How consumers must respond to the security threat inside nearly every computer

Nearly two years ago, researchers revealed flaws in the chips of virtually every computer made since the mid-1990’s. The flaws—primarily found in Intel’s chips—create a vulnerability that can be exploited by allowing hackers to obtain unauthorized access to privileged information.

Since the initial exploits were first exposed, new versions have continued to be discovered—the most recent of which was found this past November. While software “fixes” have been released, they tend to reduce the speed and performance of computers—by as much as 40 percent, according to some reports. In addition, since the flaw is hardware-based, the “fix” is only good until the next exploit is discovered.

At the time of the discovery of one of the “worst CPU bugs ever found,” there was significant alarm expressed in the news as well as across the cybersecurity community. Since that time, public attention has waned. Unfortunately, the problem has only grown worse. And while there has been considerable discussion of the impact these flaws have on businesses, the impact on consumers has been somewhat overlooked.

That’s why NCL’s #DataInsecurity Project recently released a paper detailing the threat that these bugs, with scary names like Meltdown, Spectre, and ZombieLoad, pose to consumers, their data, and the performance of their computers.

Every organization or individual running a server or computer with affected hardware should take action to protect themselves. Unfortunately, consumers are less likely to know what to do or to have the resources to do it, leaving them more exposed.

For example, consumers are more likely to be running older or outdated software. Consumers are also likely to keep their computers much longer than a business does, making their hardware older as well. Because of the way these flaws work, older hardware generally sees a greater slowdown when the security patches are applied.

Additionally, the small businesses that consumers interact with may also be running “legacy” hardware or software. These businesses may not be able to afford the high cost of additional servers to offset the speed loss from the patches or of entirely replacing old systems. This difficult choice for small businesses could mean that some decide against applying patches – with potentially severe consequences for consumers’ data security.  

Google has taken preemptive steps to protect consumers, but it also warned that as a result of these security measures, “some users may notice slower performance with some apps and games.” Apple, conversely, has offered software patches but left other security measures as an “opt-in” for consumers.  

So, while consumers may not face the same type of risk as businesses, they do face a lot of challenges when it comes to addressing these exploits. Consumers already live in a heightened threat environment, filled with phishing emails and computer viruses. They shouldn’t have to choose between the security of their data and the performance of their computers.

To learn more about these issues and the best way to protect yourself, you can find NCL’s white paper here.

NCL calls for investigation of direct-to-consumer genetic testing industry in the wake of FamilyTreeDNA revelations

February 27, 2019

Media contact: National Consumers League – Carol McKay, carolm@nclnet.org, (412) 945-3242 or Taun Sterling, tauns@nclnet.org, (202) 207-2832

Washington, DC – Reports that DNA testing services like FamilyTreeDNA are sharing genetic data with law enforcement agencies should prompt regulators and Congress to consider new rules to protect consumers from abuses by the direct-to-consumer (DTC) DNA testing industry, said the National Consumers League (NCL) today. The reports about FamilyTreeDNA come on the heels of other revelations about lax data security and the potential for misinformation stemming from consumers’ use of DTC genetic testing kits. 

“Our genetic information is literally the code for who we are,” said NCL Executive Director Sally Greenberg. “The value of genetic data to law enforcement must be weighed against the significant potential for harm from misuse of such data. Our DNA data is tremendously sensitive, and extreme care must be taken to ensure that it is not used in unexpected ways or, even worse, misused to harm consumers. Unfortunately, the DTC genetic testing industry has exploded without effective oversight, leaving consumers at the mercy of companies whose primary goal may be monetizing this valuable data, not respecting their users’ privacy.” 

Specifically, NCL urges policymakers to take common-sense steps to better protect consumers’ genetic data, including: 

  • The Federal Trade Commission should immediately broaden its existing investigations of DTC DNA testing services to determine whether FamilyTreeDNA and similar services have engaged in unfair or deceptive trade practices by sharing genetic data with law enforcement without adequate notice and consent by users; 
  • DTC DNA testing websites should collectively pledge to obtain affirmative opt-in consent from current and new users prior to allowing law enforcement agencies access to users’ genetic data without appropriate legal process; and  
  • Congress should convene hearings to examine how widespread abuses of consumer privacy by the DTC DNA testing industry are and what, if any, new consumer protection regulations are needed to address the potential for consumer harm in this rapidly growing industry. 

For more information about the National Consumers League’s work on privacy issues and data security, visit https://www.fraud.org/data_breach.

About the National Consumers League

The National Consumers League, founded in 1899, is America’s pioneer consumer organization. Our mission is to protect and promote social and economic justice for consumers and workers in the United States and abroad. For more information, visit www.nclnet.org.


What broadband privacy? – National Consumers League

When you ask consumers about the kind of information that they’d like to keep private, location data is usually near the top of the list. That’s why Motherboard’s recent investigation into cell phone companies’ location data sharing services is so troubling.

In the sting, Motherboard reporters paid a bounty hunter $300 to locate a phone. The bounty hunter was able to find the phone without any hacking tools. Instead, he used real-time location data originally sourced from the phone’s wireless carrier.

Additional reporting revealed that approximately 250 bounty hunters and related companies had access to AT&T, T-Mobile, and Sprint customer location data. To put this in perspective, one bail bond firm admitted to utilizing phone location services at least 18,000 times, and other companies used the services thousands or tens of thousands of times.

These kinds of abuses are exactly what NCL and other public interest groups were worried about when we supported the Federal Communications Commission’s (FCC) 2016 broadband privacy rules. Those common-sense rules would have prohibited Internet service providers (ISPs) from sharing consumers’ location data and other types of sensitive information without their consent. In particular, NCL filed comments urging the FCC to create strong data security rules for ISPs.

When the FCC adopted its broadband privacy rules in October 2016, it was a victory for privacy and data security advocates. Unfortunately, those rules would be short-lived, thanks to Congress’ decision to use the Congressional Review Act (CRA) to overturn the rules in March 2017. By using the CRA to overturn the broadband privacy rules, Congress effectively precluded the FCC from ever passing “substantially similar” rules in the future.

The Motherboard investigation has not only sparked multiple responses calling for a more detailed investigation but also proves two important things: ISPs have been irresponsible with consumers’ data, and broadband privacy rules are still needed.

House Energy & Commerce Committee Chairman Frank Pallone (D-NJ) wrote FCC Chairman Ajit Pai, asking him to provide an emergency briefing explaining what the FCC has done to address the broadband privacy issue. Incredibly, Chairman Pai declined. FCC Commissioner Geoffrey Starks commented on the recent findings saying, “the for-profit location data industry has flourished in the shadows without any government oversight.” Additionally, Motherboard’s revelations prompted calls from senators and FCC commissioners to investigate the cell phone companies’ data sharing practices. While investigations are a good start, real consumer privacy protections can only come through legislation. If you don’t think that cell phone companies should be allowed to sell your personal information without your permission, now is the time to call your Congressional representatives and tell them you want real broadband privacy protections.

Rubio’s bill is an empty promise – National Consumers League

Last month, Sen. Marco Rubio (R-FL) joined the growing list of Members of Congress, advocacy groups, and industry players who have released privacy bills. Rubio’s bill, the American Data Dissemination Act (ADD Act), exists primarily to relieve Congress of the January 20, 2020 deadline when the California Consumer Privacy Act (CCPA) takes effect. Absent action by Congress, the CCPA, the subject of a furious lobbying campaign to weaken it, will become the strongest consumer privacy law in the United States less than a year from now.

To say that privacy advocates are skeptical of the Rubio bill is an understatement. For starters, the bill makes no mention of stringent enforcement, heightened transparency, or timely notification of violations. Other bills from Senators Wyden (D-OR) and Schatz (D-HI), however, implement sensible provisions. These include defining sensitive information and requiring the Federal Trade Commission (FTC) to establish a Bureau of Technology, which would give the FTC more resources to investigate companies. However, Rubio’s bill maintains one stark difference: state preemption. Rubio has made it clear that his bill would preempt state privacy bills like California’s in favor of a federal privacy standard.

In comparison to the CCPA’s strict provisions, such as enforced rulemaking authority and timely notifications to consumers, Rubio’s bill would only give the FTC authority to craft privacy rules if Congress is unable to do so after more than two years of debate.

Rubio justifies this prolonged timeline by suggesting that Congress needs more time to make informed decisions to protect consumers and promote innovation. Rubio claims this approach is sensible because it ensures a non-partisan approach from the experts who are informed on the best course of action.

In reality, Rubio’s bill is a poor option for consumers and companies. For starters, the bill would only allow the FTC to craft privacy rules based on the guidelines in the Privacy Act of 1974. While the Privacy Act may have been timely back in 1974, it is hopelessly antiquated and unable to account for modern technological advancements. The Rubio bill fails to address issues like data minimization or data security standards and fails to broadly define personal information.

Ultimately, the Rubio bill exists to address industry concerns about a “patchwork of privacy bills.” It fails to add any substantive new consumer protections, despite the voluminous evidence that such protections are needed. Rather, the Senator suggests that in order to create a comprehensive data privacy bill, Congress needs more time—time which consumers, in this day of record-setting data breaches and privacy threats, simply do not have.

Carpenter v. United States: Impacts on privacy legislation – National Consumers League

The U.S. Supreme Court decision last week in Carpenter v. United States will shape the relationship consumers have with their wireless devices and the services they use every day for years to come. In a 5-4 decision, the Court held that by obtaining cell-site records, the U.S. government performed a search. By doing so without a warrant, this search was judged unconstitutional, violating petitioner Timothy Carpenter’s Fourth Amendment rights and reversing two previous decisions.

In the case, the FBI had requested records as part of an investigation into several Detroit-area armed robberies, and those records included details about call dates, times, and approximate locations. Carpenter asked that the cell phone evidence be suppressed because it was obtained in a search without a warrant.   

You’re thinking, “And? I’m not accused of armed robbery,” but it’s bigger than Timothy Carpenter. The Carpenter decision affects all of us, and in essence redefines government searches in a digital age.

Think of your relationship with your cell phone. According to Pew, 95 percent of Americans now own one. The same study found that for one in five of us, our smartphone is our sole source of Internet service. We carry them to work, to school, to our homes, and to meet up with friends. They go with us to our meetings, appointments, and vacations. They are a key vector through which we’re understood. Part of that is an unprecedented ability to locate us. When 95 percent of us are moving and communicating with our phones, and when 20 percent of us are using them as our only personal Internet connection, government access to when and where we use cell phones becomes an inroad to very intimate surveillance.

The FBI obtained records defined by the Court as “personal location information maintained by a third party” under the Stored Communications Act (SCA). The SCA compels service providers to hand over records of electronically stored communications to the government, without a warrant requirement, provided there is evidence of the information’s relevance to an ongoing investigation. Last week’s decision sets a new standard for expectations of digital privacy at a time when consumers and government are grappling with how to think about our lives online using documents drafted by the nation’s founders.

NCL has previously stated that consumer privacy is an integral part of the data economy, and we advocate for robust consumer protections in this space to encourage safe and secure use of online services. We applaud the Court’s decision and see it as an important step in the fight to safeguard consumers’ data in the United States and beyond.

Rebecca Kielty is spending the summer with John Breyault’s team, working on consumer privacy issues as NCL’s 2018 Google Public Policy Fellow. Rebecca received her B.A. from the University of South Florida Saint Petersburg and her M.A. from Georgetown University.

The promise and peril of always-on ad filtering – National Consumers League

Last year, we examined whether the growth of ad blocking was partly a logical response to consumers’ desire to reduce their data security risk. The catalyst for that blog post was Google’s announcement that it intended to include ad filtering-by-default in its Chrome browser, the most popular browser on the market. Earlier this year, that promise became a reality as Google rolled out an update to Chrome that included the ad filtering function.

Much of the online discussion around this move has centered on whether Google’s move, while laudable for pushing for less-annoying ads, should be viewed as a way for Google to give its advertising business an unfair leg up. That conversation is one that needs to happen to ensure that Google doesn’t abuse its market position as both the leading browser maker and the Web’s dominant advertising platform. However, it’s also important to consider whether and how consumers’ data security could benefit from this move. In this blog posting, I take a look at some of the data security benefits that could flow from the growth of always-on ad filtering.

First, however, we must acknowledge that the Coalition for Better Ads (whose Better Ads Standard serves as the basis for Chrome’s ad filtering tool) had limited goals. One reason for this may be that the Coalition didn’t include any consumer organization representatives as it developed its standard; such representatives would probably have pushed for a broader scope. While removing annoying ads is certainly a plus for consumers, this limited scope means Chrome’s ad filter won’t address many of the reasons that consumers have increasingly embraced third-party ad blockers. As our colleagues at the Electronic Frontier Foundation recently noted:

This industry membership explains the limited horizon of the group, which ignores the non-format factors that annoy and drive users to install content blockers. While people are alienated by aggressive ad formats, the problem has other dimensions. Whether it’s the use of ads as a vector for malware, the consumption of mobile data plans by bloated ads, or the monitoring of user behavior through tracking technologies, users have a lot of reasons to take action and defend themselves.

Given this limited scope, what data security benefits can Chrome’s ad filtering provide to consumers? For one, filtering out annoying ads can help reduce consumers’ data security risk. When we first looked at this issue, we noted studies by UC Berkeley and UC Santa Barbara (supported by Google) and security firm Namogoo showing that tens of millions of browsers visiting popular websites were infected with malware and spyware.

Second, by having a default ad filtering function built in to Chrome, consumers’ need to install a third-party ad blocker can be reduced. While plenty of consumers install ad blockers for legitimate privacy reasons, scammers have found a lucrative side business in creating fake ad blocking software. For example, five fake ad blockers on the Chrome Web Store were downloaded more than 20 million times before the company shut them down this April.

Finally, as the impact of ad filtering on Chrome takes hold throughout the digital ecosystem, there will be pressure on other browser makers to improve their own technology to better protect consumers from ad-based malware. For example, in March, Mozilla announced that they will be rolling out ad filtering on their Firefox browser this fall. It seems likely that if consumers vote with their mouse clicks and choose more secure browsers, we’ll see other browser makers implement this technology as well.

Going forward, we will be monitoring whether default ad filtering on Chrome and other browsers has a demonstrable impact on browser infection rates. Ultimately, regardless of their browser choice, the goal should be for consumers to have a reasonable level of protection against browser-based malware attacks.

Target CEO is out – National Consumers League

This week, the CEO of Target, Gregg Steinhafel, resigned. He was unable to recover from the damage caused by a massive data breach at the company – which happened right in the middle of the holiday shopping season last year. Last December, Target announced that 40 million customers’ credit and debit cards and personal information had been compromised.  Steinhafel was with the company for 35 years.

Target’s experience is a cautionary tale for corporate leadership. The company was slow to respond to the panic that set in when consumers learned their card information had been compromised. I remember reading the advisory the company posted in December telling consumers all the things they had to do to protect themselves. There was precious little the company shared with its valued customer base – many of whom were Target credit card holders  – about what it intended to do to protect customers after the breach and into the future.

NCL issued a statement after the breach calling on retailers in the US to get with the program and adopt a more secure credit card system of Chip-and-PIN. That protocol is used widely in Europe and is less vulnerable to hacking at the point of sale. Criminals are busy 24/7 figuring out how to hack into retailer databases. We need to fight fire with fire. American consumers deserve the best protection for our financial transactions that the industry has to offer. Companies that don’t adopt these protections will find themselves much like Target  – losing customers’ trust and their business along with it.

Announcing the #DataInsecurity Project – National Consumers League

Last December, millions of consumers busily rang up more than $600 billion in holiday purchases. Unfortunately, hackers were also having a field day — at consumers’ expense. We learned that lax security procedures combined with an insecure payment mechanism resulted in as many as 110 million shoppers at retail giant Target having their personal information compromised.

Security researcher Brian Krebs, who first broke the story of the Target breach, recently published a startling set of numbers that demonstrates the impact of this one incident. They include:

  • $200 million – The cost to credit unions and community banks for reissuing 21.8 million credit and debit cards;
  • $18-35.70 – The median price range per card stolen from Target and resold on the black market in the months after the breach;
  • 1-3 million – The estimated number of cards stolen in the Target breach that were sold on the black market and successfully used to commit fraud;
  • $53.7 million – The estimated income that hackers generated from the sale of 2 million cards stolen from Target (at a median price of $18-35.70); and
  • $55 million – The size of outgoing Target CEO Gregg Steinhafel’s golden parachute.

Sobering as these numbers are, they represent the fallout from a single data breach, albeit a massive one. In 2013, the Verizon RISK team reported more than 1,300 data breaches. The non-profit Privacy Rights Clearinghouse, which tracks data breaches, reported that more than 257 million records were compromised last year as well. A recent study by the Ponemon Institute found that the average total cost of a data breach in the U.S. is $5.85 million per incident. The probability that a U.S.-based organization will experience a breach of at least 10,000 records in the next 2 years is 18.7 percent, according to the Ponemon study.

By 2020, annual global data production is expected to hit 35 zettabytes (or 35 trillion gigabytes). This data explosion will power unfathomable changes to consumers’ daily lives. However, the existence of that much data – much of it personal and very valuable to malicious actors – demands stronger security practices. Federal agencies like the FTC are doing yeoman’s work to hold companies to account for lax data security. But the FTC’s authority in this area is in question in the courts, and case-by-case adjudication is unlikely to sufficiently address the larger problem. Organizations like the National Institute of Standards and Technology have developed voluntary frameworks for cybersecurity, but companies and other entities are not compelled by law to adopt them. Standards bodies like the PCI Security Standards Council have industry backing, but they are sector-specific.

While no one can wave a magic wand and solve the problem of data security, more can and should be done in Congress to give enforcement agencies the tools they need to protect consumer data and prod industry to make data security a top priority.

That is why we are announcing today the launch of the NCL #DataInsecurity Project. We are calling on policymakers in Congress, federal agencies and the states to be champions for data security. For too long, policy inertia has prevented meaningful reform on Capitol Hill and elsewhere that would better protect consumers’ data. There are a number of promising bills currently pending in Congress, but more can and must be done. Pro-consumer steps to enhance data security include:

  • Creating a national data breach notification standard, modeled on strong state protections such as California’s;
  • Requiring businesses that maintain consumers’ personal data to protect that information via specific data security requirements;
  • Giving the Federal Trade Commission and state Attorneys General civil penalty authority to enforce violations of data security requirements;
  • Increasing civil and criminal penalties for malicious hacking;
  • Increasing efforts to enhance cooperation with international partners to bring overseas hackers to justice;
  • Requiring retailers and banks to implement the highest level of security available to protect consumers’ payment data.

In an era when vast amounts of data are being collected about them, consumers must have confidence that their information is safe. The Target breach was a wake-up call. We can no longer sit idly by while sophisticated hackers steal with impunity and businesses accept the status quo as just another cost of doing business. The time for reform is now.

FTC report shines light on continuing problem of ID theft – National Consumers League

In the world of fraud fighting, the release of the Federal Trade Commission’s Consumer Sentinel Data Book is something of a wonky holiday. Yesterday was no exception, with the agency publishing the annual report, which examines trends in the 2 million-plus complaints the FTC receives annually. The headline of the report was depressingly familiar: identity theft continued to be the biggest driver of complaints to the FTC for the 14th straight year. 

This trend is one of the reasons NCL produced our State of Identity Theft in 2013 report last year, which examined the continuing threat of ID theft and why we are making the issue of data insecurity a top priority in 2014.

Looking deeper into the Sentinel data, some additional interesting trends and questions come to light, including:

  • Does youth correlate with risk of identity theft? The FTC noted that 20% of ID theft complaints came from consumers aged 20-29, who comprise only 13.8% of the population. There is also a steady reduction in ID theft complaint rates as consumers get older. For example, 8% of ID theft complaints come from consumers aged 70-plus, which is consistent with their overall 9% distribution in the population. An open question is whether identity theft risk decreases as consumers age or whether the correlation is due to an increased likelihood that younger consumers will report identity theft.
  • The telephone is scammers’ contact method of choice. While recent news has been dominated by stories about high-tech data breaches, it appears that scammers are returning to a somewhat old-fashioned tool: the telephone. Last month’s Fraud.org Top Ten Scams report noted that telemarketing fraud was making a major comeback, with 36% of complaints mentioning the telephone as the method of contact. The FTC’s new data confirmed this, finding that 40% of complaints cited the telephone as the method of contact. The telephone is now the preferred method of contact by scammers, overtaking email for the first time since 2011. Congress is taking notice as well. In December, a bipartisan group of legislators introduced the Anti-Spoofing Act, which would crack down on scammers disguising their calls by altering Caller ID information.
  • Scammers shifting technique in “grandparent’s scams.” Con artists have long used the story of a loved one in distress to defraud consumers, particularly older adults. Also known as the imposter scam, this fraud starts with the fraudster calling a victim with an urgent appeal for funds to help a friend or family member in need. For example, the scammer might claim that a beloved grandson was in a car accident overseas and needs money to pay a hospital bill or to get bailed out of jail. More than 121,000 consumers reported an imposter scam to the FTC in 2013, an increase of more than 36,000 complaints since 2012. The scam is evolving as well. Whereas fraudsters used to impersonate a friend or family member, they are increasingly claiming to represent a business or government official.
  • Encouraging signs in the fight against lottery scams. For the second year in a row, complaints about this type of fraud have decreased (down by nearly 10,000 complaints since 2011). Thanks in part to consumer education campaigns like DeliveringTrust.com, growing awareness of these scams seems to be having an impact.

More than 2.1 million complaints were filed with the FTC in 2013, with reported losses of more than $1.6 billion. Given that fraud is a chronically underreported crime, we should assume that many millions more consumers were harmed. As we prepare to mark National Consumer Protection Week, this new data should serve as a reminder of the immense toll that fraud takes on U.S. consumers.

This data should push all of us — anti-fraud advocates, law enforcement, policymakers and everyday consumers — to redouble our vigilance in the fight against scammers.

Target data breach a wake-up call for retailers, policymakers – National Consumers League

Americans assume that, when they shop, their personal financial information will be kept private and away from identity thieves. Unfortunately, that is not always the case, as evidenced by the more than 4,000 data breaches that have been reported since 2005 — an average of more than one a day over the last nine years. The latest headline-making breach involving the mega retailer Target is making many of us wonder just how safe our data is.

After data breaches occur, the burden of monitoring credit cards and recovering lost funds typically falls squarely on the affected consumers’ shoulders. This can cost the consumer significant time and money. If you think your personal information may have been stolen by cyber thieves in the Target data breach, or in any other data breach, make sure you follow these tips:

  • Check credit card statements and your bank account every day to see if there are any unfamiliar charges. If you see any suspicious activity, report it to your bank immediately.
  • Monitor your credit report. It is a good habit to check your credit report at least once a year. If you think your personal information may have been compromised, check it sooner. Consumers can obtain one free credit report per year from each of the three credit reporting agencies via annualcreditreport.com.
  • Stay vigilant. Fraudsters may wait months to use your personal information.

Consumer advocates hope that the scale of the Target data breach will serve as the impetus for much needed data security reform. The time for change is now!

Although consumers’ financial information will never be 100 percent secure, there are things that can be done. Retailers can use advanced encryption technology and more secure firewalls. Credit card companies can encourage the use of “Chip and PIN” technology in their credit cards. Our politicians can pass legislation establishing a national data breach notification standard and urge the Obama Administration to explore incentives and penalties to encourage private sector businesses to better protect consumer data. These changes will not happen without pressure from consumers.

Target has provided a “responses and resources” page for consumers affected by the breach. Click here for more information. The FTC also has information for consumers online here.