Department and Apple, wherein the latter had refused a court order to weaken its encryption to allow access to the cell phone of one of the San Bernardino shooters, privacy issues continue to be prominent.

Now, another tech giant is suing the U.S. government over supposedly indefinite gag clauses.

According to a Reuters report, Microsoft filed its lawsuit on Thursday over its right to tell consumers when a federal agency is looking at their emails. The company claims that the government is violating its First and Fourth Amendment rights by forcing it to remain silent when these actions take place.

Giving up rights

Microsoft is being put in this position in the first place due to the way that it stores data. Instead of having consumers store their own data on their personal computers, Microsoft keeps it on its own dedicated servers. According to the company, the U.S. government will often use Electronic Communications Privacy Act (ECPA) to access this secure data in order to further ongoing investigations.

This idea does not sit well with many tech companies, and perhaps even less so with consumers. Microsoft, in particular, believes that the government is taking advantage of new cloud-based storage to expand its power.

“People do not give up their rights when they move their private information from physical storage to the cloud,” said Microsoft in its lawsuit.

Expecting support

Critics of the lawsuit are quick to point out that Microsoft may be motivated by more than just an impetus to protect privacy. The company openly admits that it hears a lot of consumer complaints about this issue and that it may be losing consumer confidence and business when it comes to cloud-based services.

Regardless of the motivation, though, Microsoft fully expects to receive the support of consumers and the tech industry. “Just as Apple was the company in the last case and we stood with Apple, we expect other tech companies to stand with us,” said Brad Smith, Microsoft’s Chief Legal Officer.


Study finds consumers not too upset by data breaches

Only 11% say they stop doing business with a company that gets hacked

Data breaches are becoming increasingly common, but a new study finds that consumers aren't as upset about them as you might expect. In fact, the RAND Corporation study found that only 11 percent of those notified about a breach stopped doing business with the hacked company.

"While data breaches have become an alarmingly common part of American life, most people appear satisfied with companies' responses to data breaches and few decide to take their business elsewhere," said lead author Lillian Ablon. "It's unclear whether this response will induce companies to improve their breach notification practices."

About a quarter of those surveyed said they were notified about their data being included in a data breach during the previous year. Of those who had been notified at any point in their lifetime, about 44 percent said they were aware of the breach before the company notified them and about 10 percent said they discovered the breach themselves by noticing suspicious activity on their account.

While it is often thought that consumers are suffering "breach fatigue," the survey found that 62 percent accepted offers of free credit monitoring. Many of those who declined the offer said they already had a credit monitoring service.

Most were satisfied

More than three-quarters said they were highly satisfied with the company's post-breach response. Ethnic minorities, however, were less likely to say they were satisfied with the company's response and were more likely to stop doing business with the hacked company.

"Our research shows the importance of legislation that requires companies to notify individuals when a breach occurs," Ablon said. "Data breach notification laws empower consumers to take quick action to reduce risk and create incentives for companies to improve data security. Unfortunately, data breach laws are not uniform or even present for every state."

All but three states -- Alabama, New Mexico, and South Dakota -- have such laws.


ATM scams surged in 2015

Number of compromised cash machines rose over 500%

Automated Teller Machines (ATMs) have become so common that there is an entire generation that can't remember going inside the bank to cash a check. Most of us trust these machines without giving them a second thought.

New research from FICO, an analytic software firm, suggests that this trust could be misplaced. It reports the number of ATMs compromised by criminals rose 546% in 2015. The total number of compromised ATMs was the highest ever recorded.

ATMs can become compromised when a criminal installs a “skimmer” over the machine's keypad. When a consumer keys in his or her PIN, the skimmer captures the number, giving the criminal access to the consumer's bank account.

The scammer might also install a tiny camera that can record the debit card number and PIN.

Quick hits

While the number of compromises rose sharply last year, the research found that the compromises didn't last as long, either because they were discovered, or more likely, because criminals reduced the time spent harvesting card data in an effort to reduce risk. T.J. Horan, vice president of fraud solutions at FICO, said it appears criminals are taking a “quick-hit” approach to ATM theft.

“They are moving faster to make it harder for banks to react and shut down the compromises,” Horan said in a statement. “They are targeting non-bank ATMs, which are more vulnerable — in 2015, non-bank ATMs accounted for 60% of all compromises, up from 39% in 2014."

A non-bank ATM is one you might find at a convenience store or public place, like a sports stadium.

In the past, FICO says ATM compromises tended to be concentrated in urban areas. That changed last year, with the scam showing up in small towns and rural areas, spread across the U.S. Horan says ATM operators need to be more aware of tampering but so do consumers.

What to do

"To protect themselves from this kind of fraud, cardholders should be more vigilant," he said.

Consumers should inspect an ATM before using it. If it looks strange, or has a very different interface than experienced in the past, it is prudent to go to another location. If you complete a transaction and suspect it has been compromised, be sure to contact your card issuer.

Check bank transactions regularly to look for unauthorized withdrawals. If your bank offers text or email alerts for suspicious activity, make sure you sign up for it.

ATMs for the most part are reliable and secure ways to get cash, but that safety and security shouldn't be taken for granted.


What if Apple's engineers refuse to crack open the iPhone?

Ordering the corporation to do it is one thing; getting its employees to agree is another

In all the back-and-forth sabre rattling over the FBI's demand that Apple help it break into the iPhone used by one of the San Bernardino terrorists, there's one element no one has previously discussed -- Apple's engineers.

If the courts eventually rule that Apple must give the FBI access to the phone's contents, that's a chore that would presumably fall to Apple's engineers, who may well be the only people able to build the software needed to bypass the phone's protections.

But what if they refuse? What if they simply resign and walk away?

That's the possibility raised by The New York Times, which reports today that Apple's employees are already discussing what they will do if their employer is ordered to, in effect, become an arm of law enforcement. 

It wouldn't be the first time individuals have refused to carry out the law because of their personal beliefs. Remember the county clerk who wouldn't issue a marriage license to gay couples, the nurses who won't participate in abortions, and all the other cases that have hit the headlines in recent years?

Individual rights

That's basically the argument Apple has made in its court briefs; it has said that forcing Apple employees to do things they find offensive amounts to a violation of their First Amendment rights.

If Apple is finally ordered to comply with the government's wishes and the engineers then refuse or resign, the government is back where it started. It would have to start over and pursue legal actions against all of the engineers who designed the encryption methods used in the iPhone, assuming it could learn their identities.

The Times noted that Apple CEO Tim Cook made that very argument in an email to customers, writing that “The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe.” 

In that email, Cook noted that Apple has in the past provided information the FBI requested when it actually had the information in its possession.

"GovtOS"

But in this case, the information exists only on the shooter's iPhone. Cracking open that iPhone would require creating a "backdoor" that could be used against everyone's iPhone, exposing millions of consumers to invasion of privacy, financial skullduggery, and even physical harm, Cook said:

"Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession."

Citizens disunited

Apple said it would take six to ten engineers up to a month to meet the government's request but said it would be difficult to ramp up to build what it is calling "GovtOS" if key employees refused to do the work.

Meanwhile, another group of engineers would have to build software to be used by the FBI to access the iPhone's back door. Since many of these engineers would likely be the very ones who had worked on the original encryption system, it's not likely they would be very eager to undertake the task, the Times noted.

Some might recall that it was no lesser power than the Supreme Court that, in the Citizens United decision, held that corporations are essentially people and thus endowed with inalienable rights to give money to super PACs. 

Could be, but corporations -- virtual people if you will -- can't do much if the real people who make up that corporation refuse.  


Robocaller hounded millions with vacation packages, feds charge

Many of those called were on the Do Not Call list, the FTC alleges

It may sometimes seem that telemarketers are using the Do Not Call Registry as a phone book. While it may not be quite that bad, the fact is that robocalls are so cheap to make -- less than one cent each -- that telemarketers just can't help themselves.

Thus it was that an Orlando company, Lilly Management and Marketing, felt compelled to call more than 100,000 consumers for each of the vacation packages it was hawking, even though many of them were on the Do Not Call list, drawing the attention of the Federal Trade Commission.

“We've halted this intrusive and troubling unlawful robocalling campaign and deprived defendants of the full revenues they obtained,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection.

The FTC’s complaint charges Lilly and its owner, Kevin W. Lawrence, with making millions of illegal robocalls to sell deals offered by a number of vacation package companies. Many of those called were not only on the Do Not Call Registry but had specifically asked Lilly not to call them again, the complaint alleges.

Vacation Station

Operating under the name “USA Vacation Station,” Lilly allegedly bought lists of consumers’ telephone numbers, then cranked up its autodialers to begin bombarding those consumers with prerecorded pitches.

If a consumer picked up, listened to the pitch, and pressed “one,” they were transferred to a sales agent who tried to sell them a “magical Walt Disney World area holiday special” for which they “had been selected.”

Under a proposed court order, the defendants would be subject to a $1.2 million civil penalty, all but $19,000 of which would be suspended because they claim they cannot pay the full amount.


Choosing a home security camera -- local or cloud-based storage?

Each method has its benefits and drawbacks

Ensuring that privacy and security can be maintained in their homes is important to many consumers. But no matter where you live, there is always the chance that a break-in or other wrongdoing may occur.

To combat this problem, many people look to home security solutions like alarms – but perhaps one of the best things that a homeowner can install is a set of security cameras. But if you, like many others, don’t know the first thing about security cameras, then where do you start? To narrow down the choices, you may want to think about how you want your video stored.

According to a recent CNET article, you have two primary choices when it comes to storing video – either by local storage or cloud storage. While each offers a different set of benefits, choosing which one works best for you will depend on your security priorities.

Local storage

Local storage saves your security video clips just like it sounds – locally. Cameras that support local storage usually come with a slot where you can insert a microSD card, usually ranging from 16GB worth of storage to 128GB. Depending on the brand of camera you buy, you may have to go out and pick up a microSD card separately.

As is the case with many security systems, there are some options you can choose from in terms of what your camera will record. For those who want to make sure every second is recorded, the cameras can be set in continuous recording mode. If you would rather conserve space, you can set your camera to event-based recording mode instead. In this setting, the camera only records when it detects motion, so your microSD card lasts longer before it fills up.

No matter what your preference is, when your card is finally full you can elect to overwrite the oldest footage and keep recording, or take the card out and review the footage. If you want to keep any video from the card but continue using it, you will need a card reader (and, for a microSD card, an SD adapter) to copy the footage to a computer or other storage first.

Cloud storage

For those who don’t want to buy any extra equipment, like the microSD cards, card reader, or adapter, cloud storage can provide an alternative that is a little more hands-off. Instead of physically having to manage a microSD card, cameras that operate using cloud storage save footage in – you guessed it – the cloud.

Depending on the service you use, your footage is sent to a remote server that is managed by a company. You will have to pay a fee to use the company’s service, which can vary in price. Currently, cloud-based security storage offered by Alphabet/Google costs $10 per month for 10 hours of continuous recording.

Which should you choose?

Local storage and cloud-based storage come with their own set of benefits, but choosing which one really comes down to personal preference. Local storage is preferred by many consumers because it gives you the greatest amount of access to your video, but if you want to save your video then you will have to buy extra equipment to do that. Also, managing the microSD cards manually could become tiresome after a while.

Cloud-based storage is much more hands-off in this regard, and you don’t have to worry as much about overwriting data. However, you will have to pay a monthly fee to access your video footage, and technical problems with the company hosting the servers could leave you unable to reach it in some cases. Also, since the footage is hosted on a server, hackers could potentially get hold of your videos, making privacy a concern. Local storage has a failure mode of its own: an intruder who takes the camera takes the card, and the recording of the break-in, with it.

Of course, video storage is not the only consideration when it comes to buying security cameras – it’s just a good starting point for narrowing down choices. Be sure to do your research before committing to any one course of action so that you can get the best home security that works for you.


New privacy rules proposed for Internet service providers

Consumers would get more control over how their data is used

The Federal Communications Commission (FCC) will consider new rules for Internet service providers (ISPs) that would limit their ability to use consumers' browsing habits to narrowly target ads.

Currently, when consumers browse online, looking at cars, furniture or books, ads for those kinds of products follow them around the Internet, popping up on other websites they visit. That's because consumers' browsing habits are a product, sold to marketers who want to make their ads more effective.

FCC Chairman Tom Wheeler has released a Notice of Proposed Rulemaking (NPRM) to give consumers tools to determine how that information about them is used and shared by their ISPs.

New privacy requirement

Under the proposal, the privacy requirements of the Communications Act would apply to the Internet. The proposal will be voted on by the full Commission at the March 31 Open Meeting. Assuming it is adopted, it will be subject to a comment period.

The proposed rule would allow ISPs to continue to use customer data for marketing and other communications-related services by their affiliates unless the customer opted out. If the ISP wanted to continue selling customer data to third-party marketers, it would have to get the customer's permission through an opt-in process first.

Wheeler also says the rule would place stronger security requirements on ISPs, noting that security protections are crucial to protecting consumers’ data from breaches.

Privacy group input

A number of privacy advocates have urged the FCC to implement stronger Internet privacy safeguards. In a recent letter to the agency, the Electronic Privacy Information Center (EPIC) lobbied for opt-in consent for the use of all customer data for marketing purposes. It said an opt-in framework would better protect individuals’ rights, and is consistent with most United States privacy laws.

The letter noted that the Family Educational Rights and Privacy Act, Cable Communications Policy Act, Electronic Communications Privacy Act, Video Privacy Protection Act, Driver’s Privacy Protection Act, and Children’s Online Privacy Protection Act all require individual consent before gathered information can be used for any secondary purpose.

Verizon Wireless settlement

Earlier this week the FCC reached a settlement with Verizon Wireless over its use of customer data and so-called “super cookies.” The settlement contained some of the same features contained in the proposed new rule.

Verizon Wireless agreed to allow customers to opt-out of its internal use of gathered customer data. It also agreed to an opt-in feature, saying it would not sell that information to third parties without a customer's consent.


Feds settle with Verizon Wireless in “supercookie” probe

Carrier will change practices and pay $1.35 million fine

For years Verizon Wireless has been inserting unique identifier headers (UIDH) – known as “supercookies” – into its customers’ mobile Internet traffic. Customers weren't asked or informed.

These headers were used to target specific ads to specific consumers. Verizon used the data in its own advertising programs and marketed the data to third parties.

After a Federal Communications Commission (FCC) investigation, Verizon has agreed to obtain customers’ opt-in consent before sharing this information with third parties, and will obtain customers’ opt-in or opt-out consent before using it within the Verizon corporate family.

“Consumers care about privacy and should have a say in how their personal information is used, especially when it comes to who knows what they’re doing online,” FCC Enforcement Bureau Chief Travis LeBlanc said in a statement. “Privacy and innovation are not incompatible. This agreement shows that companies can offer meaningful transparency and consumer choice while at the same time continuing to innovate.”

Improper disclosure

The investigation began in late 2014. The issue at hand was whether Verizon Wireless failed to appropriately protect customer proprietary information and whether it provided the proper disclosures.

The investigation found that Verizon Wireless began inserting UIDH into consumer Internet traffic as early as December 2012, but didn't disclose it was doing it until October 2014.

Verizon Wireless tried to assure regulators that the third-party companies that were getting the information were unlikely to use it to build profiles on Verizon Wireless customers. But just over a year ago there were news reports that one of these partners used the data for unauthorized purposes: restoring cookie IDs that users had cleared from their browsers. Because the header is stamped onto traffic by the carrier's network rather than stored in the browser, clearing cookies does not remove it, and a partner that has once seen a cookie alongside the header can use the header to hand the same ID back.
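The re-linking described above, as an added example that is not Verizon's, its partners', or the article's own code: a toy model in which a carrier proxy stamps an identifier header (X-UIDH, the header name Verizon used) onto plaintext HTTP requests, and an ad server keyed on that header hands back the cookie ID a user had already cleared. The proxy logic, the ad server, the subscriber ID and the carrier key are constructed for this example. The same model shows why the header never reaches an https:// request: an encrypted connection is opaque to the carrier and cannot be rewritten.

```python
"""Toy model of carrier header injection ("supercookies") and cookie restoration.

Added example, not code from the article or from any carrier or ad network.
X-UIDH is the header name Verizon used; every other name and value here is
constructed for illustration.
"""
import hashlib
import hmac

INJECTED_HEADER = "X-UIDH"


def carrier_proxy(request: dict, subscriber_id: str, carrier_key: bytes) -> dict:
    """Model a carrier's transparent proxy (constructed).

    Only plaintext HTTP can be rewritten. A TLS connection is opaque to the
    carrier, so nothing is added to an https:// request.
    """
    if request["url"].startswith("https://"):
        return request
    # A stable, opaque token per subscriber: the same value on every request.
    token = hmac.new(carrier_key, subscriber_id.encode(), hashlib.sha256).hexdigest()[:32]
    out = dict(request)
    out["headers"] = dict(request["headers"])
    out["headers"][INJECTED_HEADER] = token
    return out


class AdServer:
    """Third-party ad server (constructed) that keys its profile on the header."""

    def __init__(self) -> None:
        self.uidh_to_cookie: dict[str, str] = {}
        self.next_cookie = 1

    def handle(self, request: dict) -> str:
        """Return the cookie ID the server will treat this request as."""
        headers = request["headers"]
        cookie = headers.get("Cookie")            # e.g. "adid=1"
        uidh = headers.get(INJECTED_HEADER)
        if cookie:
            cid = cookie.split("=", 1)[1]
            if uidh:
                self.uidh_to_cookie[uidh] = cid   # learn header -> cookie link
            return cid
        if uidh and uidh in self.uidh_to_cookie:
            # Cookies were cleared, but the carrier header survived: the old
            # ID comes back ("zombie cookie").
            return self.uidh_to_cookie[uidh]
        cid = str(self.next_cookie)               # brand-new profile
        self.next_cookie += 1
        if uidh:
            self.uidh_to_cookie[uidh] = cid
        return cid


def detect_injected_headers(headers: dict) -> list:
    """Check a site or user can run: list carrier tracking headers present."""
    known = {INJECTED_HEADER.lower()}
    return sorted(h for h in headers if h.lower() in known)


def simulate(scheme: str = "http") -> tuple:
    """Return (cookie ID before clearing cookies, cookie ID after clearing)."""
    key = b"carrier-secret-example"               # constructed
    ad = AdServer()
    base = {"url": f"{scheme}://ads.example/pixel", "headers": {}}
    # First visit: no cookie yet, the ad server issues one.
    first = ad.handle(carrier_proxy(base, "subscriber-42", key))
    # Later visit: the browser sends that cookie; the server learns the link.
    with_cookie = dict(base, headers={"Cookie": f"adid={first}"})
    ad.handle(carrier_proxy(with_cookie, "subscriber-42", key))
    # The user clears cookies and visits again.
    after_clear = ad.handle(carrier_proxy(base, "subscriber-42", key))
    return first, after_clear


if __name__ == "__main__":
    print("plain HTTP :", simulate("http"))    # same ID before and after clearing
    print("HTTPS      :", simulate("https"))   # a fresh ID after clearing
```

Over plain HTTP the cleared cookie comes straight back; over HTTPS the server has nothing to key on and issues a fresh ID, which is the practical reason sites and users should insist on TLS rather than rely on clearing cookies.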

$1.35 million fine

Under the terms of the settlement with the FCC, the company must pay a fine of $1.35 million and adopt a three-year compliance plan.

The company must abide by Section 222 of the Communications Act, which requires carriers to protect their customers’ proprietary information and use such information only for authorized purposes. It also expressly prohibits carriers that obtain proprietary information from other carriers for the provision of telecommunications services to use such information for any other purpose.

The settlement is the second of the agency's Open Internet enforcement actions. Last June it proposed a $100 million fine against AT&T Mobility for misleading its customers about the data speed limits on its so-called “unlimited” mobile data plans.


Privacy groups line up behind Apple against FBI

Security measures either protect everyone or no one, the groups argue

There has been so much back-and-forth in the Apple-FBI dispute that it has at times resembled one of this year's jousting contests posing as presidential debates.

In an attempt to get the argument back on track, a group of consumer privacy organizations has filed a friend of the court brief on behalf of Apple. The Electronic Privacy Information Center (EPIC) and eight other organizations argued that the "security features in dispute in this case were adopted to protect consumers from crime."

The brief quotes security experts as saying, in effect, that cell phone security either protects everyone or no one. 

"The security of cell phones is of critical importance to millions of consumers who rely on these devices to protect their most sensitive personal data," the privacy groups argue in their brief. "As the theft of consumer devices continues to rise—millions of cell phones are stolen every year—the associated crimes of financial fraud and identity theft also increase."

Security features on Apple's iPhone and other smartphones help to limit such crimes, limiting financial and emotional harm to consumers, the groups say. "If these safeguards are weakened, consumers will suffer, crime will increase, and the work of law enforcement will be made more difficult," the brief argues.

Special protection

The brief notes that the Supreme Court recently found that modern phones store so much sensitive data that they deserve special constitutional protections. 

Apple's encryption software amounts to a digital lock that keeps consumer data safe and should not be disabled for the sake of a single investigation, the organizations say.

"This Court should not order Apple or any company to weaken their digital locks because, if they do, consumers will suffer, crime will increase, and any short-term benefit that the Bureau may obtain in this case will be more than outweighed by the increase in crime across the country that will result," according to the brief.

Besides EPIC, organizations filing the brief are the Center for Digital Democracy, Constitutional Alliance, Consumer Action, Consumer Watchdog, the Cyber Privacy Project, Patient Privacy Rights, Privacy Rights Clearinghouse and Privacy Times. 


Online payment portal Dwolla dinged for its security practices

Feds say consumers were deceived about the data security risks of using the online system

Regulators are serving notice on a fast-growing online money-transfer business that it must safeguard consumers' private data and live up to the promises it makes about its security procedures.

The Consumer Financial Protection Bureau has ordered Dwolla to pay a $100,000 penalty for misleading consumers about its data security practices and instructed the company to fix its security practices.

Dwolla, based in Des Moines, Iowa, said the procedures questioned by the CFPB had taken place in earlier years and said it has improved its practices since then.

Dwolla, like others in the online payments business, takes much of the grunt work out of moving money online by simplifying the automated clearing house (ACH) process.

"Our ACH transfer platform securely verifies and connects your customers to their bank or credit union accounts for safe and quick transactions," the company says on its website, saying it offers "a fast, lightweight onboarding experience."

“Consumers entrust digital payment companies with significant amounts of sensitive personal information,” said CFPB Director Richard Cordray. “With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing. It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”

Dwolla said it has more than 650,000 users and moves as much as $5 million per day. It noted it has not been hacked or experienced any known loss of consumer data. 

"Dwolla is glad to have come to a resolution with the CFPB regarding its investigation," Dwolla said in a blog posting. "The investigation covers a snapshot in time that ended almost two years ago, and the claim focuses on practices that trace to 2011 and 2012. Dwolla understands the Bureau’s concerns regarding the protection of consumer data and representations about data security standards, and Dwolla’s current data security practices meet industry standards.
 
"The CFPB has not found that Dwolla caused any consumer harm or created the likelihood of any consumer harm through its data security practices."

Safe and secure?

From December 2010 until 2014, Dwolla claimed to protect consumer data from unauthorized access with “safe” and “secure” transactions. But the CFPB said that, rather than setting “a new precedent for the payments industry,” Dwolla’s data security practices fell far short of its claims.


Mail carrier a key player in identity theft ring

Alabama postal worker stole customers' identities for use in phony tax returns

Identity theft seems like a high-tech crime, carried out by hacking into databases, harvesting purloined emails, and using phishing expeditions to trick consumers into revealing their private data.

But sometimes it's as simple as reading the name on your mail. That's what prosecutors say postal carrier Elizabeth Grant did. The Seale, Alabama, woman worked for years delivering mail. On the side, she stole the names and addresses of the people on her mail route and provided them to her co-conspirators.

Her accomplices prepared phony tax returns and when the government mailed out refund checks, Grant stole them and turned the checks over to her partners in crime, trial testimony indicated.

The scheme resulted in more than 700 false returns being filed and more than $1.5 million in tax refunds being stolen.

Grant pleaded guilty and was sentenced to more than five years in prison yesterday by a federal judge in Alabama. Several of her collaborators were sentenced earlier.


Cybercrime is big business and getting bigger

Researchers calculate the massive returns hackers get on stolen credit cards

In the last decade, hackers have shifted their primary targets from consumers' PCs to corporations' networks.

The payoff from breaking into your computer might not be so much. Getting into Target, on the other hand, could be huge.

Just how huge hasn't been widely appreciated, but researchers at Michigan State University recently calculated that even small-scale hacking operations are making millions of dollars in profits by targeting corporate databases and stealing credit and debit card data.

"In the past two years there have been hundreds of data breaches involving customer information, some very serious like the Target breach in 2013," Thomas J. Holt, Michigan State University criminologist and lead investigator of the study, said in a release. "It's happening so often that average consumers are just getting into this mindset of, 'Well, my bank will just re-issue the card, it's not a problem.' But this is more than a hassle or inconvenience. It's a real economic phenomenon that has real economic impact and consequences."

Black market in plain sight

Holt and his fellow researchers found online forums in English and Russian where criminals who stole personal information auctioned it off in batches of 50 or 100. Someone who buys the data can then try to access the victims' bank accounts or buy goods or services with the stolen cards.

Holt says, on average, a batch of 50 stolen credit or debit cards can bring between $250,000 and $1 million on the black market. Buyers consider it a reasonable price, since they can, on average, use those 50 or so cards to pull in between $2 million and $8 million.

Coordinated approach

Holt says there needs to be a more intensive, coordinated approach by law enforcement agencies around the world to crack down on cybercrime. He says consumers also need to understand the stakes.

"My goal is make people cognizant of just how much their personal information means, how much value there is," Holt said. "If we don't understand the scope of this problem, if we just treat it as a nuisance, then we're going to enable and embolden this as a form of crime that won't stop."

Security company McAfee estimates the annual cost to the economy of cybercrime activity is more than $400 billion.


Senator presses Google on student data privacy

Meanwhile, Apple refuses a court order to unlock an iPhone for the FBI

Sen. Al Franken (D-MN) and Google are engaged in conversations about privacy – in particular, the privacy of data Google collects about students.

In recent weeks, Franken asked the search giant to explain its student data privacy policies, and now he says Google has responded.

Franken said the company provided thorough answers, but there is room for clarification. For example, he says he would like to know what exactly Google is doing with the data it collects from students.

He would also like to know whether the company plans to give students and parents a choice of “opting-in” to data collection.

Fundamental right to privacy

"I believe Americans have a fundamental right to privacy, and that right includes the ability to control who is getting your personal data and how it's being used," Franken said in a release.

Franken says he thinks Google has done great work in education technology, but wants to make sure the company is doing everything it can to protect the privacy of students.

"Google's response to my questioning was thorough, and I appreciate its engagement on this topic,” Franken said. “But I'm still concerned about what exactly Google does with the information it collects and processes from students who are browsing outside websites—like YouTube—while logged in to Google's education services.”

Franken says he thinks the issue could be resolved by providing parents and students with stronger privacy protections.

Apple standoff with the FBI

Meanwhile, another technology company is invoking the privacy issue in a standoff with the government. Apple CEO Tim Cook has said the company will fight a federal court order to unlock the iPhone of one of the suspects in December's San Bernardino terrorist attack.

The FBI wants to view the contents of the phone, but an Apple security feature erases the phone's data after too many incorrect passcode entries, which rules out simply guessing the passcode until one works.

“Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation,” Cook wrote in a letter to Apple customers. “In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.”

Apple maintains that once created, the software would be quickly stolen by hackers and used against Apple customers.
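The protection at issue, as an added example that is not Apple's code and does not reproduce iOS's real delay schedule or key hierarchy: a toy device that wipes itself after a fixed number of wrong passcodes and imposes escalating delays, beside the same device with those limits removed, which is in effect what the order asked Apple to build. Brute-forcing a four-digit PIN against both shows why the limit is the whole game. The wipe threshold of 10, the delay schedule, the PBKDF2 parameters and the PIN are constructed for this example.

```python
"""Toy model of an erase-after-N-failures passcode guard.

Added example, not Apple's code. Threshold, delays, key derivation and PIN
are constructed; only the behaviour (escalating delays, then a wipe) follows
the feature the article describes.
"""
import hashlib
import hmac
import secrets

WIPE_AFTER = 10      # wrong attempts before the device erases itself (constructed)
KDF_ITERATIONS = 1000  # small on purpose so the demo runs quickly (constructed)


def _delay_for(failures: int) -> int:
    """Constructed escalating delay, in seconds, before the next attempt is accepted."""
    if failures < 5:
        return 0
    if failures < 7:
        return 60
    if failures < 9:
        return 300
    return 3600


class Device:
    """A device whose data key is derived from the PIN and a per-device salt."""

    def __init__(self, pin: str, enforce_limits: bool = True) -> None:
        self.salt = secrets.token_bytes(16)
        self.key = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, KDF_ITERATIONS)
        self.enforce_limits = enforce_limits   # False models the modified OS
        self.failures = 0
        self.wiped = False
        self.clock = 0                          # simulated seconds the attacker waits

    def try_pin(self, guess: str) -> bool:
        """Attempt one passcode; returns True on success."""
        if self.wiped:
            return False                        # nothing left to unlock
        if self.enforce_limits:
            self.clock += _delay_for(self.failures)
        cand = hashlib.pbkdf2_hmac("sha256", guess.encode(), self.salt, KDF_ITERATIONS)
        if hmac.compare_digest(cand, self.key):
            self.failures = 0
            return True
        self.failures += 1
        if self.enforce_limits and self.failures >= WIPE_AFTER:
            self.wiped = True                   # data erased; further guesses are useless
        return False


def brute_force(device: Device) -> tuple:
    """Try every 4-digit PIN in order; return (pin or None, attempts used, wiped)."""
    for n in range(10_000):
        guess = f"{n:04d}"
        if device.try_pin(guess):
            return guess, n + 1, device.wiped
        if device.wiped:
            return None, n + 1, True
    return None, 10_000, device.wiped


if __name__ == "__main__":
    locked = Device("7241")                      # constructed PIN
    print("limits on :", brute_force(locked), "attacker waited", locked.clock, "s")
    unlocked = Device("7241", enforce_limits=False)
    print("limits off:", brute_force(unlocked))
```

With the limits on, the attacker gets ten guesses, waits over an hour for them, and then the data is gone; with the limits off, the entire four-digit space falls in at most 10,000 fast attempts, which is why the brief's "digital lock" language and Cook's "unlock any iPhone" warning refer to the same thing.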


States lobby Congress for new privacy legislation

Would undo amendment allowing debt collection robocalls to cellphones

It's an election year. What can members of Congress do to please the voters back home? How about stopping the annoying debt collection calls?

Twenty-five state attorneys general have signed a letter to the Senate Commerce Committee, urging it to pass the ‘‘Help Americans Never Get Unwanted Phone calls Act of 2015,’’ also known as the ‘‘HANGUP” Act, and send it to the Senate floor.

The proposed legislation specifically would repeal a recent amendment to the Telephone Consumer Protection Act (TCPA) to allow debt-collection robocalls to consumers’ cell phones. That amendment was slipped into the end-of-the-year budget act.

Before that amendment was passed, the TCPA outlawed robocalls to cell phones without the consumer's consent. As amended, the TCPA now permits previously illegal robocalls to consumers' cell phones if the calls are made to collect a debt owed to or guaranteed by the federal government, like a student loan.

Congress has the power

Missouri Attorney General Chris Koster said by passing the HANGUP Act, Congress could stop the barrage of debt-collection robocalls that run up the bills of consumers who pay for calls to their cell phones.

“Debt-collection calls and robocalls consistently top the list of complaints our office receives,” Koster said in a release. “Consumers have made it clear that they are fed up with robocalls, and our laws should be moving to restrict unwanted calls, not encourage them.”

Koster said his office received more than 41,000 complaints last year about unwanted calls, a majority of which were robocalls.

Huge annoyance

“My attorney general colleagues and I work aggressively in our states to stop unwanted, harassing calls to peoples’ landlines and cell phones,” Indiana Attorney General Greg Zoeller said in a release. “This is a huge annoyance to our citizens, and we hear from them every day about it. It’s even more frustrating when the federal government actively works to weaken our efforts aimed at protecting and serving our citizens. I urge Congress to stop allowing loopholes that legitimize robocalls and open citizens up to a barrage of unwanted or misplaced calls.”

On June 18, 2015, the Federal Communication Commission (FCC) formally adopted a rule change saying federal law does not prohibit telecommunication service providers from offering, upon a customer’s request, services intended to block unwanted calls. This clarification moved enforcement efforts forward and armed consumers with ways to prevent unwanted calls. The recent amendment, however, is a step back in the fight against robocalls, Koster said.

The attorneys general say consumers who would like to get rid of annoying robocalls can help by calling their Congressional representatives.


FTC calls game over on Running Fred

The Chrome extension allegedly Shanghaied consumers' Android phones

Running Fred is pretty scary. It's a game that takes place in an old castle, where devilish fiends chase innocent kids with sharp objects. But that's not the worst thing you can say about it.

The Federal Trade Commission (FTC) says Running Fred, a Google Chrome browser extension, has been running wild, pushing apps onto consumers' Android phones without their permission and causing all kinds of problems. The trouble began when a company called Vulcun bought Running Fred.

“After Vulcun acquired the Running Fred game, they used it to install a different app, commandeer people’s computers, and bombard them with ads,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection.

But it's now "game over." Vulcun has agreed to corral Running Fred and stop installing the rogue apps on users' phones.

"Unbiased recommendations"

In its complaint, the FTC alleges that Vulcun and its founders, Ali Moiz and Murtaza Hussein, purchased Running Fred and replaced it with Vulcun’s own extension, which purported to offer users unbiased recommendations of popular Android applications.

What Vulcun’s extension actually did, the FTC charged, was to install apps directly on the Android devices of consumers while bypassing the permissions process in the Android operating system.

The extension caused a number of consumers to complain to Google, the owner of both Chrome and Android, according to the FTC. Some complained that the browser extension was opening multiple tabs and windows on their browser and advertising various apps. Others complained about the installation of apps on their mobile device without their permission, noting that the apps would reinstall themselves even when deleted.

The FTC’s complaint charges that Vulcun’s actions unfairly put consumers’ privacy at risk. By bypassing the permissions process in the Android operating system, the apps placed on consumers’ mobile devices also could have easily accessed users’ address books, photos, location, and device identifiers. Indeed, once installed, the apps could have gained further access to even more sensitive data by using their own malicious code, according to the complaint.

In addition, the complaint alleges that Vulcun misled consumers by saying that their extensions, including Weekly Android Apps and another called Apps By Cindy, provided independent and impartial selections of apps, as well as misrepresenting third-party endorsements received by the extensions.

Under the terms of the settlement, the defendants will be required to tell consumers about the types of information a product or service will access and how it will be used, display any built-in permissions notice associated with installing a product or service, and get users’ express affirmative consent before the installation or material change of a product or service.


Fitness trackers aren't all that private, study finds

Canadian study finds all but the Apple Watch leak data

If you wear a popular fitness tracker to keep up with steps taken, miles walked, and calories burned, chances are you find it highly motivating. Some users have called it a personal trainer on their wrist.

But researchers at the University of Toronto say there is something consumers should know. Like any electronic device that connects via WiFi, the data collected by most of these fitness trackers might not always be private.

In a study, researchers say they found there are major security and privacy issues in trackers made by Basis, Fitbit, Garmin, Jawbone, Mio, Withings, and Xiaomi. The researchers reached their conclusion after analyzing data transmissions between the Internet and apps for the fitness trackers.

The seven trackers communicate with smartphone apps through Bluetooth. The researchers say that Bluetooth leaks personal data, and that anyone near a device could track a user’s location over time.

They also report certain devices by Garmin and Withings transmit information without encryption. Someone would have to know how to intercept the data, they say, but if they had the knowledge, it could be done.

Apple Watch the exception

The only device that did not leak data in the study was the Apple Watch.

Andrew Hilts, one of the report’s authors, says the security issue exists because each device has a unique identifier that is constantly sent out via Bluetooth. It's there even when you think it is turned off.

Hilts says the issue is easily resolved if device manufacturers implement an existing Bluetooth privacy standard. Until they do, he says, users will be vulnerable to location-based surveillance.

“We hope our findings will help consumers make more informed decisions about how they use fitness trackers, help companies improve the privacy and security of their offerings, and help regulators understand the current landscape of wearable products,” Hilts said in a release.
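The tracking problem Hilts describes, and the fix he points to, can be shown in a few lines. What follows is an added illustration, not code from the article or from the Citizen Lab study: a simulation in which a passive observer logs the address in every advertisement it overhears, while a bonded phone holding the device's Identity Resolving Key (IRK) tries to recognise its own tracker. The "existing Bluetooth privacy standard" is assumed to be the LE Privacy feature of the Bluetooth Core Specification, whose resolvable private addresses are built from a random 24-bit value and a 24-bit hash keyed by the IRK; the spec derives that hash with AES-128, and this offline script substitutes HMAC-SHA256 from the standard library for that one step. The key, addresses and the "one advertisement per day" pacing are constructed sample values.

```python
"""Static Bluetooth address vs. resolvable private address (BLE LE Privacy).

Added example.  The hash step is a labelled stand-in: the Bluetooth spec
uses AES-128(irk, zero-padded prand) truncated to 24 bits; HMAC-SHA256
truncated to 24 bits is used here so the script runs with no extra packages.
"""
import hashlib
import hmac
import os


def ah(irk: bytes, prand: bytes) -> bytes:
    """Random address hash: 24 bits derived from the IRK and a 24-bit prand
    (HMAC-SHA256 substitute for the spec's AES-128 function)."""
    return hmac.new(irk, prand, hashlib.sha256).digest()[:3]


def make_rpa(irk: bytes) -> bytes:
    """Build a fresh resolvable private address: prand || hash, 48 bits.
    The top two bits of prand are 0b01, which marks the address as resolvable."""
    prand = bytearray(os.urandom(3))
    prand[0] = (prand[0] & 0x3F) | 0x40
    return bytes(prand) + ah(irk, bytes(prand))


def resolve_rpa(irk: bytes, addr: bytes) -> bool:
    """Only a peer holding the IRK can recompute the hash and recognise the device.
    A bystander without the key sees unrelated random addresses."""
    if len(addr) != 6 or (addr[0] & 0xC0) != 0x40:
        return False
    prand, h = addr[:3], addr[3:]
    return hmac.compare_digest(ah(irk, prand), h)


def simulate(advertisements: int, rotate: bool, irk: bytes, static_addr: bytes):
    """Return (distinct addresses an observer can log, advertisements the bonded phone resolved).

    rotate=False models a tracker that always advertises one fixed identifier:
    every sighting links to the same record, so movements correlate over time.
    rotate=True models a new resolvable private address for each advertisement."""
    observer_log = set()
    resolved = 0
    for _ in range(advertisements):
        addr = make_rpa(irk) if rotate else static_addr
        observer_log.add(addr)
        if resolve_rpa(irk, addr):
            resolved += 1
    return len(observer_log), resolved


if __name__ == "__main__":
    irk = os.urandom(16)                      # constructed: key shared at bonding time
    fixed = bytes.fromhex("c0ffee123456")     # constructed: a static device address
    print("static address over 14 days:", simulate(14, False, irk, fixed))
    print("rotating RPA over 14 days:  ", simulate(14, True, irk, fixed))
```

With the fixed address, the observer's log collapses to a single identity for all 14 sightings, which is exactly the location-over-time linkage the study warns about; with rotation, the observer sees a different address each day and cannot join them, while the bonded phone still resolves every one. Whether a given tracker rotates its address is something a buyer can check with any BLE scanner app rather than take on trust.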


Wendy's set to investigate reports of a potential credit card breach

While unconfirmed, the scope of the breach is not yet known

Back in December, we reported that data breaches would become more numerous and dangerous in 2016. While the year is still young, it looks like some companies are wasting no time when it comes to becoming a part of that statistic. Fast-food giant Wendy’s has reported that it is investigating claims of a credit card breach at some of its locations, according to KrebsOnSecurity.

Wendy’s spokesperson Bob Bertini stated that the company has hired a security firm to investigate claims about the breach. He admitted that Wendy’s had received reports earlier in January from payment contacts about a potential breach.

“We have received this month from payment industry contacts reports of unusual activity involving payment cards at some of our restaurant locations. . . . Reports indicate that fraudulent charges may have occurred elsewhere after the cards were legitimately used at some of our restaurants. We’ve hired a cybersecurity firm and launched a comprehensive and active investigation that’s underway to try to determine the facts,” said Bertini.

Investigation is ongoing

The nature of the breach is still uncertain at this point in time. KrebsOnSecurity reported that it had initially received information linking the breach to areas in the Midwest, but that it has since spread to other financial institutions on the East Coast.

The timeline of when the breach first occurred is also unclear. Bertini indicated that some fraudulent charges may have occurred in the latter part of 2015. “We began investigating immediately, and the period of time we’re looking at the incidents is late last year. . . We know it’s [affecting] some restaurants but it’s not appropriate just yet to speculate on anything in terms of scope,” he said.

Consumers who have been to a Wendy’s in the past few months would do well to check their financial statements for any inconsistencies. Though the breach is not yet confirmed, being proactive in your approach is always wise.



Hyatt releases list of hotels involved in malware incident

Guests at any of the roughly 250 hotels should keep a careful eye on their accounts

If you've stayed at a Hyatt Hotel recently, you may want to keep a careful eye on your credit card account. The hotel chain says it found malicious software in about 250 of its hotels.

The malware could have been used to extract credit- and debit-card numbers, as well as other guest information. Hyatt has published a list of the affected hotels on its website.

The malware was first discovered in December but little information was released at that time. Hyatt says it doesn't yet know how many customers were affected.

The company said the malware was present between July and December within payment-processing systems at its restaurants, spas, front desks, and other areas in its hotels.

"We encourage you to remain vigilant and to review your payment card account statements closely. You should report any unauthorized charges to your card issuer immediately," said Chuck Floyd, global president of operations for Hyatt. "Speak to your card issuer for details because, while card issuers’ policies related to fraud may vary, payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner."

Fraud detection

Floyd said Hyatt has arranged for CSID, a fraud detection service, to provide one year of CSID’s Protector services to affected customers at no charge. To activate CSID’s Protector coverage, affected customers in the U.S. may visit www.csid.com/hyatt-us and affected customers outside the U.S. may visit www.csid.com/hyatt-intl to complete a secure sign up and enrollment process.

Customers can contact Hyatt at 1-877-218-3036 (U.S. and Canada) or +1-814-201-3665 (International) from 7 a.m. to 9 p.m. EST.


New app “hides” location from third parties

Seeks to grant control over where personal information ends up

Whether you’re searching for directions or a place to eat, your smartphone is sending information to servers, information that could potentially be used by the wrong people. But now, researchers have developed an app that blocks third parties from identifying a person's location based on what they search for online.

A research team led by Linke Guo, assistant professor of electrical and computer engineering at Binghamton University, recently won big at the Institute of Electrical and Electronic Engineers (IEEE) GLOBECOM Conference, Symposium on Communication and Information System Security.

Their paper, titled “Privacy-preserving Verifiable Proximity Test for Location-based Services,” won the Best Paper Award and was honored in twelve different categories at the conference.

Secures information

Guo, who presented the paper with graduate students Gaoqiang Zhou and Qi Jia, says their app can protect users from having their information collected by third parties with malicious intent.

“The trend of people using searches and social networks on smartphones which aren’t well-protected is going up,” said Guo in a statement to Newswise. “Sometimes people share too much information. This is a way to help provide some security.”

The app, which grants control over where your information ends up, would benefit oversharers and average sharers alike. Studies show that neither group has a clear picture of how often apps share their personal information.

Apps are tracking you

One 2015 study out of Carnegie Mellon gave 23 smartphone users a daily message called a “privacy nudge” telling them how many times their apps had shared their location, photos, call logs, contact lists, or other information.

Participants were stunned by the sky-high numbers. “Your location has been shared 5,398 times with Facebook, Groupon, GO Launcher EX and seven other apps in the last 14 days,” read one user’s privacy nudge.

The majority of smartphone users have no way of accessing relevant data about their apps’ behavior, but the study demonstrated that when people do manage to get their hands on this privacy information, they quickly change their privacy settings and act to limit future sharing.

More control

During a time when it’s often not feasible to limit sharing, the app would step in to watch your back, granting a level of control not currently available.

“When we release personal information to the Internet, it is out of our control, and can be easily searched and used for malicious purposes,” Guo said. “We are trying to provide a more efficient and feasible solution to make sure that kind of information is secure.”

So instead of relegating yourself to an Amish way of life after learning that your location has been shared 5,398 times over the course of 14 days, you could simply download the app. It is not currently available to the public, but it may be in the future.


Uber incurs $20,000 penalty over 2014 data breach

Concerns over "God View" location tracking may be more worrying to consumers

As the world becomes more dependent on the Internet and digitalization, many consumers are left worrying about maintaining their privacy; over the past couple of years, consumers have witnessed a worrisome number of data breaches and invasions of privacy across many different industries.

Now it seems that one company is paying for its transgressions. Uber, one of the leading ride-sharing services across the U.S., has settled with the New York Attorney General’s office to pay a $20,000 penalty for a data breach they suffered in 2014. The company has also pledged to do more to protect consumer privacy after public outrage connected to its “God View” tracking system.

"God View" tracking

Investigations into Uber began in September of 2014 when New York Attorney General Eric Schneiderman learned that executives within the company had access to consumer location data. The information was displayed as an aerial view of cars driving around various cities and was internally dubbed as “God View.”

Though the use of location services is typical on many apps, consumers became outraged at reports that Uber employees and executives were freely sharing this information with third parties. In two separate instances, consumers received confirmation that their location data was being used for non-business purposes.

In a blog post, Peter Sims recounted how he received text messages from someone attending an Uber launch party in another city. Apparently, Sims and others were being tracked and shown to party guests in real time. Many would consider these actions well outside of business purposes, including Schneiderman.

“We are committed to protecting the privacy of consumers and customers of any product in New York State, as well as that of employees of any company operating here,” said Schneiderman. “I strongly encourage all technology companies to regularly review and amend their own policies and procedures to better protect their customers’ and employees’ private information.”

Legal battles

The company’s $20,000 settlement is unrelated to “God View” and does not address it. That lawsuit originated in San Francisco and covers a 2014 data breach that led to the improper disclosure of drivers’ names and license numbers.

Additionally, Uber is facing another class action lawsuit by their drivers who wish to be treated as employees instead of independent contractors. One version of the case was expanded to include 100,000 drivers in the San Francisco area this past month.


Rascals make off with Time Warner Roadrunner data

Customers advised to change their email passwords

If you have Time Warner Cable's Road Runner service, you may want to think about changing your email password.

Time Warner says the FBI notified it that up to 320,000 customer passwords may have been stolen, either through phishing attacks or through data breaches of companies that stored Time Warner customers' info.

Time Warner says it's not quite sure just how the data was filched but insists it wasn't through a breach of its own systems. It is emailing and snail-mailing customers, advising them to change their email passwords and keep a careful eye on their credit card and bank accounts for the foreseeable future.

“Our understanding is that the compromise had nothing to do with TWC’s systems or processes,” the company said in an email to potentially affected customers. “TWC has found no evidence of a breach in its systems that operate and secure email accounts for our customers.”


UK's Alzheimer's Society said to be lax with patients' data

British officials warn the society faces prosecution if it doesn't shape up

British officials say the Alzheimer's Society has "a disappointing attitude" about safeguarding its clients' privacy and warn that it faces prosecution if it fails to make improvements quickly.

The Information Commissioner’s Office (ICO) has given the organization, which is separate from the U.S.-based Alzheimer's Association, six months to comply with an enforcement notice that outlines the required improvements.

The Society says it is "the UK's leading dementia support and research charity for people living with dementia, their families and carers." But the ICO said it found that volunteers at the society were using personal email addresses to receive and share information about the charity's clients, were storing unencrypted data on their home computers, and were failing to store paper records securely.

ICO's head of enforcement, Stephen Eckersley, said the society must begin training volunteers properly and giving them the same support as employees.

“Anything less is unacceptable and, considering the vulnerability of the people who use the society’s services, we have acted,” Eckersley said.

The ICO's report said that a corps of 15 volunteers handled sensitive information about nearly 2,000 cases in recent years, including medical findings, treatment data, and other personal information.

The shortcomings were first identified in November 2014. The current enforcement order is being issued because the ICO said the organization did not respond properly to the earlier recommendations.


Database of 191 million voters left exposed on Internet

It's not clear who's responsible for the security slip-up

Sometimes stuff is stolen in cleverly organized break-ins. Other times, it's just left sitting out on the street. That's more or less the case with a database of 191 million registered voters that was reportedly left exposed and unprotected on the Internet.

The wide-open database was discovered by security researcher Chris Vickery, who reported his findings to Databreaches.net and security blog Salted Hash.

So far no one has nailed down exactly who's responsible, although fingers are beginning to point to NationBuilder, a digital campaign platform headquartered in Los Angeles. The company denies that it's responsible but says it may have contributed some of the leaked data.

“While the database is not ours, it is possible that some of the information it contains may have come from data we make available for free to campaigns," said NationBuilder founder and CEO Jim Gilliam. "From what we've seen, the voter information included is already publicly available from each state government so no new or private information was released in this database.”

“We strongly believe in making voter information more accessible to political campaigns and advocacy groups, so we provide cleaned versions of that publicly accessible information to them for free. We do not provide access to anyone for non-political purposes or that would violate any state’s laws," Gilliam said.

Public or private?

But there are varying opinions on whether all of the leaked information is legally public. The Sacramento Bee reported that California Secretary of State Alex Padilla is working with Attorney General Kamala Harris’ office to determine whether any privacy laws were broken.

California law specifies that voter data is private, according to the Bee. The state's voter file, which holds nearly 18 million records, is available only for political, election, scholarly, journalistic, or governmental purposes.

Other states regard voter data as public, but some place restrictions on how it may be used or distributed. The information in the database did not include Social Security numbers or financial data but could still be used for marketing campaigns or for more nefarious purposes.

The rental value of the database was estimated at $270,000 by experts Vickery consulted.


Researchers find security flaw in Target mobile app

Consumers who used the company's wish list app may have had their personal information compromised

Target just can’t seem to catch a break when it comes to the holiday season. After the company’s huge data breach at the end of 2013, which compromised the personal information of over 100 million consumers, another security flaw has been found this year.

Although smaller in scope, consumers who have used Target’s wish list mobile app may have had some of their personal information put in jeopardy, including their addresses, phone numbers, email addresses, and shopping registries.

The flaw was found by researchers at the Avast security firm. They determined that the mobile app’s Application Programming Interface (API) was very easy to access over the Internet. Because of this, anyone able to work out how a user ID is generated could gain access to other consumers' files.

“If you created a Christmas wish list using the Target app, it might be accessible to more people than you want to actually receive gifts from,” said the researchers in a blog post. “The Target app keeps a database of users’ wish lists, names, addresses and email addresses. But your closest family and friends may not be the only ones who know you want a new suitcase for your upcoming cruise!”

Meanwhile, Target disabled portions of its wish list app on Tuesday until the problem could be resolved. “We apologize for any challenges guests may be facing while trying to access their registry. . . Our teams are working diligently overnight to resume full functionality,” said Molly Snyder, a Target communications manager.
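The flaw class the Avast researchers describe, a record lookup keyed only on a guessable identifier with no check that the caller owns the record, is easy to see side by side with its fix. The code below is a hypothetical illustration added here; it is not Target's code or API, and the wish-list records, user names and ID scheme are constructed sample values. The hardened version ties every lookup to the authenticated session, returns the same "not found" answer whether a record is missing or belongs to someone else, and hands out an unguessable token (rather than the internal ID) when a user chooses to share a list, exposing only the items and not the owner's address or email.

```python
"""Wish-list lookup without an ownership check, beside a hardened lookup.
Hypothetical example; not any retailer's real code."""
import secrets

# Constructed sample records.  Sequential integer IDs are trivially guessable.
WISHLISTS = {
    1001: {"owner": "alice", "name": "Alice A.", "email": "alice@example.com",
           "address": "1 Example St", "items": ["suitcase"]},
    1002: {"owner": "bob", "name": "Bob B.", "email": "bob@example.com",
           "address": "2 Example Ave", "items": ["headphones"]},
}


class NotFound(Exception):
    """Raised both when no such list exists and when it is not the caller's,
    so the response does not reveal which IDs are valid."""


def get_wishlist_unchecked(list_id: int) -> dict:
    """Vulnerable: returns whatever record matches the supplied ID.
    Nothing ties the request to a logged-in user, so any caller who can
    guess or derive an ID reads that person's name, address and email."""
    return WISHLISTS[list_id]


def get_wishlist(list_id: int, session_user: str) -> dict:
    """Hardened: the record must exist AND belong to the authenticated caller."""
    rec = WISHLISTS.get(list_id)
    if rec is None or rec["owner"] != session_user:
        raise NotFound(list_id)
    return rec


def can_read(list_id: int, session_user: str) -> bool:
    """Convenience wrapper: True only when get_wishlist would succeed."""
    try:
        get_wishlist(list_id, session_user)
        return True
    except NotFound:
        return False


def share_token(list_id: int, session_user: str, registry: dict) -> str:
    """For 'share with friends' links: issue a random 128-bit token instead of
    exposing the internal ID, and store only the items behind it."""
    rec = get_wishlist(list_id, session_user)   # caller must own the list
    token = secrets.token_urlsafe(16)
    registry[token] = {"items": list(rec["items"])}
    return token


def view_shared(token: str, registry: dict) -> dict:
    """What a friend holding a share link sees: items only, no contact data."""
    return registry.get(token, {})


if __name__ == "__main__":
    print("unchecked lookup of someone else's list:", get_wishlist_unchecked(1002))
    print("alice reading bob's list via hardened API:", can_read(1002, "alice"))
    shared = {}
    t = share_token(1001, "alice", shared)
    print("friend's view of the shared list:", view_shared(t, shared))
```

The test a reviewer would want on such an endpoint is the second call above: a logged-in user asking for an ID that is not theirs must get the same answer as for an ID that does not exist. Unguessable share tokens do not replace that check; they only keep the internal identifier out of URLs that get forwarded or logged.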


Wyndham settles FTC charges it mishandled customers' data

Hackers got access to credit card info on three separate occasions

A long-running dispute over companies' responsibility to protect customers' data concluded last week as Wyndham Hotels and Resorts settled charges that its security practices unfairly exposed consumers' credit card information to hackers.

Under terms of the settlement, the company will establish an information security program, conduct annual information security audits, and enforce the use of safeguards by its franchisees.

“This settlement marks the end of a significant case in the FTC’s efforts to protect consumers from the harm caused by unreasonable data security,” said FTC Chairwoman Edith Ramirez. “Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area.”

Wyndham noted that the settlement "does not hold Wyndham liable for any violations, nor require Wyndham to pay any monetary relief" and said it initially disputed the allegations "based on our strong belief that we have had reasonable data security in place, and that the FTC’s position could have had a negative impact on the franchise business model."

In a prepared statement, the hotel chain said the settlement "sets a standard for what the government considers reasonable data security of payment card information."

Wyndham also noted that it "made prompt efforts to notify the hotel customers whose information may have been compromised, and offered them credit monitoring services" and said that "to date Wyndham has not received any indication that any hotel customers experienced financial loss as a result of these attacks."

Court order


The proposed stipulated federal court order requires Wyndham Hotels and Resorts to obtain annual security audits of its information security program that conform to the Payment Card Industry Data Security Standard for certification of a company’s security program. In addition, the order requires Wyndham’s audit to:

  • certify the “untrusted” status of franchisee networks, to prevent future hackers from using the same method used in the company’s prior breaches;
  • certify the extent of compliance with a formal risk assessment process that will analyze the possible data security risks faced by the company; and
  • certify that the auditor is qualified, independent, and free from conflicts of interest.

The order also requires that in the event Wyndham suffers another data breach affecting more than 10,000 payment card numbers, it must obtain an assessment of the breach and provide that assessment to the FTC within 10 days.


Google spying on students, privacy group claims

The alleged practice violates Google's own Student Privacy Practice

A privacy group says Google is spying on students without their permission and without notifying their parents. The Electronic Frontier Foundation (EFF) has filed a complaint with the Federal Trade Commission (FTC), saying it uncovered the practice while researching its “Spying on Students” campaign.

The campaign was created to raise awareness about the privacy risks of school-supplied electronic devices and software. EFF examined Google’s Chromebook and Google Apps for Education (GAFE), a suite of educational cloud-based software programs used in many schools across the country by students as young as seven years old.

While Google does not use student data for targeted advertising within a subset of Google sites, EFF found that the Chrome browser’s “Sync” feature is enabled by default on Chromebooks sold to schools. This lets Google track, store on its servers, and mine for non-advertising purposes a record of every website students visit, every search term they use, the results they click on, the videos they look for and watch on YouTube, and their saved passwords.

Google doesn’t first obtain permission from students or their parents, and since some schools require students to use Chromebooks, many parents are unable to prevent Google’s data collection.

Violates its own pledge

Google’s practices fly in the face of commitments made when it signed the Student Privacy Pledge, a legally enforceable document whereby companies promise to refrain from collecting, using, or sharing students’ personal information except when needed for legitimate educational purposes or if parents provide permission, EFF said.

“Despite publicly promising not to, Google mines students’ browsing data and other information, and uses it for the company’s own purposes. Making such promises and failing to live up to them is a violation of FTC rules against unfair and deceptive business practices,” said EFF Staff Attorney Nate Cardozo in a prepared statement. “Minors shouldn’t be tracked or used as guinea pigs, with their data treated as a profit center. If Google wants to use students’ data to ‘improve Google products,’ then it needs to get express consent from parents.”

Google told EFF that it will soon disable a setting on school Chromebooks that allows Chrome Sync data, such as browsing history, to be shared with other Google services.

EFF’s filing with the FTC also charges that the administrative settings Google provides to schools allow students' personal information to be shared with third-party websites in violation of the Student Privacy Pledge.

EFF’s “Spying on Students” project aims to educate parents and school administrators about the risks of data collection by companies supplying technology tools used by students.


2016 likely to hold more dangerous data breaches

Consumers could be collateral damage in cyber war

This year has been marked by a series of serious data breaches, exposing the personal information of millions of U.S. consumers.

One of the most serious was reported in October, when hackers broke into an Experian system and gained access to confidential information about 15 million consumers who had applied for credit at T-Mobile.

Experian Data Breach Resolution has surveyed the landscape and offered predictions for what 2016 holds in terms of keeping consumer data secure. While some current issues remain relevant, there are a few emerging areas that organizations should watch out for to be better prepared.

Making major mistakes

"We saw different types of breaches this year, and one of the major mistakes companies often make is taking a one-size-fits-all approach,” said Michael Bruemmer, vice president at Experian Data Breach Resolution. “Unfortunately, the reality is that no data breach is the same, and a wide variety of unique circumstances need to be considered in a data breach response plan."

One of the trends Experian foresees is the escalation of cyber-attacks among nations. When that happens, consumers and businesses tend to become collateral damage.

As nation-states continue to move their conflicts and espionage efforts to the digital world, the company predicts there will be more incidents aimed at stealing corporate and government secrets or disrupting military operations.

When that happens, one of the risks is exposure of information about millions of individuals. Business data might also be compromised more often in 2016, or we could see an increase in large public-sector data breaches that expose millions of personal records.

New-age warfare

"This is new-age warfare and, as individuals, we need to pick up the pieces if we have been affected and our personal information has been exposed," said Bruemmer. "The public should not be complacent about identity protection. It's important to practice good security habits on an ongoing basis and monitor accounts frequently to catch fraud early."

Experian Data Breach Resolution also predicts hackers with a political or ideological agenda will become more active, trying to damage the reputation of a company or cause. There have already been a few such attacks over the last couple of years.

These hackers aren't in it for the money, meaning companies must revise their response plans and consider all possible scenarios.

"This was the new twist to the data breach landscape in 2015, with thieves leveraging stolen data to embarrass or harm companies," said Bruemmer. "Unfortunately, consumers are the pawns in the game, and they are victimized in the process.”

Personal harm or embarrassment

Being associated with the organization under attack, consumers may also suffer personal harm or embarrassment if their information is exposed. If an organization has a polarizing or controversial mission, it should consider this scenario and how it will take care of its constituency should a breach occur, Bruemmer said.

And that leads us to the 2016 presidential race. Bruemmer says political campaigns are likely to be tempting hacking targets.

"For a fame-hungry criminal or motivated detractor, this is an attractive platform,” Bruemmer said.

Bruemmer says all candidates, parties, and organizations had better be prepared by securing their systems and having incident response plans in place.


VTech hack exposes personal data for 4.8 million kids, parents

Kids' birthdays and home addresses among the compromised data

VTech says the personal records of 4.8 million children and their parents have been breached by hackers. The data includes kids' birthdays and home addresses, as well as their parents' passwords and password hints.

The data was stored in VTech's "Learning Lodge" app store, where customers of the Hong Kong-based company can download apps, games, e-books, and other content for VTech products.

The company said the breached database contains general user profile information, including their name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address, and download history.

"It is important to note that our customer database does not contain any credit card information and VTech does not process nor store any customer credit card data on the Learning Lodge website. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third party payment gateway," the company said.

It noted that the database "does not contain any personal identification data (such as ID card numbers, Social Security numbers or driving license numbers)."

Customers can contact VTech at vtechkids@vtechkids.com.


Cyber Monday safety tips

This is good advice to heed throughout the rest of the holiday shopping season

Shoppers who braved the malls on Black Friday might have risked some pushing and shoving but not a lot more. Those taking part in Cyber Monday run the r...

Comcast issues in-browser warnings to users who are suspected of illegal file-sharing

The company can interrupt or terminate your Internet access -- but there could be darker privacy implications

People have been pirating movies, music, TV shows, and other forms of entertainment for nearly as long as the Internet has been around. While illegal and somewhat morally hazy, these same people may have to w