Computer chip defects force consumers to choose between speed and security

October is National Cybersecurity Awareness Month! Since this month was first observed 15 years ago, the world has gone from about 800 million Internet users to approximately 4.5 billion. Over that same period, an extensive amount of time and energy has been dedicated to improving cybersecurity and cyber hygiene.

Sadly, despite those good faith efforts, it does not appear that consumers have become safer. In fact, it is clear by now that most individuals have, in one way or another, been affected by some sort of hack or data breach—either on a personal computer or through a company that they have entrusted with their sensitive information.

To make matters worse, beyond the heightened cyber threat environment that exists today, a new hardware-based vulnerability found in almost every processor in the world has recently emerged, and it is making it increasingly difficult for consumers to keep their data protected.

A new report released by the National Consumers League’s #DataInsecurity Project, “Data Insecurity: How One of the Worst Computer Defects Ever Sacrificed Security for Speed,” discusses the threat these processor flaws pose to consumers—both in terms of the security of their data and the performance of their computer after security patches are applied—and how they can protect themselves in the future.

The report details seven publicly disclosed exploits, known as “Spectre,” “Meltdown,” “Foreshadow,” “Zombieload,” “RIDL,” “Fallout,” and “SWAPGS,” that take advantage of the flaws found in CPUs manufactured by AMD, ARM, and Intel. While Spectre affects all three major chip manufacturers, all six subsequent exploits largely affect only Intel processors.

The exploits, in short, can allow a hacker to obtain unauthorized access to privileged information. And while patches have been released alongside each exploit, they have led to a decrease in computer speed and performance—as much as 40 percent according to some reports. In addition, the patch is only good until the next exploit is discovered.

The flaws create a real challenge for consumers: apply each temporary “fix” as new exploits are discovered and risk slowing down your device, or don’t and put your sensitive information at risk. And consumers who apply patches remain at the mercy of companies that hold their sensitive data and are faced with a similar dilemma, particularly as they must consider the expenses of implementing these fixes—including costs to add computing power lost by each patch.

The report concludes that the best protection for consumers is to buy a new computer that has a CPU with hardware-level security fixes or is immune from some of the exploits. Unfortunately, this is not practical for many consumers. Therefore, consumers are advised to perform frequent software updates. NCL is also strongly supporting data security bills, such as the Consumer Privacy Protection Act of 2017, which would require companies to take preventative steps to defend against cyberattacks and data breaches and to provide consumers with notice and appropriate protection when a data breach occurs.

As we mark this year’s National Cybersecurity Awareness Month, we should certainly celebrate the progress that we have made. We cannot lose sight, however, of the need to better secure our information and systems moving forward. Awareness and smart data hygiene by consumers is one part. Companies must do their part to secure our information as well.

If you are interested in learning more, you can find NCL’s latest report here.

If you care about cramped airline seats, you should care about the FAA’s evacuation tests

Last month, I had the pleasure of testifying before the House Aviation Subcommittee on the implementation of the Federal Aviation Administration’s 2018 reauthorization bill. My testimony touched on many of the pressing consumer protection priorities for airline passengers teed up by the 2016 and 2018 FAA reauthorization bills. 

The big news coming out of that hearing, however, was FAA Deputy Administrator Daniel Elwell announcing that the FAA will this November conduct its first evacuation tests with live participants in two decades. While this may sound like the kind of announcement only politicos should care about, it’s actually a very big deal for anyone who flies.

Why is that, you may ask?  

FAA regulations require that the “maximum capacity” of an aircraft must be able to be evacuated in less than 90 seconds in an emergency. The analogy is to the “maximum capacity” signs you may have seen in conference rooms, hotels, or other public spaces. Since the 1990s, airlines have gotten fuller, seats have gotten smaller, and more bags and support animals have been brought into the cabin. Despite these changes, FAA has not updated its evacuation standards and has been content to allow airlines to self-certify that they can meet the 90-second threshold, largely based on computer simulations.

This all changed last July when Congress passed the 2018 FAA Reauthorization Act which requires FAA to set minimum seat size standards. That’s why Dan Elwell announced that the FAA will be conducting the tests in November. The airlines, which have been pulling down record profits in recent years as they’ve steadily crammed more butts into more and smaller seats, will almost certainly want the FAA to give its blessing that their sardine cans are safe.  

Unfortunately, the FAA seems intent on granting them their wish. The advisory committee it appointed to provide feedback on the evacuation standards is packed with industry insiders and hamstrung by its own charter from considering seat sizes and seat pitch (the room between seats) as part of its recommendations. The DOT’s Office of Inspector General has an ongoing audit of the evacuation standards, but there’s no indication that the FAA will wait on the results of that audit before it conducts its tests. 

We can’t let the FAA rubber stamp the airlines’ current inhumane and potentially unsafe seating configurations. That’s why NCL, along with a coalition of consumer and flyers rights groups, this week sent a letter to the FAA and the DOT urging them to update their evacuation standards before the November tests. We’re calling on the agency to update its evacuation testing standards to account for things like the presence of passengers with disabilities, parents who are separated from their children (thanks in no small part to rising seat reservation fees), full overhead bins, and passengers who insist on taking their bags with them when they evacuate (or, even worse, filming themselves evacuating). These are all factors that are likely to slow down evacuations, but FAA’s evacuation testing standards don’t account for them.

Updating evacuation testing standards may sound like wonky, inside-the-Beltway bureaucratese, but the consequences of not doing so could be deadly.

Why won’t New York’s governor Cuomo ban a nasty pesticide that harms children?

Reid Maki is the director of child labor advocacy at the National Consumers League and he coordinates the Child Labor Coalition.

Something really curious is happening in New York State. In June, the New York Assembly passed a bill to ban the nasty pesticide chlorpyrifos, which damages the development of children. But that’s not the weird part.

What’s surprising is that Governor Andrew Cuomo has not signed the bill, despite the fact that the NY Attorney General Letitia James joined five other attorneys general in suing the Trump Administration’s federal Environmental Protection Agency because it overturned an Obama Administration ban on the pesticide.

“Chlorpyrifos is extremely dangerous, especially to the health of our children,” said Attorney General Letitia James. “Yet, the Trump Administration continues to ignore both the science and law, by allowing this toxic pesticide to contaminate food at unsafe levels. If the Trump EPA won’t do its job and protect the health and safety of New Yorkers, my office will take them to court and force them to fulfill their responsibilities.”

The other states that joined the suit are Washington, Maryland, Vermont, Massachusetts, and California—the latter is the country’s largest agricultural producer (measured by cash receipts) and has decided to remove chlorpyrifos from the market in 2020. 

Studies have also linked chlorpyrifos to autism, cancer, Parkinson’s disease, reduced IQ, loss of working memory, attention deficit disorders, and delayed motor development.

Nationally, home use was banned in 2001 because of its impact on children’s developing brains. In 2018, Hawaii became the first state to enact a complete ban on its use, which includes farms.

Chlorpyrifos is also thought to damage male reproductive organs to the point that it can make men sterile.

Since food safety authorities determined that there was no safe exposure level to chlorpyrifos—that any trace of the pesticide was too dangerous—the European Union is expected to ban entry of food products contaminated with the pesticide next year.

In August, the National Consumers League (NCL) and the Child Labor Coalition (CLC), which NCL co-chairs, joined 80+ groups—including many from New York—on a letter, urging Governor Cuomo to sign the chlorpyrifos ban. We were naïve enough to think he would.

With an avalanche of data suggesting it is too dangerous to use and his own attorney general suing over its use, why has Cuomo seemingly decided not to ban the pesticide? We can only guess. In July, the governor signed landmark legislation to protect farmworkers from labor abuses, ensure equitable housing and working conditions, and grant them collective bargaining, overtime pay, unemployment compensation and other benefits.

Farmworkers are some of the most exploited workers in America, and we applaud the governor for doing the right thing, but he seems to be taking the position that—having done something farm owners didn’t like—he shouldn’t sign the chlorpyrifos ban because they won’t like that either. The farmers see the pesticide as an effective tool to help them grow crops.

The problem is that chlorpyrifos doesn’t just harm those who eat farm produce; it harms the very people that produce crops—the farmers and the farmworkers and the children of both.

Should giving farmworker labor rights mean that it’s okay to endanger their fertility and cause their children to suffer developmental delays or autism? And from the farmers’ perspective, shouldn’t their children be protected from those afflictions? The governor shouldn’t be striving to protect some of the people some of the time, but should protect all of the people all of the time.

Reducing the mountain of waste on airplanes

On a flight to Idaho earlier this week, I brought my own coffee mug. My flight attendant was unexpectedly enthusiastic: “Anything that will help save the planet,” she said. I do not find this to be the case at Starbucks, where baristas insist on giving me a new plastic cup when I’m getting my iced tea, or at the Nespresso counter at Bloomingdales, which recently refused to serve me a coffee in my own cup. Reducing our personal footprint should be a big issue for all of us as we see the rapid pace of climate change and what it is doing to our beloved planet.  

At home, I can compost food scraps, choose to take public transportation, minimize food waste, and drive a hybrid car. But it’s tough to do your part to conserve, reduce, reuse, and recycle and try to “save the planet,” as an airline passenger. The New York Times reports that the average air passenger generates three pounds of waste in the form of plastic cups, headphones, food left on plates, wrapping for snacks, and plastic cutlery; multiply that times 4 billion passengers a year, and it really adds up!

Sixteen-year-old Swedish climate activist Greta Thunberg opted to sail to New York from Europe to avoid being part of the problem: emissions from airplanes.  

The International Air Transport Association (IATA), a trade group representing the airlines, estimated that planes generated 6.7 million tons of cabin waste last year. Another group that studied the waste found that it broke down as 33 percent food waste, 28 percent cardboard and paper, and 12 percent plastic.   

So, what are the airlines doing, and how can consumers be part of the solution? Well, airlines are under pressure to conserve precisely because consumers are demanding they do so, as the New York Times article reported. Air France said it would eliminate 210 million single-use plastic items like cups and coffee stirrers. Qantas has removed individually packaged servings of milk and Vegemite, and now serves meals in containers made from sugar cane, and utensils made from crop starch. Some United Airlines flights use “fully compostable or recyclable service ware.”

Consumers can inquire about recycling products and demand changes in rigid rules on tossing out untouched food and drink, in place supposedly to protect agriculture. The trade group IATA estimates that these untouched items make up 20 percent of total airline waste. As reported by the New York Times, companies employed to help reduce airline waste are making dishes from pressed wheat bran and “sporks” from coconut palm wood. 

Asking the airlines what they are doing to reduce waste is a good start. Let’s press the airlines for answers and, while we are at it: what about hybrid or electric engines on planes? That is a topic we can explore another day.

NCL applauds USP for new and revised compounding standards

Every day, thousands of consumers in the United States—including those with rare diseases or allergies to commercially available drugs—rely on specially and individually made medicines known as compounded drugs. Compounding is critically important for patients but, if done improperly, this process can pose significant risks to patients and healthcare workers alike. Patients could receive, and have received, contaminated drugs or preparations that are subpotent or super-potent. Healthcare workers, in turn, can face risks of exposure to hazardous drugs.

A stark example is the 2012 series of medical errors that resulted in the contamination of compounded medicines, which in turn caused a deadly fungal meningitis outbreak in the United States—killing more than 70 people and causing more than 750 cases of infection in 20 states.

To reduce these public health risks, Congress and other policymakers have swung into action. Today, compounding requires universal standards that advance public health and patient safety priorities. A key player in this is the United States Pharmacopeia (USP), a scientific non-governmental standards-setting organization, which recently published new and revised compounding standards to help produce consistent quality compounded medicines and ensure that patients receive medicines that are the right strength, quality, and free of contaminants.

These updated standards reflect the latest advancements in science and clinical practice, and incorporate input from thousands of stakeholders in the medical and public health community—patients, healthcare practitioners, policymakers, academicians, and industry. The standards complement robust implementation of existing laws intended to ensure quality compounded products with the goal of protecting the safety of patients.

Consumers have an important role to play as we roll out the new guidelines for quality compounding and implementation of the new USP standards:

  • If you receive compounded medicines through your pharmacist or healthcare provider, report any resulting adverse events to your healthcare provider.
  • Sign up for FDA email alerts on safe compounding.
  • Remember to always contact your healthcare provider if you have questions or concerns about your health.

NCL is encouraged to see that the revised USP standards are consistent with FDA guidances. We applaud the efforts of FDA and USP to collaborate with the public health community to help protect patient safety.

Unpacking the broadcast TV repack

If you live in one of the 16 million U.S. households that receives television channels via free, over-the-air (OTA) broadcasting, chances are good that you have seen or will soon see a message pop up at the bottom of your TV screen.

These messages may say things like “the channel is moving frequencies,” “rescan your TV,” or “weak or no signal.” Don’t fret that you’ll lose access to your favorite channels, however. Those messages are just your local TV station letting you know that the station has changed, or will soon change, frequencies.

Why is this happening? Several years ago, the Federal Communications Commission (FCC), cell phone providers, and TV broadcasters agreed to reallocate parts of the nation’s spectrum that currently carry broadcast television to instead be used for wireless broadband services. This meant that broadcasters must move their stations to different parts of the spectrum to avoid interference with the wireless broadband signals.

For consumers, this means that over the next few years, you will need to re-scan the channels on your TV to continue receiving your broadcast channels. Depending on where you live, you may even have to re-scan on more than one occasion. Don’t worry—the channel numbers you’re used to won’t change. Any preparation that must go into tuning your TV to the new spectrum should be done automatically by your TV during the re-scan process.

Fortunately, the FCC and the broadcasters are going all out to make sure that consumers are not caught unaware by this process (known in industry jargon as the broadcast “repack”). The fastest way to get up to speed is to check out the FCC’s new video explaining the process and what buttons to press on your remote control to re-scan for new channels. The FCC also has a very useful website with FAQs and links to additional resources that can help answer TV owners’ questions. The National Association of Broadcasters also has a great resource with step-by-step instructions on how to re-scan at TVAnswers.org.

Unfortunately, we anticipate that scammers may try to latch on to the repack process. Back in 2008, fraudsters had a field day with the digital television (DTV) transition process, peddling worthless “coupons” and other scams to take advantage of consumer confusion over changes to their TV service. As the repack process gets underway, we anticipate that scammers will be looking for ways to take advantage. For example, fraudsters have recently been advertising “miracle” TV antennas claiming they can do things they actually can’t, like getting cable TV broadcasts. As the TV repack gets more media coverage, it’s likely that more potentially misleading or fraudulent ads like these will start showing up in people’s email inboxes, in mailers, and on the radio or in newspapers. If you come across one of these scams, be sure to report it to NCL’s Fraud.org campaign via our secure online complaint form.

For the vast majority of OTA TV watchers, the transition is likely to happen without much friction. Nonetheless, getting familiar with the FCC’s resources and keeping an eye out for the scams could help avoid an expensive headache. Until then, happy re-scanning!

Alabama’s abortion ban is an assault on reproductive freedom

Nissa Shaffi

On May 14, 25 white male legislators in Alabama decided the fate of reproductive health for millions of women in their state. This astonishingly homogeneous group supported the Human Rights Protection Act [SB 314] 25-6. Although women make up 51 percent of Alabama’s population, only 15 percent of women serve in Alabama’s state legislature. A mere three women were present for the vote.

The measure is draconian. It will prohibit abortion in all cases, even in instances of rape or incest, and will only permit the procedure in situations where the mother’s life is in danger or if the child presents a “lethal anomaly.” Physicians convicted of performing abortions could face Class A felony charges–carrying a punishment of up to 99 years. To put this into perspective, if a woman is raped and impregnated, her rapist would face less time in prison than would the provider who aborted the pregnancy.

In addition to Alabama’s extreme measure, five other states are considering so-called “Heartbeat Bills” prohibiting an abortion beyond six to eight weeks of pregnancy if fetal cardiac activity is detected. Semantics matter because, at six weeks, a fetus technically only consists of “a group of cells with electrical activity.” This time frame is crucial because most women are not even aware that they are pregnant and therefore cannot make a timely decision.

We’ve been here before. Before Roe v Wade–the 1973 landmark case that declared the criminalization of abortion to be unconstitutional, thus securing a woman’s right to choose–200 women died annually because they could not access abortions legally.

Banning abortions will not prevent women from getting them. Indeed, shunning women and their healthcare providers only creates an environment where women must seek dangerous methods to end their pregnancies. An estimated 30,000 maternal deaths occur worldwide as a result of clandestine abortions in countries where the procedure is illegal. Restrictive abortion laws threaten reproductive freedom and endanger lives.

Statistically, abortion rates drop in countries where contraception is easily accessible and where the procedure is legal. For example, in countries like Israel and New Zealand, abortion is subsidized by the government. Additionally, creating social infrastructures that support motherhood–such as paid maternity leave and offering affordable childcare–reduces the incidence of abortion.

The National Consumers League strongly opposes punitive and cruel bills like the one in Alabama. Abortion is not a decision women enter into lightly. These are often excruciating decisions, which ultimately must be at the discretion of a woman and her doctor. These bills strip women of their agency to make safe and informed choices about their body, health, and lives. Alabama’s laws and their ilk are regressive and endanger the health of women, especially those of limited means. We call on all state legislators to recognize this fact and lift these terrible restrictions.

Technology can limit speeds on cars; EU set to require it

According to reports, the European Union (EU) is set to require a sophisticated set of technologies on all vehicles to limit driver speeds, described as satellite location cameras, intelligent speed assistance, video cameras, data recorder, and emergency braking starting in 2022. They say it will increase safety–but at what cost?

These measures will purportedly reduce fatalities by 20 percent and prevent 25,000 deaths over a 15-year period. Consumer advocates care deeply about auto safety, but how it’s done, what measures are used, and who pays for it is also important. There’s anger and skepticism in Europe about these kinds of measures. I must say, I share some of that concern.

Here in Washington DC, the Mayor and City Council put hundreds of speed and red light cameras all over the city and imposed large fines—$150 in some places for a first offense—for violations. DC has a lot of low- and middle-income residents; NCL looked at the placement of the cameras and found the biggest revenues were generated in heavily African American neighborhoods. And though the rationale for the cameras is pedestrian safety, after these cameras have been in place for several years, pedestrian injuries and fatalities are once again on the rise. The fines have become a cash cow for the city, generating well over a half billion dollars. Apparently, they haven’t done much to actually improve pedestrian safety. And I’ve talked to many people who drive for a living—they’ve all received the pricey $150 tickets for going 36 mph—while otherwise driving safely, some on roads that have virtually no foot traffic.

There’s more to learn about the new EU rules. Germany has no set speed limit, but in France, backlash on its limits has resulted in half the network of speed cameras being destroyed. I’m more of a “build safer cars” advocate, not “impose draconian fines on drivers.” The former is more effective in preventing injury and death. Two EU rules that have reduced fatalities significantly, mandatory seat belt usage and performance standards for crashworthiness of vehicles, make a lot of sense. So does emergency braking technology, because it’s automatic when conditions trigger it. But I fear that more video cameras, data recorders, tracking the location of vehicles—all of which raise privacy issues—may sound good but won’t bring safer roads and will just result in more fines generated for municipalities.

We will be watching with interest the EU rollout of required technologies on cars. We should observe it closely because the United States will probably not be far behind.

What broadband privacy?

When you ask consumers about the kind of information that they’d like to keep private, location data is usually near the top of the list. That’s why Motherboard’s recent investigation into cell phone companies’ location data sharing services is so troubling.

In the sting, Motherboard reporters paid a bounty hunter $300 to locate a phone. The bounty hunter was able to find the phone without any hacking tools. Instead, he used real-time location data originally sourced from the phone’s wireless carrier.

Additional reporting revealed that approximately 250 bounty hunters and related companies had access to AT&T, T-Mobile, and Sprint customer location data. To put this in perspective, one bail bond firm admitted to utilizing phone location services at least 18,000 times, and other companies used the services thousands or tens of thousands of times.

These kinds of abuses are exactly what NCL and other public interest groups were worried about when we supported the Federal Communications Commission’s (FCC) 2016 broadband privacy rules. Those common-sense rules would have prohibited Internet service providers (ISPs) from sharing consumers’ location data and other types of sensitive information without their consent. In particular, NCL filed comments urging the FCC to create strong data security rules for ISPs.

When the FCC adopted its broadband privacy rules in October 2016, it was a victory for privacy and data security advocates. Unfortunately, those rules would be short-lived, thanks to Congress’ decision to use the Congressional Review Act (CRA) to overturn the rules in March 2017. By using the CRA to overturn the broadband privacy rules, Congress effectively precluded the FCC from ever passing “substantially similar” rules in the future.

The Motherboard investigation has not only sparked multiple responses calling for a more detailed investigation but also confirmed two important things: that ISPs have been irresponsible with consumers’ data and that broadband privacy rules are still needed.

House Energy & Commerce Committee Chairman Frank Pallone (D-NJ) wrote FCC Chairman Ajit Pai, asking him to provide an emergency briefing explaining what the FCC has done to address the broadband privacy issue. Incredibly, Chairman Pai declined. FCC Commissioner Geoffrey Starks commented on the recent findings saying, “the for-profit location data industry has flourished in the shadows without any government oversight.” Additionally, Motherboard’s revelations prompted calls from senators and FCC commissioners to investigate the cell phone companies’ data sharing practices. While investigations are a good start, real consumer privacy protections can only come through legislation. If you don’t think that cell phone companies should be allowed to sell your personal information without your permission, now is the time to call your Congressional representatives and tell them you want real broadband privacy protections.

Rubio’s bill is an empty promise

Last month, Sen. Marco Rubio (R-FL) joined the growing list of Members of Congress, advocacy groups, and industry players who have released privacy bills. Rubio’s bill, the American Data Dissemination Act (ADD Act), exists primarily to relieve Congress of the January 20, 2020 deadline when the California Consumer Privacy Act (CCPA) takes effect. Absent action by Congress, the CCPA, the subject of a furious lobbying campaign to weaken it, will become the strongest consumer privacy law in the United States less than a year from now.

To say that privacy advocates are skeptical of the Rubio bill is an understatement. For starters, the bill makes no mention of stringent enforcement, heightened transparency, or timely notification of violations. Other bills from Senators Wyden (D-OR) and Schatz (D-HI), however, implement sensible provisions. These include defining sensitive information and requiring the Federal Trade Commission (FTC) to establish a Bureau of Technology, which would give the FTC more resources to investigate companies. However, Rubio’s bill maintains one stark difference: state preemption. Rubio has made it clear that his bill would preempt state privacy bills like California’s in favor of a federal privacy standard.

In comparison to the CCPA’s strict provisions, such as enforced rulemaking authority and timely notifications to consumers, Rubio’s bill would only give the FTC authority to craft privacy rules if Congress is unable to do so after more than two years of debate.

Rubio justifies this prolonged timeline by suggesting that Congress needs more time to make informed decisions to protect consumers and promote innovation. Rubio claims this approach is sensible because it ensures a non-partisan approach from the experts who are informed on the best course of action.

In reality, Rubio’s bill is a poor option for consumers and companies. For starters, the bill would only allow the FTC to craft privacy rules based on the guidelines in the Privacy Act of 1974. While the Privacy Act may have been timely back in 1974, it is hopelessly antiquated and unable to account for modern technological advancements. The Rubio bill fails to address issues like data minimization or data security standards and fails to broadly define personal information.

Ultimately, the Rubio bill exists to address industry concerns about a “patchwork of privacy bills.” It fails to add any substantive new consumer protections, despite the voluminous evidence that such protections are needed. Rather, the Senator suggests that in order to create a comprehensive data privacy bill, Congress needs more time—time which consumers, in this day of record-setting data breaches and privacy threats, simply do not have.