How consumers must respond to the security threat inside nearly every computer

/in Featured Home - Fraud Prevention, Fraud policy, Fraud Prevention, ID theft, Privacy & security, Scams, Technology/by

Nearly two years ago, researchers revealed flaws in the chips of virtually every computer made since the mid-1990’s. The flaws—primarily found in Intel’s chips—create a vulnerability that can be exploited by allowing hackers to obtain unauthorized access to privileged information.

Since the initial exploits were first exposed, new versions have continued to be discovered—the most recent of which was found this past NovemberWhile software “fixes” have been released, they tend to reduce the speed and performance of computers—as much as 40 percent, according to some reportsIn additionsince the flaw is hardware-based, the “fix is only good until the next exploit is discovered. 

At the time of the discovery of one of the “worst CPU bugs ever found,” there was significant alarm expressed in the news as well as across the cybersecurity communitySince that timepublic attention has waned. Unfortunately, the problem has only grown worse. And while there has been considerable discussion of the impact these flaws have on businessesthe impact on consumers has been somewhat overlooked. 

That’s why NCL’s #DataInsecurity Project recently released a paper detailing the threat that these bugs—with scary names like MeltdownSpectre, and Zombieloadpose to consumers, their data, and the performance of their computers.  

Every organization or individual running a server or computer with affected hardware should take action to protect themselves. Unfortunately, consumers are less likely to know what to do or have the resources to do it, leaving them more exposed 

For example, consumers are more likely to be running older or outdated software. Consumers are also likely to keep their computers much longer than a business, making their hardware older as well. The way these flaws work, older hardware generally sees a greater slowdown when the security patches are applied. 

Additionally, the small businesses that consumers interact with may also be running “legacy” hardware or software. These businesses may not be able to afford the high cost of additional servers to offset the speed loss from the patches or of entirely replacing old systems. This difficult choice for small businesses could mean that some decide against applying patches – with potentially severe consequences for consumers’ data security.  

Google has taken preemptive steps to protect consumers, but it also warned that as a result of these security measures, “some users may notice slower performance with some apps and games.” Apple, conversely, has offered software patches but left other security measures as an “opt-in” for consumers.  

So, while consumers may not face the same type of risk as businesses, they do face a lot of challenges when it comes to addressing these exploits. Consumers already live in heightened threat environment, filled with phishing emails and computer viruses. They shouldn’t have to choose between the security of their data or the performance of their computers.  

To learn more about these issues and the best way to protect yourself, you can find NCL’s white paper here.

CBD is not the cure for whatever ails you

/in CBD, Featured Home - Health, Health, Health policy/by

Unless you’ve been living under a rock, you’ve surely seen the dozens of ‘miraculous’ CBD products available today. Health food stores, pet supply stores, gas stations, and even your neighborhood pharmacy and grocery stores are carrying a plethora of CBD-infused products. CBD is included in everything from lotions and oils, beauty products, pet treats, and “tampons.” You can buy CBD-infused workout clothing and even take CBD yoga classes.

CBD, or cannabidiol, is a compound found in cannabis and derived from the hemp plant. After the passage of the Farm Bill, CBD is now legal and CBD products are marketed as having little or no THC, the primary psychoactive element in marijuana. However, under the bill, these products may lawfully contain as much as 0.3 percent THC, which is enough to produce intoxication or a positive result on a drug test, which has led to many workers unwittingly losing their jobs.

Sales of products containing CBD have exploded in recent years. In 2018, Americans purchased $500 million in products containing CBD. By 2022, that amount is expected to more than triple to reach $1.8 billion nationwide.

Consumers, take note! Illegal marketing of these products include unsubstantiated health claims as innocuous as offering “a higher sense of well-being” to the extreme claims of therapeutic benefits such as treating Alzheimer’s and Parkinson’s disease, schizophrenia, or AIDS. 

Our concern is that most CBD products on the shelves today fail to meet the safety standards we have come to expect:

  • Most have not been scientifically tested for safety and efficacy.
  • CBD product labels aren’t accurate in lists of ingredients and potency.
  • The purity and potency of ingredients in most CBD products have not been verified by reliable third parties.

Without these safeguards, consumers may be using these products or offering them to their children and pets with blindfolds on.

Exaggerated claims of unproven benefits are nothing new, but with the legalization of CBD, there’s a new explosion of untested products that demand attention from regulators. CBD could be key to the development of many new treatments and therapies. One indication is the success of the first FDA-approved drug containing CBD in controlling two types of rare, childhood-onset seizures. However, without better regulation and enforcement, unsafe dosages of CBD and the use of adulterated products make for a minefield of consumer caveat emptor.

Clinical studies have demonstrated potential risks of CBD, including liver toxicity, fatigue, and harmful interactions with other drugs. The Food and Drug Administration (FDA) has recently begun to take action. In October, it issued a strongly worded advisory discouraging pregnant and breastfeeding mothers from using CBD products. It also recently warned a Florida company that was illegally selling unapproved products containing CBD online with unsubstantiated claims that the products treat teething pain and earaches in infants, autism, attention-deficit/hyperactivity disorder (ADHD), among other conditions or diseases. We welcome that action by the FDA, and we want to see it doing more.

Advocates recognize the dangers for consumers and we are mobilizing. Earlier this month, National Consumers League (NCL) staff presented at a roundtable discussion of consumers and other partners about FDA’s authority to protect consumers via product testing and regulation of product marketing. The discussion allowed further sharing of information and identified opportunities to bring commonsense changes to the marketplace.

Consumers need access to good information about CBD, how to understand concentration levels in products, and the products’ risks. The FDA should take a more active role as a regulatory agency overseeing products that make health benefit claims. Our regulators should help consumers understand the difference between FDA-approved medicines and consumer products, including a definition of a safe level of CBD.

We welcome the potential that CBD has to offer new therapies and treatments, but the products in the marketplace must be safe and proven effective with hard science. NCL is committed to doing its part to help protect and educate consumers.

Computer chip defects force consumers to choose between speed and security

/in Consumer policy, Consumer Protection, Featured Home - Consumer Protection, Featured Home - Fraud Prevention, Fraud policy, Fraud Prevention, imported, Privacy & security, Technology/by

October is National Cybersecurity Awareness Month! Since the first observation of this month 15 years ago, the world has gone from about 800 million Internet users to approximately 4.5 billion. Over that same period of time, there has been an extensive amount of time and energy dedicated to improving cybersecurity and cyber hygiene.

Sadly, despite those good faith efforts, it does not appear that consumers have become safer. In fact, it is clear by now that most individuals have, in one way or another, been affected by some sort of hack or data breach—either on a personal computer or through a company that they have entrusted with their sensitive information.

To make matters worse, beyond the heightened cyber threat environment that exists today, a new hardware-based vulnerability found in almost every processor in the world has recently emerged, and it is making it increasingly difficult for consumers to keep their data protected.

A new report released by the National Consumers League’s #DataInsecurity Project, “Data Insecurity: How One of the Worst Computer Defects Ever Sacrificed Security for Speed,” discusses the threat these processor flaws pose to consumers—both in terms of the security of their data and the performance of their computer after security patches are applied—and how they can protect themselves in the future.

The report details seven publicly disclosed exploits, known as “Spectre,” “Meltdown,” “Foreshadow,” “Zombieload,” “RIDL,” “Fallout,” and “SWAPGS,” that take advantage of the flaws found in CPUs manufactured by AMD, ARM, and Intel. While Spectre affects all three major chip manufacturers, all six subsequent exploits largely affect only Intel processors.

The exploits, in short, can allow a hacker to obtain unauthorized access to privileged information. And while patches have been released alongside each exploit, they have led to a decrease in computer speed and performance—as much as 40 percent according to some reports. In addition, the patch is only good until the next exploit is discovered.

The flaws create a real challenge for consumers: apply each temporary “fix” as new exploits are discovered and risk slowing down your device, or don’t and put your sensitive information at risk. And consumers who apply patches remain at the mercy of companies that hold their sensitive data and are faced with a similar dilemma, particularly as they must consider the expenses of implementing these fixes—including costs to add computing power lost by each patch.

The report concludes that the best protection for consumers is to buy a new computer that has a CPU with hardware-level security fixes or is immune from some of the exploits. Unfortunately, this is not practical for many consumers. Therefore, consumers are advised to perform frequent software updates. NCL is also strongly supporting data security bills, such as the Consumer Privacy Protection Act of 2017, which would require companies to take preventative steps to defend against cyberattacks and data breaches and to provide consumers with notice and appropriate protection when a data breach occurs.

As we mark this year’s National Cybersecurity Awareness Month, we should certainly celebrate the progress that we have made. We cannot lose sight, however, of the need to better secure our information and systems moving forward. Awareness and smart data hygiene by consumers is one part. Companies must do their part to secure our information as well.

If you are interested in learning more, you can find NCL’s latest report here.

If you care about cramped airline seats, you should care about the FAA’s evacuation tests

/in Consumer policy, Consumer Protection, Featured Home - Consumer Protection, imported, Transportation/by

Last month, I had the pleasure of testifying before the House Aviation Subcommittee on the implementation of the Federal Aviation Administration’s 2018 reauthorization bill. My testimony touched on many of the pressing consumer protection priorities for airline passengers teed up by the 2016 and 2018 FAA reauthorization bills. 

The big news coming out of that hearing, however, was FAA Deputy Administrator Daniel Elwell announcing that the FAA will this November conduct its first evacuation tests with live participants in two decades. While this may sound like the kind of announcement only politicos should care about, it’s actually a very big deal for anyone who flies 

Why is that, you may ask?  

FAA regulations require that the “maximum capacity” of an aircraft must be able to be evacuated in less than 90 seconds in an emergency. The analogy is to the “maximum capacity” signs you may have seen in conference rooms, hotels, or other public spaces. Since the 1990’s, airlines have gotten fuller, seats have gotten smaller, and more bags and support animals have been brought into the cabin. Despite these changes, FAA has not updated its evacuation standards and has been content to allow airlines to self-certify that they can meet the 90-second threshold, largely based on computer simulations. 

This all changed last July when Congress passed the 2018 FAA Reauthorization Act which requires FAA to set minimum seat size standards. That’s why Dan Elwell announced that the FAA will be conducting the tests in November. The airlines, which have been pulling down record profits in recent years as they’ve steadily crammed more butts into more and smaller seats, will almost certainly want the FAA to give its blessing that their sardine cans are safe.  

Unfortunately, the FAA seems intent on granting them their wish. The advisory committee it appointed to provide feedback on the evacuation standards is packed with industry insiders and hamstrung by its own charter from considering seat sizes and seat pitch (the room between seats) as part of its recommendations. The DOT’s Office of Inspector General has an ongoing audit of the evacuation standards, but there’s no indication that the FAA will wait on the results of that audit before it conducts its tests. 

We can’t let the FAA rubber stamp the airlines’ current inhumane and potentially unsafe seating configurations. That’s why NCL, along with a coalition of consumer and flyers rights groups this week sent a letter to the FAA and the DOT urging them to update their evacuation standards before the November tests. We’re calling on the agency to update its evacuation testing standards to account for things like the presence of passengers with disabilities, parents who are separated from their children (thanks in no small part to rising seat reservation fees), full overhead bins, and passengers who insist on taking their bags with them when they evacuate (or, even worse, filming themselves evacuating). These are all factors that are likely to slow down evacuations, but FAA’s evacuation testing standards don’t account for them. 

Updating evacuation testing standards may sound like wonky, inside-the-Beltway bureaucratese, but the consequences of not doing so could be deadly.

Why won’t New York’s governor Cuomo ban a nasty pesticide that harms children?

/in Child labor, Diseases and treatment, Featured Home - Health, Health, Labor, Workplace safety/by

Reid Maki is the director of child labor advocacy at the National Consumers League and he coordinates the Child Labor Coalition.

Something really curious is happening in New York State. In June, the New York Assembly passed a bill to ban the nasty pesticide chlorpyrifos, which damages the development of children. But that’s not the weird part.

What’s surprising is that Governor Andrew Cuomo has not signed the bill, despite the fact that the NY Attorney General Letitia James joined five other attorneys general in suing the Trump Administration’s federal Environmental Protection Agency because it overturned an Obama Administration ban on the pesticide.

“Chlorpyrifos is extremely dangerous, especially to the health of our children,” said Attorney General Letitia James. “Yet, the Trump Administration continues to ignore both the science and law, by allowing this toxic pesticide to contaminate food at unsafe levels. If the Trump EPA won’t do its job and protect the health and safety of New Yorkers, my office will take them to court and force them to fulfill their responsibilities.”

The other states that joined the suit are Washington, Maryland, Vermont, Massachusetts, and California—the latter is the country’s largest agricultural producer (measured by cash receipts) and has decided to remove chlorpyrifos from the market in 2020. 

Studies have also linked chlorpyrifos to autism, cancer, Parkinson’s disease, reduced IQ, loss of working memory, attention deficit disorders, and delayed motor development.

Nationally, home use was banned in 2001 because of its impact on children’s developing brains. In 2018, Hawaii became the first state to enact a complete ban on its use, which includes farms.

Chlorpyrifos is also thought to damage male reproductive organs to the point that it can make men sterile.

Since food safety authorities determined that there was no safe exposure level to chlorpyrifos—that any trace of the pesticide was too dangerous—the European Union is expected to ban entry of food products contaminated with the pesticide next year.

In August, the National Consumers League (NCL) and the Child Labor Coalition (CLC), which NCL co-chairs, joined 80+ groups—including many from New York—on a letter, urging Governor Cuomo to sign the chlorpyrifos ban. We were naïve enough to think he would.

With an avalanche of data suggesting it is too dangerous to use and his own attorney general suing over its use, why has Cuomo seemingly decided not to ban the pesticide? We can only guess. In July, the governor signed landmark legislation to protect farmworkers from labor abuses, ensure equitable housing and working conditions, and grant them collective bargaining, overtime pay, unemployment compensation and other benefits.

Farmworkers are some of the most exploited workers in America, and we applaud the governor for doing the right thing, but he seems to be taking the position that—having done something farm owners didn’t like—he shouldn’t sign the chlorpyrifos ban because they won’t like that either. The farmers see the pesticide as an effective tool to help them grow crops.

The problem is that chlorpyrifos doesn’t just harm those who eat farm produce; It harms the very people that produce crops—the farmers and the farmworkers and the children of both.

Should giving farmworker labor rights mean that it’s okay to endanger their fertility and cause their children to suffer developmental delays or autism? And from the farmers’ perspective, shouldn’t their children be protected from those afflictions? The governor shouldn’t be striving to protect some of the people some of the time, but should protect all of the people all of the time.

Reducing the mountain of waste on airplanes

/in Consumer policy, Consumer Protection, Environment, Featured Home - Consumer Protection, imported, Transportation/by

On a flight to Idaho earlier this week, I brought my own coffee mug. My flight attendant was unexpectedly enthusiastic: “Anything that will help save the planet,” she said. I do not find this to be the case at Starbucks, where baristas insist on giving me a new plastic cup when I’m getting my iced tea, or at the Nespresso counter at Bloomingdales, which recently refused to serve me a coffee in my own cup. Reducing our personal footprint should be a big issue for all of us as we see the rapid pace of climate change and what it is doing to our beloved planet.  

At home, I can compost food scraps, choose to take public transportation, minimize food waste, and drive a hybrid car.  But it’s tough to do your part to conserve, reduce, reuse, and recycle and try to “save the planet,” as an airline passenger.  The New York Times reports that the average air passenger generates three pounds of waste in the form of plastic cups, the headphones, food left on plates, wrapping for snacks, and plastic cutlerymultiply that times 4 billion passengers a year, and it really adds up! 

Sixteen-year-old Swedish climate activist Greta Thunberg opted to sail to New York from Europe to avoid being part of the problem: emissions from airplanes.  

The International Air Transport Association (IATA), a trade group representing the airlines, estimated that planes generated 6.7 million tons of cabin waste last year. Another group that studied the waste found that it broke down as 33 percent food waste, 28 percent cardboard and paper, and 12 percent plastic.   

So, what are the airlines doing, and how can consumers be part of the solution? Well, airlines are under pressure to conserve precisely because consumers are demanding they do so, as the New York Times article reported.  Air France said it would eliminate 210 million singleuse plastic items like cups and coffee stirrers. Qantas has removed individually packaged servings of milk and Vegemite, and now serves meals in containers made from sugar cane, and utensils made from crop starch. Some United Airlines flights use “fully compostable or recyclable service ware.”  

Consumers can inquire about recycling products and demand changes in rigid rules on tossing out untouched food and drink, in place supposedly to protect agriculture. The trade group IATA estimates that these untouched items make up 20 percent of total airline waste. As reported by the New York Times, companies employed to help reduce airline waste are making dishes from pressed wheat bran and “sporks” from coconut palm wood. 

Asking the airlines what they are doing to reduce waste is a good start. Let’s press the airlines for answers andwhile we are it: what about hybrid or electric engines on planes? That is a topic we can explore another day. 

Protecting information privacy: challenges and opportunities in federal legislation

/in Featured Home - Fraud Prevention, Fraud policy, Fraud Prevention, Privacy & security, Technology/by

Polly Turner-Ward

By NCL Google Public Policy Fellow Pollyanna Turner-Ward

On September 11, 2019, policymakers, industry stakeholders, and consumer advocates gathered at The Brookings Institution to discuss the pressing question of how to protect information privacy through federal legislation. Representing the National Consumers League was Executive Director, Sally Greenberg.

How did we get here?

To set the scene, panelists first discussed why there is consensus on the need for federal legislation to address privacy and data security. The Snowden revelations showed consumers how much of their data is out there, and they began to question whether companies could be trusted to keep their data safe from the government. More recently, in light of the Cambridge Analytica scandal and increasing instances of identity theft and fraud resulting from data breaches, consumers have begun to question whether companies themselves can be trusted with their data.

Businesses are worried about lack of consumer trust interfering with their adoption of digital products and services. For instance, parental refusal to provide consent to the collection and use of data regarding their kid’s academic performance prevents the personalization of their children’s learning experience. By providing individuals with greater privacy protections, businesses hope that individual participation in the digital economy will increase.

In response to consumer privacy concerns, a patchwork of state bills on privacy and data security are also popping up. Business claims to be overwhelmed by the idea of complying with these differing regulatory schemes, especially in light of the EU’s General Data Protection Regulation (GDPR), which has already moved many organizations to comply with privacy and data security rules. To support businesses and to regain U.S. privacy leadership, greater international operability is necessary.

What should federal legislation look like?

Each panelist set forth their idea of what federal legislation should aim to achieve. Intel drafted a privacy bill which includes various protections but which lacks a private right of action – that is, the ability to take wrongdoers to court if they violate privacy laws. If companies promise not to use your information in certain ways and then do it anyway, in violation of law, you should have the right to take them to court. NCL’s Sally Greenberg directed audience members towards the Public Interest Privacy Principles signed by thirty-four consumer advocacy and civil rights organizations. Advocating in favor of strong protections, strong enforcement, and preemption, and highlighting the importance of “baking data privacy into products and services”, she offered NCL’s vision of a strong, agile and adaptive national standard.

Panelists drew comparisons between this approach and that of the EU’s GDPR, but criticized the time-consuming and resource intensive nature of that legislation. They agreed that U.S. legislation should avoid being too prescriptive in the details. Rather than requiring documentation of policies, practices, and data flow maps, legislation should focus on high-level issues.

Breaking down these issues according to consensus and complexity, Cameron F. Kelly listed covered information, de-identification, data security, state enforcement, accountability, and FTC authority as solvable issues. Implementation issues, he said, include notice and transparency and individual rights (access, portability, right to object to processing, deletion, nondiscrimination). However, Mr. Kelly noted that disagreement clouds a number of complex issues. These relate to algorithmic transparency, algorithmic fairness, and data processing limitations (use restrictions). Until consensus is reached in these areas, disagreements about preemption and private right of action are unlikely to be resolvable.

Notice and Transparency 

While notice and transparency are important aspects of a comprehensive approach towards privacy and data security, it is difficult for consumers to process the volume of information contained in privacy policies. Consumers also often have little choice but to “agree” to services that are essential to everyday life. As such, legislators may wish to explore the extent to which a company may force an individual to waive their privacy rights as a condition of service. Consent should only have a limited role in relation to sensitive data uses, and companies should focus on designing user interfaces to enable meaningful consumer consent. Panelists criticized the California Consumer Protection Act (CCPA) for its lack of detail and for putting the burden on individuals to protect themselves. It was agreed that federal standards should move beyond notice-and-consent and put the burden back on businesses.

De-identification 

One panelist called de-identification the “secret sauce” to privacy. Preserving the utility of data while removing identification puts the focus on data processing harms. It is important to get de-identification right for valuable research purposes. However, de-identification is often not done well and confusion lurks around pseudonymization. This technique involves replacing personally identifiable information fields within a data record with artificial identifiers. As data remains identifiable using that technique, data security and privacy risks remain. Companies must be incentivized to effectively de-identify data, to not re-identify, and to contractually restrict downstream users from doing the same. To avoid conflating data security levels with pseudonymization levels, a universal and adaptable de-identification standard must be developed.

Data security 

Because data security is critical to privacy, panelists agreed that it is the foundation upon which privacy legislation should be built. Panelists warned against an overly prescriptive approach towards data security but suggested that the Federal Trade Commission (FTC) should offer more guidance. “Reasonable” data security depends upon the nature and scope of data collection and use. This affords organizations flexibility when adopting measures that make sense in terms of information sensitivity, context, and risk of harm.

However, determining data security standards according to the risk of privacy harm is difficult because “risk of privacy harm” is an unsettled and controversial concept. It was also debated whether “information sensitivity” should be used to determine the reasonableness of data security standards. Public Knowledge argued that all data should be protected in the same way because the distinction between sensitive and non-sensitive data is increasingly questionable. When data is aggregated and sophisticated technologies such as machine learning are applied, each and every data point can lead back to an identifiable person.

While use of off-the-shelf software should generally be considered reasonable, higher standards should apply to companies that are more aggressive in their data collection and use. Extending to third party processors and service providers, organizations must continually develop physical, technical, and legal safeguards. To ensure robust infrastructure to secure their data, they should run tests, impact assessments, and put resources towards data mapping.

Data processing limitations

In sectors ranging from education to healthcare, the use of data undoubtedly has the potential to help us solve many societal problems. However, data use is pervasive, and new and unpredictably bad outcomes are also possible. Consumers want data to be used in ways that benefit them, for data not to be used in ways that harm them, and for their data to be protected. However, information collection and sharing is largely unbounded. If Congress wishes to move beyond a notice-and-consent model and put the burden back on organizations that handle data, then the boundaries of how data should be collected, retained, used, and shared must be confronted. Without limitations, the high value of data will continue to incentivize organizations to collect and retain data for the sake of it. These practices increase cybersecurity and privacy risks on unforeseen levels.

Calling out data brokers, Intel’s David Hoffman stated that databases containing lists of rape victims are simply “unacceptable.” However, transfer restrictions are likely to be one of the hardest areas to reach consensus on. Use restrictions, which relate to what organizations can and cannot do with data at a granular level, may be approached by creating presumptively allowed and presumptively prohibited lists. Use and sharing could be presumptively allowed for responsible advertising, legal process and compliance, data security and safety, authentication, product recalls, research purposes, and the fulfillment of product and service requests. Meanwhile, use of data for eligibility determinations, committing fraud or stalking, or for unreasonable practices could be presumptively prohibited.

However, it is difficult to determine the standards by which a particular data use should be “green-lighted” or “red-lighted.” To determine if a data use is for a purpose related to that which a user originally shared data, factors may be considered such as whether the use is primary or secondary, how far down the chain of vendors processing occurs, and whether the processor has a direct or indirect relationship with the data subject. The FTC has done work to articulate “unreasonable” data processing and sharing, and the Center for Democracy and Technology’s Consumer Bill of Rights emphasizes respect for context (user expectations) by laying out applicable factors such as consumer privacy risk and information sensitivity.

However, “context” is difficult to operationalize. One option may be to grant the FTC rulemaking authority to determine issues such as which data uses are per se unfair, or which information is sensitive. The deception and unfairness standard has guided the FTC for decades. However, panelists were concerned about giving the FTC a blank check to use the abusiveness standard to deal with data abuses. Instead, the FTC could be given a clear set of instructions in the form of FTC guidance, legislative preamble, or written in detail in the legislation. If this approach is taken, it would be necessary to confront the difficult question of what harm legislation should seek to address. Because privacy injury is not clear or quantifiable, it is difficult to agree on the appropriate harm standard. A specific list of the types of injury – not an exhaustive list – resulting from data processing would give the harm standard substance, and algorithmic data processing ought to be directly confronted.

Because the purpose of data analysis is to draw differences and to make distinctions, the privacy debate cannot be separated from the discrimination debate. Intent to engage in prohibited discrimination is difficult to prove, especially with use of proxies. For instance, rather than directly using a protected characteristic such as racial heritage as a proxy to offer payday loans, an algorithm could use zip code or music taste as a proxy for race in order to decide who to advertise payday loans to. To provide clarity and to promote algorithmic fairness, existing discrimination laws could be augmented with privacy legislation by defining unfair discrimination according to disparate impact on protected classes (disadvantaged groups). Privacy legislation should ensure that data use does not contribute to prohibited discrimination by requiring risk assessments and outcome monitoring.

To increase consumer trust and to provide them with recourse when they suspect that they are the victims of unfair discrimination, legislation should directly confront algorithmic transparency and burden of proof. Consumers cannot be expected to understand the mechanisms that determine what advertisements they are presented with or how automatic decisions are made about them. However, organizations should not be able to escape liability by claiming that they do not have access to the data or algorithm necessary to prove discrimination claims.

Enforcement

Panelists agreed that State Attorney Generals need to be able to enforce the law and that the FTC requires increased resources and enforcement powers. As Congress cannot anticipate every possible scenario, it is appropriate to give the FTC narrow rulemaking authority, the authority to fine for first offences, to be able to approve codes of conduct, and to clarify guidance on how to comply with the law on issues such as de-identification. The FTC needs vastly more resources to be able to accomplish this oversight and enforcement role. The jury is out as to whether Congress will pony up.

Sally Greenberg described the importance of also including an option for private parties to bring class-action suits. However, there was disagreement between panelists about whether individuals should be able to privately enforce their rights where the government lacks the resources or will to act. David Hoffman highlighted evidentiary problems associated with the difficulty in proving privacy harms. To better serve the public, he argued in favor of the creation of a uniform standard with strong protections.

Preemption of state laws 

The objective of creating a consistent federal standard was emphasized as a key driving factor for industry for the creation of a federal bill. Not including preemption of state law is a kind of “deal-breaker” for industry. They claim that complying with a patchwork of fifty different data breach notification standards is hard today. It was suggested that states could be given a window of five years with no preemption to allow them to adapt and innovate, after which time the situation could be reviewed. Or the reverse – preempt for five years and sunset the federal law. These suggestions both have merit, but in the end, answering the questions of preemption and private right of action remain to be seen.

I’m going for the kids’ portion!

/in Featured Home - Food, Nutrition, & Obesity, Food, Food policy, Food waste, Nutrition/by

With overweight and obesity stats in an upward trajectory, the National Consumers League and the Georgetown School of Business are partnering up for a survey on a simple topic: what do Americans know about portion sizes, calories of average foods, and how many calories we can eat each day without packing on the pounds? 

We have a health crisis in AmericaFrom 2015-2016, 39.8 percent of American adults were considered obesewhich means the body mass index (BMI) measurements of more than 129 million of us are considered obeseThe annual medical cost of obesity is estimated at $147 billion because heart disease, stroke, type 2 diabetes, and cancers are tied to obesity. What is particularly concerning is that more than a third of younger people, ages 20-39, are obese.  

In fact, the New York Times reported that roughly a fifth of our soldiers are obese! The military is trying to combat this problem by replacing sweet drinks with water and cutting out fried foods, but it’s not working. 

The United States Department of Agriculture’s Dietary Guidelines recommend that the average person should consume about 2,000 calories a day. Do most of us know that if you exceed 2,000 calories day regularly, you pack on the pounds? (That’s unless, of course, you’re getting a lot of calorieburning exercise or have a great metabolism.) Is that number too high for many of us? (It is for me. If I eat more than 1,650 calories, I know I’m going to put on weight.That’s what we want to find out with our research: what do Americans really know about this guideline? 

We will also be asking whether most Americans know how many calories are in average serving of common foods such as yogurt (150), hamburgers with bun (350), pizza (350 per slice), bagels (325), muffins (425), 4-piece fried chicken dinner with all the fixings (850-1,200), a 30oz. steak (1,400), a piece of cheesecake (650)big chocolate chip cookie (450)and an ice cream cone (300-400.) 

Also, dAmericans know what an average serving is? A Cheesecake Factory salad is not an average serving! Each of their salads have more than 1,300 calories. That’s too much for one meal. Unfortunately, restaurant serving sizes have increased a lot over the last several decades. 

Which brings me back to my headlinekids portions! I’ve begun sampling my local downtown DC upscale food spots popular with millennials like Roti, CAVAChoptThe custom is that you order a bowl of lettuce or spinach as a base and put lots of pretty healthy but also pretty caloric toppingsadd a protein for a few bucks extra, and crowned with shredded cheese and salad dressing. When you’re done, you have a big portion and lots of good food but also lots of caloriesalbeit not from hamburger and fries but still, calories! 

So try the kids’ portion! They are cheaper by a thirda lot less food, a lot fewer calories, and completely filling. My CAVA kids meal had a small white bread (unfortunately) pita, yogurt spread, two small spicy meatballs, cucumber salad, tomato salad, three pieces of fried breadand scoop of brown rice. In other words, a lot of food! I figured it was about 550 calories. Voila! A third of my 1,650 allowable daily intake of food. And I was stuffed. I’ll be trying other food outlets to check out the kids portions. And we recommend that other consumers do the samehelps to limit calories and prevent food waste when you’re eating out!

Boy jockeys in Indonesia risk injury and death

/in Child labor, Compensation / Wages, Labor, Labor policy, Workplace safety/by

Reid Maki is the director of child labor advocacy at the National Consumers League and he coordinates the Child Labor Coalition.

I didn’t quite believe my eyes when I saw the recent New York Times headline: “For Indonesia’s Child Jockeys, Time to Retire at 10, After 5 years of Racing.”  The story, written and photographed by Adam Dean, revealed that child jockeys in Indonesia’s island of Sumbawa as young as 5 are racing horses and getting hurt in the process. The cultural practice is entrenched and boy jockeys are getting younger each year. “In the late ‘90s, jockeys were usually aged from about 10 to 14 years old, but then we found the lighter jockeys to be faster, and now they are aged from about 6 to 10, Fahrir H.M. Noer, a deputy chairman of one of the races, told reporter Dean.

As an advocate who has followed child labor closely for 20 years, I was not surprised that young children might do something dangerous. More than one million children around the world are engaged in mining, which is extremely hazardous. We’ve seen photos of children in the Philippines who mine underwater, connected to very precarious breathing tubes. Children work with toxic chemicals in leather tanning facilities; they help break apart giant ships. Nearly half the 152 million children trapped in child labor perform hazardous child labor.

In this case, however, I was surprised that that children, 5 to 10, could be asked to control animals so large and fast—a task that requires well developed athletic skills. Dean’s stunning photos confirm that this phenomenon is happening:

Racing around the first bend. Adam Dean for The New York Times

Child jockeys, between ages 5 to 10, in a professional race on the island of Sumbawa in Indonesia in July.

The Child Labor Coalition has been posting these photos on Twitter (@ChildLaborCLC) and there has been almost no response from our 17,000 followers. Several tweets have elicited only one or two retweets each. There has been no horror decrying the practice–no expressions of concern for the little boys.  I don’t know why this is the case. Cleary, jockeying a horse is dangerous and these children are too young. Is the public confused because horse racing is a sport? Or does it feel that the use of children as jockeys is an embedded cultural practice in Indonesia and somehow acceptable?

Dean tells the story of Firmansyah, 8, who fell off his horse while racing and hit his head on a wooden railing. Fortunately, the boy’s injury did not seem to be as serious as feared.

Although horse racing officials in Indonesia defend the practice of using child jockeys as part of the culture and something the children want to do, some Indonesian advocates disagree. The Times story quotes Arist Merdeka Sirait, chairman of the National Commission for child protection, a nonprofit: “This is clearly child exploitation. The horses move so fast. The boys ride the horses with no proper protection. This is violence against children. As children, they cannot say no to their parents or whoever ordered them to ride the horse.”

This new report of child jockeys is not the first. We’ve known for a long time that the Persian Gulf nations used child jockeys—boys trafficked form Pakistan, Bangladesh and Sudan—to ride camels in races. For a time, there were reports that the boys were being replaced with robotic jockeys but that attempt appears to have been short-lived. In July 2002, Sheikh Hamdan bin Zayed Al Nahyan announced a ban on child jockeys under 15, but in 2010, Anti-Slavery International photographed violations of the ban. A report in FrontPage Mag in December of 2011 said that the “Camel jockey slave trade [is] still alive and well.” The report noted that some of the Persian Gulf’s boy jockeys in training were “starved, beaten and sometimes sexually abused.” Death and serious injury, as well as damaged genitals, may result from jockeying. The child jockeys in the Persian Gulf were also often victims of trafficking from other countries—something that doesn’t seem to be happening to the child jockeys of Indonesia.

The Indonesian jockeys wear masks on their faces. We can’t help but wonder if it is a deliberate attempt to obscure the riders’ faces so that race fans can ignore the fact that children are risking their lives for their pleasure.

An owner embracing his horse after a winning ride. Adam Dean for The New York Times

Check out this boy who is resting after an injury—he looks so young and fragile:

Imam Dudu, 8, resting after a fall. Adam Dean for The New York Times

And the facial injuries to this rider:

Firmansyah, 8, who fell from his horse the day before, getting ready for another race.

Isn’t it time for this dangerous practice to end?

Our gratitude to Adam Dean for breaking this story and for his stunning photos. Thanks to the New York Times for this powerful expose.

Happy belated Labor Day!

/in Labor, Labor policy/by

I have an excuse for not writing a Labor Day Blog last weekI had a draft all written and then CNN ran a wonderful editorial with a very similar thesis. The gist was that without immigrants–many of whom are denied citizenship, pay taxes, and perform a vast number of jobs–this country couldn’t function. They build our skyscrapers, mow our lawns, take care of our children and parents, bus tables at our restaurants, drive our taxis, Lyfts, and Ubers, serve us at fast-food restaurants, and so much more. So, I’ll try a variation on my original theme.

All four of my grandparents were immigrants. My dad’s parents came over as children from Lithuania, and my mom’s were from Romania. They were poor and didn’t speak English. My maternal grandpa crossed the Atlantic in a ship in steerage (below the deck) with just a few bucks in his pocket. He worked as a delivery boy and went on to found a thriving company. Why did they choose America? To escape pogroms aimed at Jews, for freedom of religion, and for economic opportunity.

Sound familiar? These are precisely the reasons immigrants from Central and South America, Asia, and Africa seek refuge and, ultimately, citizenship in the United States.

Yes, my relatives came here legally, but the path to citizenship was easier at the turn of the 20th Century. You basically just needed to be healthy to be admitted. But that changed in the 1920s when anti-immigrant sentiments ran high. If my grandparents hadn’t emigrated, they likely would have been murdered by the Nazis–and I wouldn’t be here. That’s true for millions of Americans today.

Today’s immigrants have many more barriers thrown in their path. And why should they? They want what my family came for: economic and educational opportunity and to work hard while raising families without the constant fear of violence and poverty. To be sure, we need a sound immigration policy–that means screening those seeking to immigrate for criminal backgrounds or health concerns. But banning all but a trickle of certain “favored” immigrants is crazy and hurts both our economy and social fabric.

Whenever I hear virulent anti-immigrant rhetoric from the White House or elected officials, I want to ask, “didn’t your family immigrate here? Weren’t they seeking the very same things today’s immigrants want?” The answer, of course, is “yes.” That’s why proclamations like “build the wall” and “ban Muslims” are so offensive, unfair, and not at all in keeping with the famous words of Lady Liberty: “give me your tired, your poor, your wretched masses yearning to breathe free.” These are the words that should be the theme for celebrating Labor Day.