Internet, Information Technology & e-Discovery Blog


Social changes brought about by the Internet & Technology

How Will Google Respond to Renewed Antitrust Claims in the EU & US?

Posted in eCommerce

Estimates are that Google controls 90% of the search engine market in the EU, so it is no surprise that a recent report says the “EU’s antitrust investigation into Google’s business practices [focuses on] what have been identified as potential competition issues in the European markets.”  The eWeek report stated that the EU was interested because of the FTC investigation that was dropped in 2013 after 19 months, and now:

A European lawmaker has called on EU regulators to bring formal antitrust charges against Google after a document surfaced this week showing that the U.S. Federal Trade Commission had harbored strong concerns about the company’s business practices two years ago.

Google continues to grow as does the threat of antitrust actions.

Truste Pays $200,000 Fine for Breaching Contracts to Verify Privacy on 1,000+ Websites & FTC Oversight

Posted in eCommerce, Internet Privacy

“The Federal Trade Commission [FTC] has approved a final order resolving the Commission’s complaint against TRUSTe, Inc. for deceiving consumers about its privacy seal program,” as posted on the FTC website on March 18, 2015.  The FTC also stated that under the Order the FTC will have oversight for 20 years, in particular to make sure that Truste complies with the Children’s Online Privacy Protection Act (COPPA):

…requires the company in its role as a COPPA safe harbor to provide detailed information about its COPPA-related activities in its annual filing to the FTC, as well as maintaining comprehensive records about its COPPA safe harbor activities for ten years. Each of these provisions represents an increase in the reporting requirements laid out under the COPPA Rule for safe harbor programs.

Our privacy is not what it appears given Truste’s confession and payment of the $200,000 fine, and it is unfortunate that so many have relied on Truste’s privacy promises.

47 State Cybersecurity Breach Laws May be Replaced by Federal Law

Posted in Cyber, eCommerce


At a Senate hearing on cyberinsurance regarding notice to cyber victims, there was testimony that a uniform federal cybersecurity breach law to replace the laws in 47 states could help, because a uniform standard could “reduce the cost of breach responses and enhance consumer protection.”  The Senate Commerce Committee’s Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security began examining cybersecurity with two hearings in February:

The first hearing examined the National Institute of Standards and Technology (NIST)’s partnership with the private sector to improve critical infrastructure cybersecurity. NIST’s continuing role was codified in S. 1353, the Cybersecurity Enhancement Act of 2014 (P.L. 113-274), originally introduced by Commerce Committee Chairman John Thune (R-S.D.) and former Chairman Rockefeller (D-W.Va.).

The second hearing informed Committee efforts in crafting a federal data breach bill. Sen. Moran’s hearing on Thursday [March 19, 2015] will continue the Committee’s examination of cybersecurity issues.

It was reported that at the March 19, 2015 hearing Senator Jerry Moran (R-Kan.) said that cyber insurance:

…may be a market-led approach to help businesses improve their cyber security posture by tying policy eligibility or lower premiums to better cyber security practices.

Replacing the 47 states’ notification laws should help consumers who rely on cyberinsurance for these breaches, but only if the legislation is well drafted and considered.

Cybersecurity Risks for Boards and CEOs – Time to Work More Closely with CIOs and CISOs

Posted in Cyber, eCommerce

Recently there was a report about the Sony breach which stated that as “a result of this pervasive and devastating attack, combined with other breaches, cybersecurity is no longer a CIO problem, but now a CEO and board level problem, given potential for business disruption.” The InformationWeek DarkReading March 11, 2015 report entitled “6 Ways The Sony Hack Changes Everything” included as number “2. Cybersecurity risk is squarely a board and CEO issue”:

Boards and executives are going to have to deal with cybersecurity risk like they do with legal, regulatory, geopolitical, or labor risk. It has to be central to the way business leaders think, and a planning consideration for those keeping sensitive information or transacting commerce online.

CEOs must have the same view of the digital realm, working with the CIO and Chief Information Security Officer [CISO], to better understand the risk.

Also number “6. Business executives are now much more aware of cybersecurity risks” includes this insight:

Savvy CEOs and concerned outside board members are well-suited to ask tougher questions about cybersecurity risk more frequently, which will make their organizations more resilient to the risk of sophisticated attackers, or at least be more prepared when they experience a full-blown cybersecurity failure.

Insurance costs will increase as identified in number “5. Cybersecurity insurance and its coverage just got more expensive”:

To date, cybersecurity insurance has focused on covering the risk of data loss, including the cost to notify clients whose data was lost during a breach. The focus has been on that facet of cybersecurity risk, not total business interruption or full-blown disaster recovery. Sony Pictures probably changed the expected loss number, which will likely have a ripple effect across the industry, driving up cybersecurity insurance premiums.

Here’s the complete list of all 6 Ways Sony impacts everything:

  1. Company survival is now a central concern for companies dealing with cybersecurity risk.
  2. Cybersecurity risk is squarely a board and CEO issue.
  3. Sophisticated cyber attacks combined with a credible terrorism threat is a new hybrid.
  4. We are more susceptible to this attack, and have few options to respond.
  5. Cybersecurity insurance and its coverage just got more expensive.
  6. Business executives are now much more aware of cybersecurity risks.

Whether Sony should get the credit or not is beside the point; the critical point is that Boards and CEOs need to learn more and work more closely with CIOs and CISOs.

Legal Liability for Paying for Online Reviews for Automobile Shipment Broker that Confessed to Astroturfing

Posted in eCommerce

The Federal Trade Commission (FTC) announced a settlement with AmeriFreight “that will halt the company’s allegedly deceptive practice of touting online customer reviews, while failing to disclose that the reviewers were compensated with discounts and incentives.”  The FTC settlement on February 27, 2015 with AmeriFreight (an automobile shipment broker based in Peachtree City, Georgia) was for “failing to disclose that they compensated consumers for their online reviews.”  The FTC complaint specifically stated that AmeriFreight:

  • Provided consumers with a discount of $50 off the cost of AmeriFreight’s services if consumers agreed to review the company’s services online, and increased the cost by $50 if consumers did not agree to write a review;
  • Provided consumers with “Conditions for receiving a discount on reviews,” which said that if they leave an online review, they will be automatically entered into a $100 per month “Best Monthly Review Award” for the most creative subject title and “informative content”;
  • Contacted consumers after their cars had been shipped to remind them of their obligation to complete a review to receive the “online review discount,” and qualify for the $100 award;
  • Failed to disclose the material connection between the company and their consumer endorsers — namely, that AmeriFreight compensated consumers to post online reviews;
  • Deceptively represented that its favorable reviews were based on the unbiased reviews of customers.

The term astroturfing was not used by the FTC, but this is indeed an example of astroturfing since AmeriFreight admitted that it paid for reviews.

No Surprise – Identity Theft Tops FTC Consumer Complaints

Posted in eCommerce, Internet Privacy

The FTC (Federal Trade Commission) reported that ‘identity theft topped the FTC’s national ranking of consumer complaints for the 15th consecutive year.’  On February 27, 2015 the FTC issued its Consumer Sentinel Network report for 2014, which identified these Top Ten complaint categories (including the number of complaints and percentages) for 2014:

  1. Identity Theft (332,646; 13%)
  2. Debt Collection (280,998; 11%)
  3. Impostor Scams (276,622; 11%)
  4. Telephone and Mobile Services (171,809; 7%)
  5. Banks and Lenders (128,107; 5%)
  6. Prizes, Sweepstakes and Lotteries (103,579; 4%)
  7. Auto-Related Complaints (88,334; 3%)
  8. Shop-at-Home and Catalog Sales (71,377; 3%)
  9. Television and Electronic Media (48,640; 2%)
  10. Internet Services (46,039; 2%)

Since 1997 the FTC has collected “fraud and identity theft complaints, …has more than 10 million complaints, including those about credit reports, debt collection and mortgage assistance scams, among other subjects.” To collect these complaints the FTC established the Consumer Sentinel Network as a “unique investigative cyber tool that provides members of the Consumer Sentinel Network with access to millions of consumer complaints” about:

  • Identity Theft
  • Do-Not-Call Registry violations
  • Computers, the Internet, and Online Auctions
  • Telemarketing Scams
  • Advance-fee Loans and Credit Scams
  • Immigration Services
  • Sweepstakes, Lotteries, and Prizes
  • Business Opportunities and Work-at-Home Schemes
  • Health and Weight Loss Products
  • Debt Collection, Credit Reports, and Financial Matters

Given the headlines we read every day about identity theft on the Internet, it seems unlikely that we will see any changes in the complaint categories anytime soon.

Do You Still Rely on Yelp Reviews After Hearing that Yelp Sues Astroturfers?

Posted in eCommerce

Yelp’s lawsuit alleges a breach of the ToS (Terms of Service) by the defendants who “try to game the system and undermine that trust, by building businesses based on fraudulent reviews…” in addition to the more obvious trademark violations.  The February 13, 2015 lawsuit was filed in the US District Court for the Northern District of California, in which Yelp specified this from its ToS (last updated on November 27, 2012, which is about 296 “Internet Years”):

You agree not to, and will not assist, encourage, or enable others to use the Site to…Violate our Content Guidelines, for example, by writing a fake or defamatory review, trading reviews with other businesses, or compensating someone or being compensated to write or remove a review.

Yelp also states in the lawsuit that:

Yelp commits substantial resources to prevent fake, altered, or otherwise fraudulent reviews and to prevent improper or unlawful uses of the content and information available on the website, including spam.

Yelp enforces compliance with the Yelp TOS in a number of ways, including by developing sophisticated technology to detect and marginalize fake or suspicious reviews, investigating businesses that post or purchase fake reviews, working with regulatory authorities to crack down on such businesses, and warning consumers about such businesses through consumer alerts. Yelp also takes spam very seriously and does not tolerate third parties, like Defendants, attempting to spam businesses listed on Yelp with confusing, unwanted, and false messaging.

In the lawsuit Yelp sued Edward James Herzstock, Alec Farwell, and Melissa Scheinwald, doing business as Yelpdirector, Revpley, and Revleap, and Does 1 through 20 and requests damages and injunctive relief based on these causes of action:

  1. Federal Trademark Infringement;
  2. Federal Trademark Dilution;
  3. Federal Unfair Competition;
  4. Cybersquatting;
  5. Breach of Contract;
  6. Interference with Contractual Relations;
  7. California Unfair Competition; and,
  8. California False Advertising.

CBS News reported that defendant Alec Farwell (one of the owners of Revleap) said in an email to MoneyWatch that what the defendants are doing is:

…legal in all aspects of the law, and we specialize in only legitimate reviews from real customers. Yelp has filed completely false and unsubstantiated claims against our company. We aim to decrease defamation and increase awareness of free speech for businesses. We level the playing field for everyone who uses the internet or reviews on any site.

This case may help establish more specific guidelines for astroturfing, but it is obviously too soon to know.

Red Flags Employers Should Know about Rogue Employees

Posted in eCommerce


A recent InfoWorld story included 7 Red Flags about employees, regarding when “someone you admired, trusted, and invested yourself in ends up embezzling from the company, illegally accessing private emails, or using customer credit card data to buy computer equipment for their home, your incorrectly placed trust in that person will haunt you.”  The March 2, 2015 story, entitled “7 warning signs an employee has gone rogue,” included “Red flag No. 6: Never takes vacation,” which should be a dead giveaway given these comments:

I once worked with a woman who had been at the company for more than four decades. She was a hard worker, loved by everyone, although a bit cranky at times. She also never took a vacation, even when threatened. I was her boss for five years. At every annual review I would note that she didn’t take a vacation and I would cajole her to take one. She would say something nice or funny in response and say she would soon. But the next year would roll around and still no vacation.

The third year I threatened to fire her if she wouldn’t take a vacation. I even marked down her review score and reduced her bonus. Still she did not take a vacation, but I couldn’t follow through with the threat. She had been with the company so long, and I had a soft spot for her, as everyone did.

In the fifth year we forced her to take a week’s vacation. Lo and behold she continued to show up during the week to “see how things were going” in her absence. I physically had to escort her off the premises. I was truly worried about her health given how much she worked.

Then the checks started to arrive — it turned out she was getting kickback checks from all sorts of telco-related companies for more than 20 years. She had also given her son a job doing telco in the company, one for which he never showed up, and the company was paying for both their cars. In total, she had stolen more than half a million dollars over the course of 20 years.

Here is the entire list of Red Flags:

Red flag No. 1: Unexpectedly fails background check

Red flag No. 2: Says past employers didn’t trust them

Red flag No. 3: Knows information they shouldn’t

Red flag No. 4: Says they can hack a coworker or company systems

Red flag No. 5: Switches screens away from company assets as you walk up

Red flag No. 6: Never takes vacation

Red flag No. 7: Leaves the company angry

Obviously all employers should be alert to rogue employees, and this list should be self-evident!

More Cyber Criminals Targeting your Identity, Including Bad Guys in China!

Posted in eCommerce, Internet Privacy

According to a recent report, groups in “China continue to target Western interests, but there has been a shift in focus from the theft of intellectual property to identity information.” The report drew these conclusions from a February 23, 2015 HP report entitled “HP Security Research, Cyber Risk Report 2015,” which also stated:

Activity in the cyber underground primarily consists of cyber crime involving identity theft and other crimes that can be easily monetized.

The 7 key themes of the HP Report are:

Theme #1: Well-known attacks still commonplace – Based on our research into exploit trends in 2014, attackers continue to leverage well-known techniques to successfully compromise systems and networks. Many vulnerabilities exploited in 2014 took advantage of code written many years ago—some are even decades old.

Theme #2: Misconfigurations are still a problem – The HP Cyber Risk Report 2013 documented how many vulnerabilities reported were related to server misconfiguration.

Theme #3: Newer technologies, new avenues of attack – As new technologies are introduced into the computing ecosystem, they bring with them new attack surfaces and security challenges.

Theme #4: Gains by determined adversaries – Attackers use both old and new vulnerabilities to penetrate all traditional levels of defenses. They maintain access to victim systems by choosing attack tools that will not show on the radar of anti-malware and other technologies.

Theme #5: Cyber-security legislation on the horizon – Activity in both European and U.S. courts linked information security and data privacy more closely than ever. As legislative and regulatory bodies consider how to raise the general level of security in the public and private spheres, the avalanche of reported retail breaches in 2014 spurred increased concern over how individuals and corporations are affected once private data is exfiltrated and misused.

Theme #6: The challenge of secure coding – The primary causes of commonly exploited software vulnerabilities are consistently defects, bugs, and logic flaws.

Theme #7: Complementary protection technologies – In May 2014, Symantec’s senior vice president Brian Dye declared antivirus dead and the industry responded with a resounding “no, it is not.” Both are right. Mr. Dye’s point is that AV only catches 45 percent of cyber-attacks, a truly abysmal rate.

No surprises in this HP report!

Watch Out! Your Computer Probably has Spyware Courtesy of the US Government!

Posted in Internet Privacy

Apparently the US National Security Agency (NSA) “has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world’s computers, according to cyber researchers and former operatives,” as reported by Reuters on February 16, 2015.  Reuters relied on a former NSA employee who confirmed the allegations, which were presented in Kaspersky Lab’s report entitled “Equation Group: Questions and Answers,” which stated that this malware has been around since 1996 and that:

The Equation group is probably one of the most sophisticated cyber attack groups in the world; and they are the most advanced threat actor we have seen.

The report identified victims in more than 30 countries including the US in these categories:

  • Governments and diplomatic institutions
  • Telecommunication
  • Aerospace
  • Energy
  • Nuclear research
  • Oil and gas
  • Military
  • Nanotechnology
  • Islamic activists and scholars
  • Mass media
  • Transportation
  • Financial institutions
  • Companies developing cryptographic technologies

Cannot imagine any other category, so I guess that means everyone on earth. What do you think?