Major Breach of Internet Security at LinkedIn and eHarmony

As explained in this AP story, "Business social network LinkedIn and online dating service eHarmony said Wednesday that some of their users’ passwords were stolen and millions appear to have been leaked onto the Internet."

I work for a large employer, and our IT director just emailed the entire community saying (1) if we have accounts with LinkedIn or eHarmony, we should immediately change our passwords; and (2) if we use the same password for other online sites or services, we should change those passwords too.

Questions: (1) Have there been serious adverse consequences from similar past leaks of online passwords and other private information? (2) What policies would tend to prevent similar future leaks? (3) What policies or actions tend to mitigate the adverse consequences of these types of leaks once they have occurred?

Story About Bad Debt Collection Practices and Possible Gap in the Law

Read this story from the New Jersey Star Ledger.

The Push to Kill Civil Legal Services for Poor People

Heather Rogers has written "The relentless push to bleed Legal Services dry." Congress created the Legal Services Corporation (LSC) in 1974 to provide civil legal representation to poor people. In 1981, Ronald Reagan set out to kill LSC. He didn't succeed -- entirely. But he achieved a 25% budget cut, taking the annual appropriation to $321 million, and things have gone downhill since then. The current fiscal year appropriation is just $348 million. (1981 funding in real, inflation-adjusted terms would require $812 million.) That's right -- $348 million to provide civil legal services to all 46 million Americans living in poverty. Rogers explains that political support for LSC is so weak that most of LSC's friends in Congress are just looking for small increases (and spend most of their effort fighting cuts). Worth reading.

GOP Continues Efforts to Hamstring CFPB

Here.  To understand why the Bureau needs the same resource independence as other financial regulators, see here.

Study of Clickwrap/Privacy Policy Terms

 

Jay P. Kesan

,

Carol M. Hayes

, and

Masooda Bashir

, all of Illinois, have written Consumer Privacy Choices, Informed Consent, and Baseline Protections to Facilitate Market Transactions in the Cloud.  Here's the abstract:

So many of our daily activities now take place 'in the cloud,' where we use our devices to tap into massive networks that span the globe. Virtually every time that we plug in to a new service, the service requires us to click the seemingly ubiquitous box indicating that the user has read and agrees to the provider’s Terms of Service and Privacy Policy. If a user does not click on this box, he is denied access to the service. It is generally accepted that no one reads these agreements. They click accept, because otherwise they could not use the service of their choice, and these terms are typically almost entirely disregarded as a factor when services are chosen. If a user is asked why he does not read these terms, he might offer reasons like the dense legalese, or the length of these agreements.

However, not reading these agreements can have negative effects. Some agreements contain binding arbitration provisions, limiting the agreeing party’s avenues for redress if the provider wrongs him. When a user is not informed about the terms of a privacy policy, she may be unknowingly consenting to the disclosure of her information to third parties with whom she would not want to share her information. These agreements can also affect the agreeing party’s legal rights. The Department of Justice has argued that violating a website’s Terms of Service amounts to a violation of the Computer Fraud and Abuse Act. Additionally, agreeing to overbroad privacy policy terms could reduce a party’s protections under the Stored Communications Act and the Fourth Amendment.

As part of this work, we analyzed and categorized the terms of TOS agreements and privacy policies of several major cloud services to aid in our assessment of the state of user privacy in the cloud. Our empirical analysis showed that providers take similar approaches to user privacy, and were consistently more detailed when describing the user’s obligations to the provider than when describing the provider’s obligations to the user. This asymmetry, combined with these terms’ nonnegotiable nature, led us to conclude that the current approach to user privacy in the cloud is in need of serious revision.

Privacy and autonomy, values necessary for a free society, are threatened by the asymmetric terms and unawareness of parties agreeing to such terms. Based on analysis of the law, theories of privacy developed by scholars, findings of research into human-computer interaction, and an analogy to the ethical guidelines of informed consent followed by social science researchers, we propose the following modest but realistically achievable goals to advance user privacy in the cloud.

First, we suggest adopting a legal regime that requires companies to provide baseline protections for personal information and also take steps to enhance the parties’ control over their own data. We view data control as consisting of two parts: 1) data mobility, where consumers are assured the ability to move course-of-business data from one provider to a competing provider at will, without encountering lock-in problems due to formatting issues; and 2) data withdrawal, where consumers have the right to serve notice and takedown orders on entities that possess and use the consumer’s personal information against the consumer’s wishes.

Second, we argue that collectors and users of personal information in the cloud should be held to ethical guidelines mandating informed consent to facilitate informed contracting. Adopting an approach that is consistent with the informed consent standards required of social science researchers, we view informed consent as consisting of five elements: 1) disclosure, 2) competence, 3) comprehension, 4) voluntariness, and 5) agreement.

Third and finally, we propose that a multi-tiered approach to privacy be mandated by regulations, requiring companies to make heightened privacy protections available to consumers. By mandating choice, we are creating a market where consumers have meaningful choices regarding the level of privacy being afforded, and the existence of these privacy choices will facilitate market transactions. Ultimately, our goal with this piece is to apply established law and privacy theories to services in the cloud, and set forth a model for the protection of information privacy that recognizes the importance of informed users.

Taxmaggedon and the Deficit

The claim that we are heading toward Taxmaggedon is built on the idea that recent tax cuts are set to expire at the end of 2012 and, that, therefore, if Congress doesn't do something after the election, taxpayers will be hit with a signficant tax increase all at once, harming taxpayers with modest incomes and possibly slowing economic recovery. We discussed the issue critically here and followed up here. But allowing taxes to go back to their previous levels would greatly reduce the deficit, while both parties' Taxmaggedon "solution" will bloat the deficit. The Republicans, for instance, want all the Bush II income tax cuts to stay in place. That would add $4 trillion to the deficit over the next decade according to the Congressional Budget Office. President Obama's plan -- which would keep the cuts in place for everyone except those earning over $250,000 per year -- would add a mere $3 trillion to the deficit over the same period. Read about it here.

Disney To Promote Healthy Foods and to Ban Junk Food Ads on Its Programming Aimed at Kids

This may be a big deal, and Michelle Obama's anti-obesity campaign may have played a big role in making it happen. Here's an excerpt from a New York Times article:

The Walt Disney Company, in an effort to address concerns about entertainment’s role in childhood obesity, announced on Tuesday that all products advertised on its child-focused television channels, radio stations and Web sites must comply with a strict new set of nutritional standards. The restrictions on ads extend to Saturday-morning cartoons on ABC stations owned by Disney. Under the new rules, products like Capri Sun drinks and Kraft Lunchables meals — both current Disney advertisers — along with a wide range of candy, sugared cereal and fast food, will no longer be acceptable advertising material. The initiative, which Disney revealed at a Washington news conference with the first lady, Michelle Obama, stretches into other areas. For instance, Disney will reduce the amount of sodium by 25 percent in the 12 million children’s meals served annually at its theme parks, and create what it calls fun public service announcements promoting child exercise and healthy eating.

More on People With Large Incomes Who Pay No Taxes

We told you last week about a recent IRS report on that topic. And, today, there's an op-ed on the same subject by Bruce Bartlett. Bartlett says that the number of high-income people paying no tax is on the rise, and he explains that while present-day conservatives don't seem concerned both Richard Nixon and Ronald Reagan were.

High Fructose Corn Syrup and the Obesity Epidemic

We told you recently about the high fructose corn syrup industry's unsuccesful effort to get the FDA to rename its product. Now, in this column, David Lazarus explains a possible connection between the FDA's decision and efforts to stem the obesity epidemic.

More on Supreme Court FDCPA cert grant

Last week, we told you about the Supreme Court's grant of review in a Fair Debt Collection Practices Act case. Read this report on the case, which emphasizes the issue on which the Court did not grant review.