Manipulative Social Media Practices

The Norwegian Consumer Council just published an excellent report on the deceptive practices tech companies use to trick people into giving up their privacy.

From the executive summary:

Facebook and Google have privacy intrusive defaults, where users who want the privacy friendly option have to go through a significantly longer process. They even obscure some of these settings so that the user cannot know that the more privacy intrusive option was preselected.

The popups from Facebook, Google and Windows 10 have design, symbols and wording that nudge users away from the privacy friendly choices. Choices are worded to compel users to make certain choices, while key information is omitted or downplayed. None of them lets the user freely postpone decisions. Also, Facebook and Google threaten users with loss of functionality or deletion of the user account if the user does not choose the privacy intrusive option.

[...]

The combination of privacy intrusive defaults and the use of dark patterns, nudge users of Facebook and Google, and to a lesser degree Windows 10, toward the least privacy friendly options to a degree that we consider unethical. We question whether this is in accordance with the principles of data protection by default and data protection by design, and if consent given under these circumstances can be said to be explicit, informed and freely given.

I am a big fan of the Norwegian Consumer Council. They've published some excellent research.

Posted on June 28, 2018 at 6:29 AM • 51 Comments

Comments

Lukas • June 28, 2018 7:25 AM

I wonder what the actual effect of this is. When in doubt, I've now started to automatically pick the "discouraged" options in these dialogs. For me, the affordances added by these companies have the opposite effect of what was intended.

Ion • June 28, 2018 7:41 AM

Beautiful and at the same time so ironic. So it is immoral to do that when the users can change the provider at any time, especially in 2018 when each of the major companies offers services that are equivalent of services coming from the others. Yet, the public that never had a choice to fund the wages, the wasteful meetings, the protocol or the pension plans of the authors, well, that is TRUE democracy and, of course it is moral.

As for excellent work and speaking up their minds and putting order in a seemingly chaotic world, well, it has been done in Moscow in the 1910s, in Berlin in the 1930s, in Madrid, Lisbon and the whole of the Eastern Bloc. Of course, someone has to step in and block the evil ***, capitalists, whatever.

ATN • June 28, 2018 8:21 AM

What is all this fuss about privacy anyway?
Any customer (i.e. paying) of the "free" service will anyway have access to all the information stored (with emphasis on what has been deleted in an undeleted form, with emphasis on what is restricted) in relation to his payment; and it seems such "free" organisations are not short of a few tens of billions considering the amount they are investing in...
Obviously if the customer is not paying enough he will only have anonymized data, but the "free users" have given complete authorisation to sell each and every one of their personal details.

vas pup • June 28, 2018 8:50 AM

@Ion. You have a very good point, BUT it is not capitalism per se which is predatory, but rather its modus operandi adopted in a particular country.
Norway is a capitalist country with capitalism with a human face, meaning they did not kill personal initiative (as in socialism: whatever you are doing, good, bad or nothing, your income is close to the same figure). At the same time they maintain healthy income inequality when it is not losing its stimulus feature, but do not let it go up to the level of the predatory/oligarchy model of capitalism.
You know the name of the country where 3 (three) people own the same amount of property as 50% of its population. If you don't - guess out of three times. Modus operandi propagates to almost all fields of life (privacy, healthcare, prison setting, legal system, demographics, you name it - list is long).

me • June 28, 2018 8:50 AM

@schneier
We question whether this is in accordance with the principles of data protection by default and data protection by design, and if consent given under these circumstances can be said to be explicit, informed and freely given.

THIS!!!

i don't get why "normal" laws are not applied on internet.
it's not that we need more laws for the internet, we just need to apply what exists.

for example this in italy falls under "deceptive commercial practices" (i'm not sure if i have translated it well)
but still nobody cares....

Hermann • June 28, 2018 8:51 AM

@Ion

> the users can change the provider at any time

No, they can't. With GAFA+ companies, free choice is a fallacy. You don't like Facebook and Twitter? Sure, you can use Agora and Mastodon. You won't miss any feature but you'll miss the size of their community (hello Meltcafe). I can hardly call this a choice. And even with such _alternatives_, you won't be able to escape pervasive Facebook iframes, preinstalled apps, Cloudflare/Google CDN and so on.

me • June 28, 2018 8:58 AM

another dark pattern of google:
when i bought my smartphone, every time i turned on location it asked "do you want to share your position with google or only turn on gps? bla bla accept/don't accept"

i clicked "don't accept", the next time i turned on location it asked the same thing again so i clicked "don't show again" and the "don't accept" button was grayed out, the only left option was accept...

so you could:
-accept and do something that you don't want to do
-click don't accept, every, single, time you turn on location (hoping that you never click by mistake accept, because you will have accepted forever)
-return the phone to the shop
-root the phone with cyanogenmod and get rid of all google bad things.
(this is what i did but it's not for anyone)

is this a real choice?
i don't think so...

me • June 28, 2018 9:01 AM

@ion
> when the users can change the provider at any time

it's like when police argued that they can use your mobile phone data location because *you chose* to give away that data, so you don't care about your privacy and they don't need a warrant.

question:
not using a mobile phone is a choice?
of course you can't choose to NOT use a mobile phone these days.

and since you *must* use a mobile phone you are giving away your location data, but this is not what you want to do.

in fact recently judges decided that police need a warrant to get that data and hopefully companies will stop selling them for the same reason.

it-fr3ak • June 28, 2018 9:02 AM

Also, when we update apps or the system, they add new options which are enabled by default. Or they just rename them and set them back to enabled.
So after each update, you have to check your privacy settings.
Very annoying and confusing.

me • June 28, 2018 9:18 AM

@it-fr3ak
True, but can go even worse, nintendo wii after an update forced you to accept new terms or they bricked your console!!
it's not like "if you don't accept you can't play newer games"
it was like "if you don't accept you can't use the console anymore"

echo • June 28, 2018 9:28 AM

You will never get an analysis like this within the UK of UK institutions nor the damage they do to the market or how this impacts citizens' rights. When push comes to shove there is the example of UK MPs blatantly and deliberately attempting to grant themselves a privacy exception for party political electioneering purposes. UK politicians claim "parliamentary sovereignty" when it suits them (and have dodged European Convention protocols using this as an excuse) when the exact legal status of "parliamentary sovereignty" is NOT a settled legal question as authoritative legal opinion asserts within the context of the House of Lords (now likely within the remit of the Supreme Court).

Why has no UK authority hauled Facebook, Google, Microsoft et al over the coals? I daresay because to act from the point of view of citizens' rights would uncover the sham of the Burkean doctrine parliament adheres to and would expose routine human rights and privacy abuses by the UK state.

me • June 28, 2018 9:50 AM

@it-fr3ak

you always have a choice!
in fact i decided to not "buy" (was a free game) a denuvo drm protected game. because that is my only choice if i don't want to support drm.
and the paid game that will come out soon will probably have denuvo drm too...
and also if i love that game i'm not going to buy it because of drm.
(i think that reasons are obvious in this forum, if not, and if it is not too much off topic, feel free to ask and i'll explain)

me • June 28, 2018 10:09 AM

@schneier
an interesting point in the report:
"Our opinion is that the findings are and will continue to be relevant even if the companies change their practices, because these examples illustrate the challenges consumers face in digital services at a given point in time"

i think they mean: "if now that we found you doing bad stuff you fix it. it doesn't matter, you broke the law and you have to pay"

it-fr3ak • June 28, 2018 10:27 AM

You're right, I was referring to normal users who don't know what they're doing. They just want to use the app.

gordo • June 28, 2018 10:34 AM

US Consumer Groups Urge FTC To Examine 'Deceived by Design' Practices
JUNE 27, 2018

EPIC and a coalition of consumer organizations sent a letter to the FTC about recent tactics by Facebook and Google to trick users into disclosing personal data. "We urge you to investigate the misleading and manipulative tactics of the dominant digital platforms in the United States, which steer users to 'consent' to privacy-invasive default settings," the letter states. The letter highlights a report by the Norwegian Consumer Council entitled "Deceived by Design," which details how companies employ numerous tricks and tactics to nudge users into selecting the least privacy-friendly options.

https://epic.org/2018/06/us-consumer-groups-urge-ftc-to.html

vas pup • June 28, 2018 11:19 AM

@gordo: Thank you! FTC is like a sleeping bear.
Has a power, but not using it actively. E.g. phone scams. Federal law prohibited caller ID spoofing which all fraudsters love to trick elderly folks in particular (the most vulnerable). How many of those fraudsters were actually penalized?
Same with privacy statements. FTC should develop requirements for those statements (clear, plain English - no legalese, short - you name it). Meaning require those statements are for CUSTOMERS/CONSUMERS understanding not company legal departments. Moreover, it looks a sound idea to have an independent escrow DB where on-line companies must save their policy with date effective, so anybody could check content relevant on particular date of service.
Same applied to CFPB (consumer financial protection bureau) - for financial business related to privacy. Unfortunately, the current administration tries to cut the power of that organization.

echo • June 28, 2018 11:43 AM

Isn't there a case for a reference model to be developed (with code samples) so companies cannot pretend they didn't know and/or accidentally created privacy breaching business logic in their systems?

Thomas W Colthurst • June 28, 2018 12:49 PM

It is way overstated -- perhaps even deceptive! -- to call these default values and UI affordances deceptive. (To wit: to deceive someone, you need to try to cause them to obtain a false belief. What false belief are the users allegedly acquiring here?)

What they are are nudges in the sense of Thaler and Sunstein. They are nudges towards a configuration that the companies in question clearly believe provides a superior user experience.

If the NCC report contained any sort of argument or evidence for believing that the "privacy friendly option" was in fact the best option for a majority of users for one or all of these products, then the rest of their findings might have some value. But since it doesn't, they don't.

(Note: I work for one of the companies in question, but I speak only for myself.)

herman • June 28, 2018 1:13 PM

The antiprivacy features are similar to the habit of antivirus program vendors that attempt to enumerate evil programs.

There are far fewer legitimate programs than illegitimate ones, but there is no money in making white lists of good programs that actually work. Similarly, there is no money in making privacy features that actually work.

The privacy battle was lost when the first glass window was invented.

echo • June 28, 2018 1:21 PM

@Thomas W Colthurst

What does the dictionary have to say about "pressure" and "coercion" and "cognitive bias" and "con" and "abuse of power"?

I had a stormy meeting this week where I challenged a professional "expert" in a large organisation who gave me some nonsense about not his field and a lot of other babble. When he claimed to offer a solution I gave him the polite version of "heard it all before" and "don't believe you" which was rapidly followed by "this is a solution" "he was not lying". One later "hello" followed by a quick meeting with the "solution" and a few quick questions later I discovered that: A.) They were not the promised solution and B.) He had lied and C.) He had done a disappearing act and his front office staff put up a wall of shrugs and denials. Cue one fuming taxi ride back where I had to put up with a macho taxi driver babbling on about Uber and how awful they were and whether (wearing above the knee dresses etcetera) I had any trouble off them. Don't get me started on the previous taxi driver who got me to this meeting and the nonsense he spouted with the macho and generally rude security guard at the front desk.

The short version of what I am saying is perspectives differ depending on what your starting position is and battling against a corporation who don't listen or fail to act upon complaints (assuming they don't go straight in the bin) is like banging your head against the wall without, sadly all too often, public exposure in the media or legal (and sometimes political) action.

A lot of these problems are caused to some degree not just by management but by lower down staff who aren't just lacking in knowledge of the critical issues but who don't value customers or who quite frankly have no more interest in their job than the pay cheque at the end of the month.

justinacolmena • June 28, 2018 1:33 PM

The popups ... have design, symbols and wording that nudge users away from the privacy friendly choices. Choices are worded to compel users to make certain choices, while key information is omitted or downplayed. None of them lets the user freely postpone decisions. Also, [they] threaten users with loss of functionality or deletion of the user account if the user does not choose the privacy intrusive option.

That is only the beginning. Even when the user explicitly chooses to protect her/his own privacy, that choice is more and more overridden in a sly manner rather than respected. The high-tech cartel's operatives tell nothing but lies about consumer-level privacy, of which there is, in effect, none.

Often the safest place for a targeted individual is on the front lines in the confusion and heat of battle. Whereas those persecuting a targeted individual often develop a pernicious support among "pillars of the community" on the home front, on the battlefront, a targeted individual's persecutors (spies) tend to expose their connections to the enemy in the "fog of war."

Carefully laid plans and scrupulous OP-SEC go awry in the heat of battle, and one must take advantage of that, and apply "Murphy's Law" to the enemy: anything that can go wrong will go wrong, but make sure it goes wrong for the opposing side, and not for one's allies.

Ed • June 28, 2018 1:48 PM

@Thomas W Colthurst,

Nice try Mr. Colthurst, or whatever your name really is. Deception can happen by omission of facts; a clear example of this would be omission of key evidence in a criminal trial. My eighth grader understands this. If you are smart enough to work for 'one of the companies in question', you should be smart enough to figure this out.

"... but I speak only for myself." Suuuure...

Birch • June 28, 2018 1:55 PM

@ion

By the same logic there should be no regulation of food, water quality, medicines... Any regulation just gets in the way of companies distributing harmful products when there are some notional alternatives and the public is kept uninformed. Applying some reasonable regulation is not the road to communism - it is setting up the standards for good professional practice. I just wish my government was as proactive and cared for consumers and citizens.

John • June 28, 2018 3:22 PM

Deception By Design

CR Researchers Find Facebook Privacy Settings Maximize Data Collection

Users have little control over how data is stored or used by the social platform

"The researchers found that the design and language used in Facebook's privacy controls nudge people toward sharing the maximum amount of data with the company.
In addition, they say, one privacy setting works differently in the iOS and Android versions of Facebook's app. And the iOS version could mislead consumers into believing that certain privacy protections are on when they are off, according to Katie McInnis, policy counsel for Consumers Union, the advocacy division of Consumer Reports, who led the research. That could prevent consumers from making informed choices."  
https://www.consumerreports.org/privacy/cr-researchers-find-facebook-privacy-settings-maximize-data-collection/


This is how Facebook collects data on you even if you don’t have an account
"There’s little you can do about it."
https://www.recode.net/2018/4/20/17254312/facebook-shadow-profiles-data-collection-non-users-mark-zuckerberg


There is a constant drumbeat of massive screw-ups daily from this gigantic scam called Facebook.
When the grandmothers start deleting accounts then we will know it's game-over.

PeaceHead • June 28, 2018 4:11 PM

Thanks for this very pertinent and relevant set of info and discussion point set.
I don't see anybody anywhere else trying to present this information openly for people to think about more thoroughly. Certainly mass media outlets of television and syndicated radio aren't usually helping.

The first step of problem-solving is acknowledging the actual problem(s).
Information like this starts to give us a fighting chance via awareness.

I was already aware of much of this stuff, but I'm not very good at concise dialog in a way that doesn't often put people off.

Thanks.

echo • June 28, 2018 5:38 PM

@Bauke Jan Douma

Since returning from holiday I have barely glanced at the media and almost entirely avoided UK media. I think I read maybe 2-3 articles at most. The wall of stupidity is just too much to bear.

This is likely a squid topic but it caught my eye and made me wonder if politics and all the kind of shenanigans highlighted by this topic's comments and the report cited by Bruce and work on algorithmically understanding language may have utility with respect of both organisational policy and implementations (especially in code) and the looser language of politicians and the media. Might it be possible for some kind of formal system to be developed along the lines of AI style systems in use by lawyers for analysing court judgments to pave the way for catching infractions by organisations in real time?

https://www.theatlantic.com/technology/archive/2018/06/how-computers-parse-the-ambiguity-of-everyday-language/563828/
How Computers Parse the Ambiguity of Everyday Language
Words with multiple meanings pose a special challenge to algorithms.

Somehow speakers of English master these many possible uses of the word with without anyone specifically spelling it out for them. At least that’s the case for native speakers—in a class for English as a foreign language, the teacher likely would tease apart these nuances. But what if you wanted to provide the same linguistic education to a machine?

John Bonham • June 28, 2018 6:07 PM

You can't sign up for gmail without a Cell phone number.

I remember not too long ago when I could.

Not everyone has a cell phone.

Major • June 28, 2018 6:24 PM

Boy, the sock puppets are coming out of the wall on this. Bots too, I think.

Or should I say:

Gender the footwear entertainment broke out of the prison. Nuts!! I think!! Obey! Obey! Obey!

Major • June 28, 2018 6:34 PM

And Google Chrome is still swearing, NO CROSSIES!!, every time I start Chrome, that it would improve my privacy if I'd only help myself and log in to my google account.

This whole thread makes me think of John Carpenter's "They Live!".

"Roddy Piper to the Googleplex... Alien invasion detected."

"But first, let us protect you: Log into your WeEatHumans.com account.

[LOGIN]

or press the bouncing pixel if you don't taste good."

Zephyr4 • June 28, 2018 9:56 PM

How fitting that a Scandinavian agency should analyse the aggressor’s methods in what is surely the digital equivalent of the Stockholm syndrome. Perhaps it would be best for all if we were to stop enabling our abusers.

JF • June 29, 2018 8:02 AM

@Bauke Jan Douma
Thanks for that reference and link - somehow, amidst all the news this week I had missed that tidbit.

@echo
"Somehow speakers of English master these many possible uses of the word with without anyone specifically spelling it out for them. At least that’s the case for native speakers—in a class for English as a foreign language, the teacher likely would tease apart these nuances."

Quite obviously not all Native English/American speakers learn to parse meaning out of ambiguity. I am thinking of political discourse in which the words spoken clearly are meant one way, but used out of context by the opponent as proof they said the opposite. Then amplified and repeated by supportive media.

A willful ignorance plays into this, I think, and some magical thinking. Think of our president's penchant for contradicting his own words, often in the same day. His true believers hold him to no standard at all.

echo • June 29, 2018 8:11 AM

@JF

Yes. Tony Blair was supposed to have possessed a similar quality of creating persuasive impressions which left people scratching their heads after wondering what they had agreed to. I have never forgotten how supine backbenchers who waved through a parliamentary vote the Iraq War on the nod. It is notable that Blair was a skilled barrister. Discussing any of this is such a complex and involved topic which I am sure many readers of this blog already know. I believe this is where the Norwegian Consumer Council report helps as many have observed. In the UK the equivalent is the watered down Consumers Association (self-funded via the Which magazine) much like the watered down Equality and Human Rights Commission which, conveniently, only has powers to intervene not prosecute and has been slowly defunded in what some would argue is a time when action is required more than ever. You hardly hear a peep out of either the CA or EHRC. Such is the institutional fear of "parliamentary sovereignty" and media collusion.

CallMeLateForSupper • June 29, 2018 9:50 AM

@John Bonham
"You can't sign up for gmail without a Cell
phone number. I remember not too long ago
when I could."

Really? Apparently they raised the drawbridge while I was distracted.

I know it's a fact that Google pressures users to "sign up" for 2FA, and the SMS species of 2FA requires a phone#. It's just pressure though - strong suggestion - and not a condition of service. If 2FA (and cell#) - or even just coughing up a cell# - ever becomes a condition of service, color me gone.

"Not everyone has a cell phone."

That is correct, of course. It is urban legend that everyone has, or needs, a cell phone.
But that conflicts with what "a lot of people are saying". ;-) Ya gots t' have a cell phone; what if someone wants to chat and you're out playing helicopter parent?! :-)

vas pup • June 29, 2018 11:29 AM

@Bauke Jan Douma • June 28, 2018 4:52 PM
Thank you for the link. Unfortunately, not good news. Corporate lawyer has his mentality already set up. Consumers (Joe/Jane) will probably not have FTC on their side.

albert • June 29, 2018 11:34 AM

@*,
Gmail has 1.2+ billion users.

@echo,
Blair's speech in favor of the Iraq War was one of the best speeches by a politico I've ever heard.


. .. . .. --- ....

echo • June 29, 2018 4:03 PM

@albert

I do agree his speech was a very powerful example of its kind. I felt at the time he was overcooking the case but given the barrister he is it has been said that he may have got caught up in his own case. Since Blair there has been a breakdown in "collective cabinet decision making" most notably over Brexit which has led to very undisciplined and cavalier behaviour. I do tend to agree with others that the mainland European style of governance may have the edge in terms of responsible decision making and believe this is something the UK can learn from.

People have their views some of which can become very polarised and heated but I am not inviting this. One study I linked to the other day in another topic and quoted from heavily mentioned Trump and I took great care to avoid mentioning his name to avoid inviting silliness which likely meant nobody read it.

Der Spiegel has some very interesting examples of mainland European argument on current contentious issues from a German perspective. Speaking of which I haven't read Le Monde in ages. Thanks for the inadvertent reminder!

http://www.spiegel.de/international/europe/interview-with-italian-interior-minister-salvini-a-1215157.html
http://www.spiegel.de/international/germany/migrant-policy-conflict-could-spell-the-end-for-merkel-a-1214503.html

https://www.lemonde.fr/le-monde-in-english/

VinnyG • June 29, 2018 5:05 PM

@John Bonham @CallMeLateForSupper re: GMail w/o cell phone # - Yes, you can, but to my best recall, you need to finesse your way past the entry field somehow or other (sorry, I was very annoyed at the time, and not keeping notes...) I just set up a new GMail account the other day, but not because I wanted one. I've had an original Barnes&Noble e-ink Nook 1 for several years. B&N recently announced end of support for the device. If they merely meant no more troubleshooting help or replacement parts, I would have been OK with that. Unfortunately, in their pea-brains, the definition of "support" apparently includes the ability to download a new book to it that I have paid them for :-

VinnyG • June 29, 2018 5:15 PM

Wow - certain char strings seem to invoke active code in posting here. My comment above was summarily truncated following what was intended to be a sad face emoticon. I won't retype it all. My basic point (beyond stating that one can set up GMail without providing a cell #) was that to set up my new Nook tablet that B&N forced me to buy to replace my original e-ink Nook in order to continue to read books I had purchased from them, I had to download some apps from the Google Play Store, which required me to create a GMail account. Which imo describes the pervasive coercion applied to the consumer in a nutshell. In order to do some function that real life requires, the consumer is forced to satisfy a series of requirements that have nothing directly to do with that function, yielding protection of private information at every turn...

Clive Robinson • June 29, 2018 5:49 PM

@ albert, echo,

Blair's speech in favor of the Iraq War was one of the best speeches by a politico I've ever heard.

I knew it was going to be at best mealy mouthed or just soapy sophistry before he had said it. I had worked out within a month or two of him being elected that he was not just a "crook" in the general sense, but actually a real criminal in the legal sense.

As for the WMD issue unlike most I actually had had some experience in the area, and thus knew that much of what was being claimed was "utter bull" and that the UN weapons inspectors were way more qualified both in expertise and boots on the ground intel than those politicos who were talking it up.

The point most people missed about Blair was how he saw himself with respect to Thatcher... She had had a strong relationship with the then US President and her flagging popularity massively boosted by the Falklands War that many wearing the green or blue were involved with some to the ultimate price.

It was clear Blair wanted to "out do Thatcher" so not only needed the reflected glory of a US President but his own "Glorious War"... So he willingly became "Bush's Poodle" who in turn was the stooge for the neo-con plans for setting the Middle East on fire. But few realise that Bush needed Blair to legitimize the neo-con strategy with an international --faux-- legitimacy.

Thus all the deaths, carnage and follow on that has happened in the Middle East is very much down to Blair's vanity.

I have no hesitation in calling him not just a criminal but a war criminal of the worst form, who saw no reason to start a war other than personal vanity, based on trying to look better than a person quite rightly called "Mad Maggie"... If one asks how many deaths are on his hands the answer is "So many they can not be counted in any meaningful manner".

65535 • June 29, 2018 7:25 PM

@Gordo, vas pup and Bauke Jan Douma

“US Consumer Groups Urge FTC To Examine 'Deceived by Design' Practices
JUNE 27, 2018”

Good attempt using the normal path.

@ vas pup

“gordo: Thank you! FTC is like a sleeping bear. Has a power, but not using it actively. E.g. phone scams. Federal law prohibited caller ID spoofing which all fraudsters love to trick elderly folks in particular (the most vulnerable). How many of those fraudsters were actually penalized? Same with privacy statements. FTC should develop requirements for those statements (clear, plain English - no legalese, short - you name it).”-vas pup

That is true. The FTC has blown any direction the political wind has blown. When a new political party comes in things change for the better or worse at many government agencies not only the FTC.

@ Bauke Jan Douma

The Intercept:

“Tucker was fined $1.3 billion by the FTC; the other two have active investigations with the agency, both over data breaches that exposed the personal information of hundreds of millions of Americans. Smith also reportedly represented Facebook, another firm under FTC investigation, though the company’s name doesn’t appear on the disclosure form. But Smith’s legal work for companies with questionable commitments to U.S. laws doesn’t stop there. For example, Smith, who made $1,612,500 last year at Covington & Burling, received compensation for legal services from practically all of the nation’s large financial firms, including Wells Fargo, JPMorgan Chase, Capital One, American Express, Bank of America, Goldman Sachs, BBVA Compass, Synchrony Financial (a maker of branded credit cards for department stores), PNC Financial Services, and the American Financial Services Association. Financial companies linked to Smith have paid tens of billions of dollars in fines for securities and consumer protection violations.”-The Intercept

https://theintercept.com/2018/06/27/andrew-smith-ftc/

This is typical of the ill political wind we have today. But, in years gone past there have been strong consumer advocate lawyers that fought on under almost any administration.

But, as my previous post indicates, our up and coming lawyers have no real experience with coding, databases, authentication methods, solid Https, iFrames, firewalls and so on.

Worse, these new lawyers may have become addicted to Google and Facebook. Some law firms may be using Windows 10 with Office 365 and meta-dating out their privileged legal papers to Micro$haft or some smart criminal or police tech guy using the latest Persistent implants on said law firm's computers. The other side has read the law firm's game plan and is prepared.

I would hope that our major law schools would include a good bit of technology training in with the tons of legal training for new lawyers. There is a dearth of tech savvy lawyers out there who can handle both criminal and civil [consumer rights] cases as it is.

I believe that is why we are seeing a bottleneck of cases very slow working through the system that involve deceptive consumer practices by big tech firms and very little success on that score.

All of the tech savvy lawyers have been hired by the big tech firms and the little guy/gal is left with the least tech competent lawyer to serve them. That is a travesty.

PeaceHead • June 29, 2018 8:10 PM

@John Bonham:

I remember using a free email site (not gmail, not hotmail, not hushmail).
And it was great. Then I decided to upgrade so I paid for better service for a year. It seemed great at first.

But then they changed their features and added an SMS texting thing as a "security" feature. So they claimed I needed to receive a text message to confirm my full payment and member status or something like that. I took a risk and did it. The SMS text came superquickly while I was still filling out forms.

I happen to know that's a type of exploit technique, by the way, but it seemed like maybe it was according to our "new normal" as consumers.

Later on, I got locked out of my paid account, so the SMS text thingy was supposed to be useful for getting my account back, but it failed.

Ultimately, after trying to recover a lost/stolen paid email account two or three times I realised that it was an international phishing expedition being run out of Australia. They had no mailing address, no telephone number, just a website to send money to and their email servers. You had to communicate to them using their "forms" which conveniently for them, often failed.

At first, it seemed like a site much much better than gmail and hotmail, because the featureset was impressive and I didn't get any spams at all. Their filtering was top notch. But by the time I quit using them, I realised that they probably knew the support "forms" didn't always work, but didn't care.

They are close enough via internet to process VISA/MasterCard/American Express transactions, but not close enough in terms of business practices to have a telephone number or address.

They are not alone in this way, even Amazon.com can be really hard to deal with at times, and they are a huge hack attack surface area target. More than once my account was usurped and their procedure to get my account back failed. I talked to them on the telephone, but their attitude was totally irresponsible until I reminded them that they get routinely hacked as a giant money-making corporation, while I'm just a typical end-user.

I eventually quit using them after a successful request from me to erase my personal info and reset my account so I could get in. But the damages are done in terms of personal info flowing on the net.

Some banks are just as sloppy if not sloppier--NO, I DON'T WANT VOICE RECOGNITION (as I learned from this site how voice recognition can be spoofed and improper purchases authorised automagically!!!)

I miss the days of landlines.
I am still gonna try and get a landline if I move though.
Somebody's gotta have them in case of emergency.

Peace be with ya.
May Peacefulness Prevail Within All Realms of Existence.

P.S.-@Bauke...

as per your claim that I am "fake". What type of role, person, occupation, hobby, appearance, credo, style, attribute were you expecting? The only thing about me that's ersatz is other people's illogical expectations of what I am contrary to just asking me. You seem to have participated both ways since you implicitly did seem to be asking me to explain to you who or what I am. If I am "fake" that implies you want me to "reveal my true self" type of thing.

I don't know what you were expecting about me, from me. But I will acknowledge that gossip about me is probably wildly incorrect.

I know of two conventional sources who made up nonsense about me locally. One source claimed that I "have a master's degree, am a genius", neither of which I have ever claimed. The other source, a since disowned former family member who is prone to habitual tall-tales and lies and argumentativeness (they even admit that they like to argue), and I now remember a third source... some folks who falsely accused me of assault; I went directly to the police for mediation and was "acquitted" pretty much on the spot and claims dropped no criminal charges even though they still say to me "you are not allowed here"... because they "don't like the verbage".

I think they don't like intellectuals and got spooked that I was using their hotspot to try and download a public domain file from the DOD. It didn't download from their hotspot, but I got it at home within a few minutes. It's a public domain file and so was their hotspot, but I voluntarily AVOID them, because I don't like being around people who are hostile for non-provoked reasons.

To answer your other question slightly more directly, yes, law enforcement has helped my community A LOT. And almost every day I witness a way how they are still needed. All that a person needs to do around here is read the newspaper, watch the daily news, or just talk to some of the local criminals. I have done all three. I try to stay out of everybody's way most of the time.

To be more direct, I'm an oddity, yes. But the confusion that it causes other people is not mutually exclusive of my honest to goodness personality, beliefs, and behaviors and activities.

I suspect that maybe you wanted to find out more of what type of person I am. Next time, just please say, "hey, you're kinda strange; please tell us more about yourself so we can read you better; then we won't be as ticked off if we disagree about the topic of the day." I don't go to DEFCON conventions on either floor/side.

Demasiado o Bastante. Bastante.

I don't claim to be 100% correct about everything at all times. So if u find flaws in my claims about technical educated opinions, you and all others here might as well know it--it's obvious to others anyhow. Luckily, some might assume I'm less educated than I really am, while others might assume that I'm more educated than I really am. I'm just a guy. Yeah, I'm a musician. Anybody clicking my link above would know that. The voice in the tune wasn't claimed to have been me; it's computer-generated ("situation is blinding light" tune).

OK, so let's not waste bandwidth on credibility audits. I'm done.

echo • June 29, 2018 8:12 PM

@Clive

I'm sure we could have a long discussion about this and other well trod topics. If there is a problem in the UK I would say it is the desire for power. One definition of power I read once stuck in my head: "Power is the ability to make someone do something they don't want to do" which is a different thing to "empowering".

gordo • June 30, 2018 3:32 AM

@ Bauke Jan Douma, vas pup, 65535,

FTC chairman Joseph Simons on the commission's authority and his pick of Andrew Smith as the new head of the Bureau of Consumer Protection:

“Our remedial authority with respect to data security and also privacy is something that’s of serious concern to me,” Simons said. “And I’m very nervous that we really do not have the remedial authority that we need in order to create a sufficient deterrent to deter the kind of conduct that we want to deter.”


[. . .]

Just two weeks into their tenures together, the FTC commissioners divided along party lines to approve Simons’ pick to lead the FTC’s bureau of consumer protection.

[. . .]

Simons defended Smith on Tuesday, saying that “he is now working for the government and his client is the commission.”

https://www.law.com/nationallawjournal/2018/06/20/ftcs-limited-data-privacy-power-makes-chair-joe-simons-nervous/?slreturn=20180530004103

A "sufficient deterrent" would be to enforce the law with "sufficient penalties", i.e., fines.

---

Data, Social Media, and Users: Can We All Get Along?
April 4, 2018
Chris Jaikaran

In considering legislative options, Congress could also consider granting regulatory authority to a federal agency or agencies, or it could create a new federal entity to regulate companies. It appears that agencies do not currently have authority to regulate the data security at social media companies. Instead, data security may be enforced at a company pursuant to a consent order with the FTC after an unfair or deceptive practice investigation.

https://fas.org/sgp/crs/misc/IN10879.pdf

---

And from The Hill:

"Simons dismissed concerns about Smith’s record, saying that most of the bureau’s work is handled by career staffers who will be able to take up the slack in the event that Smith must recuse himself from an investigation."

http://thehill.com/policy/technology/388069-ftc-names-lawyer-who-represented-facebook-and-equifax-as-consumer

Aside from the fact that the bureau of consumer protection's new chief will not be working on what may well be core cases (not your typical data breach cases), the issue is not so much whether staff is capable but whether the policy objective, "sufficient deterrent", is by way of remedies or penalties.

See also:

https://wp.nyu.edu/compliance_enforcement/2018/06/14/ftcs-cybersecurity-remedial-authority-limited/

gordo • June 30, 2018 3:49 AM

*may* not be working on what may well be core cases

---

Some hold that the best blue team players are ex-red team. In that light, conflicts of interest might be said to cut both ways.

Jon (fD) • July 3, 2018 2:21 AM

@gordo:

"A "sufficient deterrent" would be to enforce the law with "sufficient penalties", i.e., fines."

Or prison terms for those responsible? A CEO of a firm cannot (should not be able to, anyhow) get off with 'I didn't know what they (the underlings) were doing'. Even if they didn't know, ignorance is not an excuse and they should be held responsible, because they are in what is supposed to be the responsible position.

Try, "Sorry, officer, I didn't know how fast my car was going. It was my car's fault, really. Why are you ticketing me?"

Jon (fD)

Jim • July 11, 2018 1:12 PM

They make it sound as if Google and Facebook having your data is ok, while others having it is not ok.

In my opinion, Google is the biggest danger to us all. Just about every website has Google scripts running in the background, silently spying on you, er, silently collecting information about you. How do you think the average person would feel if there was a Google employee standing behind them taking notes every time they went online? Google is taking continual notes, but they are doing it secretly, not openly.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.