Signing your rights away over Equifax data breach?

People are insisting that enrolling in Equifax monitoring if you are affected by the company data breach takes away your right to sue. The truth is more nuanced.

As did many Americans, I went to equifaxsecurity2017.com to see if my personal information was compromised in the company’s massive data breach that exposed millions of Americans’ credit information to cyberhackers.

The web site told me it does not appear my information was part of the breach.

Sigh of relief. Millions will not be so lucky.

If my information had been part of the stolen data, I could have signed up for free credit monitoring through Equifax’s TrustedID, a service that usually costs you a hefty fee.

But soon a story began circulating that, should you choose to sign up for TrustedID, you were also signing away your legal rights to sue the company over the data breach and would instead have to avail yourself of forced arbitration with the company.

The clause in the terms you agree to when you sign up for TrustedID at any time as a paying or free customer says this:

This arbitration will be conducted as an individual arbitration. Neither You nor We consent or agree to any arbitration on a class or representative basis, and the arbitrator shall have no authority to proceed with arbitration on a class or representative basis. No arbitration will be consolidated with any other arbitration proceeding without the consent of all parties. This class action waiver provision applies to and includes any Claims made and remedies sought as part of any class action, private attorney general action, or other representative action. By consenting to submit Your Claims to arbitration, You will be forfeiting Your right to bring or participate in any class action (whether as a named plaintiff or a class member) or to share in any class action awards, including class claims where a class has not yet been certified, even if the facts and circumstances upon which the Claims are based already occurred or existed.

That seems to me as if it might force you into arbitration over any potential damage done to you by the data breach, instead of you retaining the legal right to insert yourself into any single or class-action lawsuit which might arise over the incident.

The language also seemed fuzzy enough for New York State Attorney General Eric Schneiderman to get involved in discussions with company officials over the clause.

After those talks, Equifax added this to their web site:

The arbitration clause and class action waiver included in the TrustedID Premier Terms of Use applies to the free credit file monitoring and identity theft protection products, and not the cybersecurity incident.

So the forced arbitration clause does apply to anyone who signs up for TrustedID at any time, and it does indeed require you to choose forced arbitration over lawsuits against that service EXCEPT for the data breach incident in this week’s headlines.

This incident speaks to one important issue: Absent any meaningful leadership on the national level on these consumer financial issues in a Congress (Democrats and Republicans) that is mostly in the pockets of Wall Street, certain state attorneys general continue to be the watchdogs that protect millions of us from the worst abuses of industry.

If you want to know more about the issues of arbitration (which can be a good thing) and forced arbitration clauses (which can be bad things), read this excellent information from the National Association of Consumer Advocates.

Ashley Madison hack and a new world of privacy intrusion

If you’re finding satisfaction in the Ashley Madison leak, you might think a bit more long-term about the possibilities it represents:

Computer security expert Graham Cluley quickly warned against such witch hunts on his blog.

“For one thing, being a member of a dating site, even a somewhat seedy one like Ashley Madison, is no evidence that you have cheated on your partner,” he wrote. “You might have joined the site years before when you were single and be shocked that they still have your details in their database, or you might have joined the site out of curiosity or for a laugh … never seriously planning to take things any further.”

You might be a journalist who joined to write about Ashley Madison, for example. Or, as some self-described Ashley Madison users have said on Reddit, you may be in an open marriage.

“But more importantly than all of that, if your e-mail address is in the Ashley Madison database it means nothing,” Cluley wrote. “The owner of that e-mail address may never have even visited the Ashley Madison site.”

I doubt the “I joined to do research” excuse will gain much traction if a spouse discovers the other spouse’s name, but that is just me.

The rest of the points in the article are well taken:

Perhaps the best and broadest take on #AshleyMadison-gate came from The Awl’s John Herrman.

“I’m not sure anyone is really reckoning with how big this could be, yet,” he wrote. “If the data becomes as public and available as seems likely right now, we’re talking about tens of millions of people who will be publicly confronted with choices they thought they made in private. The result won’t just be getting caught, it will be getting caught in an incredibly visible way that could conceivably follow victims around the internet for years.”

Spend enough time looking into people’s backgrounds and you will discover that many people who think they have nothing to hide have not fully thought through the issues involved.

As was noted by MSNBC’s Chris Hayes:

That email you sent making fun of your boss. That racist or sexist joke you giggled about with co-workers on the company’s internal communications system. That time you claimed that illegal tax exemption. Your treatment five years ago for drug or alcohol abuse. Think about all the things you think you do in private and then think about how many of them have some connection to the online world. Those activities are all at risk of being exposed, past or present.

And if those who are offended by marital infidelity can have their way with Ashley Madison, think of all the hackers out there who might have moral issues with Tinder, Manhunt, Scruff, Grindr and the web sites off which many people think they are buying sex toys or bongs in private. That time you had that STD. That abortion you had long ago. Remember when you were treated for depression and exhaustion in college? Or that membership you had on that porn streaming/download site?

All of this also ignores two of the core issues involved: the theft of credit card data and the theft of login and password information. (Yet another reason to use a password manager and use a different login and password for every web site you use. Of course, some of the most popular password managers store this information online, which brings us back to the original problems.)

Ashley Madison is a major turning point, and not a good one.

Source: Don’t gloat about the Ashley Madison leak. It’s about way more than infidelity. – The Washington Post

Get the hell outta here, willya?

Will credit card hacking scandals soon be a thing of the past?

My debit and credit cards have been hacked about six times now since I started using them. Mostly this has happened when I did one of two things:

  • Use a card internationally in out-of-the-way places. Use the card in a 7-11 in Bangkok and you are likely going to be OK. Use your card in a bodega in the jungles of Costa Rica and the chances that it will be hacked go up astronomically. My cards were hacked from several places after a couple of international trips.
  • Use a card in non-standard places in this country. Use an ATM in a locked bank vestibule and you’re likely to be OK. Use it in one of those free-standing cash machines you find in bars and nightclubs — or an ATM open to the street, which is prone to having a foreign card reader attached — and the probability of getting hacked goes up. My cards were hacked after using one in a bar in Chicago.

To say this is a hassle every time it happens is an understatement, especially if your bank decides, as my Massachusetts bank did after I moved from Boston to Chicago, that I needed to get documentation from two stores in Western Massachusetts for fraudulent charges in places I’d never been.

Now along comes Wired Magazine with an article detailing why it will soon get much tougher for credit card hackers to ply their trade in the United States:

The solution has been available for years: Put logic in the card. Thanks to Moore’s Law, an inexpensive tamper-resistant microprocessor fits comfortably in a space smaller than your driver’s license photo. With a computer on both edges of the transaction, you can employ cryptography and authenticate the card interactively, so that eavesdropping on the transaction gains you nothing. Just as IBM’s Parry made our wallets smarter by adding computer storage, a modern card is smarter still by having an entire computer onboard.

Now, after resisting it for 10 years because of the formidable transition costs, the US is about to finally embrace the secure chip-based authentication system called EMV—the standard was pioneered by Europay, MasterCard, and Visa—that the rest of the world has already adopted. Pushed by mounting fraud costs, credit card companies have crafted incentives for merchants to switch to the sophisticated readers needed to accept the cards. “There was a lot of skepticism about whether it would ever happen in the US,” says Michael Misasi, an analyst with the Mercator Advisory Group. “All of the data breaches that have happened have woken people up, and progress has been accelerating this year.” The first serious milestone is October 2015. By 2020 the swipe-and-sign magstripe reader will be as hard to find as the credit card impression rollers they supplanted.

Color me not shocked that banks in this country wouldn’t bother with what the rest of the world is already implementing for its customers’ safety. Banks here didn’t care until the fraud costs to them skyrocketed.

It’s a very interesting article, and you can read the rest of it here.

You have to wonder what kind of idiot it takes to approve something like this

A television station in Cleveland was having problems with vandalism in a bathroom. So some genius decided it was acceptable to install a hidden camera there:

A hidden camera was discovered recently in a bathroom at Cleveland TV station WEWS, according to a memo sent to station employees.

The video camera was discovered in a first floor men’s bathroom used by station guests at the ABC affiliate on Euclid Avenue. The camera has been removed, said General Manager Sam Rosenwasser.

A July 14 email written by Rosenwasser and obtained by the Northeast Ohio Media Group said he took disciplinary action against an employee. Multiple sources said management fired a station engineer.

“It has come to my attention an unauthorized camera was placed in the first floor men’s bathroom in response to complaints the bathroom was repeatedly being defaced,” Rosenwasser said in the memo. “First, let me assure you as soon as I found out about this, the camera was removed. Second, I want to let you know any recording made through the camera has been destroyed. Third, we are taking appropriate disciplinary action against those involved.”

You’d think that people who work at a television station would know the laws about hidden cameras and bathrooms, but I guess not.

Read the entire article here.