Day: 8 August 2019

The rollercoaster of stories that followed last month’s settlement between the FTC and Equifax was truly something to behold. The FTC touted its value, which critics excoriated as inadequate. Articles soon explained how to get a cash settlement for those who already have a credit monitoring service, but were quickly followed by those arguing that the widely-publicized $125 figure was dependent on the number of claimants for a $31 million pool. Some, like Karl Bode at Vice, said that the “FTC should fine itself for false advertising” after claiming that those affected could be eligible for $125.

I don’t think this fully grasps just how badly the FTC blew this settlement, and primarily for a reason almost entirely unrelated to the confusion about the $31 million fund for credit monitoring payouts.

I was among many who got this wrong when I repeated the claim of the $125 payout, and also in my summary of why that $125 figure may be incorrect, so I thought it would be valuable to go back to the settlement itself to explain why this is a raw deal. In its press release, the FTC summarized the divvying up of the $575–700 million settlement:

  • $100 million is paid as a fine to the Consumer Financial Protection Bureau

  • $175 million is paid to settle cases brought by 48 states, plus Washington D.C. and Puerto Rico

  • $300 million is set aside for a consumer restitution fund, which would compensate individual claimants directly

It’s that last bucket of cash in which two specific piles of money reside. The first is a $31 million pool for alternative payouts for credit monitoring, which the FTC required Equifax provide to claimants. But if a claimant already has credit monitoring, they can opt to be paid up to $125 instead. And we will get to that “up to” in a moment.

A second pool, also of $31 million, is to be used to compensate claimants for time spent dealing with the settlement. For example, if a claimant spent an hour on the phone with an Equifax representative to get their credit frozen, that would be paid out of this second pool.

The remainder of the $300 million is to be set aside for direct out-of-pocket losses arising from the breach, such as those stemming from fraud, identity theft, and so forth. None of the money from this settlement will be given back to Equifax, but the details are not as simple as the FTC portrayed, either.

I want to get the matter of the $31 million buckets out of the way first, and I think Lily Hay Newman of Wired explains it perfectly:

But not all is lost, and there’s still a decent chance that Equifax will pay you all $125. As Slate points out, the $31 million cap will lift, assuming Equifax hasn’t spent all of the $425 million in its “Consumer Fund” — money it has committed to things like covering people who can specifically document losses stemming from the breach — in four and a half years. At that point, whatever’s left of that $425 million will be applied to the $125 payouts, presenting much better, if belated, odds.

Like all things Equifax, this does not come without a caveat. Even if the full $425 million in the consumer restitution bank account goes towards $125 payments for compensation of credit monitoring services, that amount would only support the claims of 3,400,000 people. Over forty-three times that number were affected by this breach.

Also, because this bucket is part of a pile of money with broader scope, those claims will be mixed with requests for compensation of time spent, as well as direct losses from fraud.

A bigger problem still is that this settlement is designed to mitigate the financial damage to consumers. That would be handy if this data were stolen for economically opportunistic reasons, but that doesn’t seem to be the case. A February report from Kate Fazzini at CNBC noted that no Equifax breach data had surfaced anywhere, despite financially-motivated hackers usually publicizing their haul with urgency.

A more likely scenario is that those responsible for exfiltrating Equifax’s files were state actors. A Bloomberg story from September 2017, citing investigators and those briefed on their findings, claimed that China was a likely culprit, though another country could be responsible.[1] It is likely that the data stolen — which comes from a financial firm, making it ostensibly more accurate than any old data dump — could be combined with other sources to target specific individuals, per Fazzini’s reporting and Bloomberg’s story.

This settlement does nothing to dissuade state actors from continuing to pilfer sensitive data, nor does it encourage care for those who stockpile information like this. Of course, the FTC has limited scope and powers. It could not accomplish the former, but it certainly could attempt the latter.

Instead, the Commission agreed to a weak deal that barely impacts Equifax’s financial status and does little to encourage better behaviour in data-hoarding industries. Even if this were a financially-motivated crime, this settlement does not protect those affected. But this breach was so much more, and this settlement doesn’t begin to address the far more serious and more likely rationale.


  1. I am obligated to point out that this Bloomberg story bears in its byline the two reporters responsible for the inaccurate “Big Hack” feature.

     By the way, that story just won the Black Hat Pwnie for the most overhyped bug. Congratulations — I guess? — Michael Riley and Jordan Robertson.

Kate Clark, TechCrunch:

$5.2 billion in net losses represents the company’s largest-ever quarterly loss. Revenue, for its part, is up only 14% year-over-year, igniting concerns over slower-than-ever growth. The company says a majority of 2Q losses are a result of stock-based compensation expenses for employees following its May IPO. Stock compensation aside, Uber still lost $1.3 billion, up 30% from Q1.

Aaron Gordon, Jalopnik:

But you math whizzes out there will note that leaves approximately $1.3 billion in regular ol’ we-just-lost-a-buncha-money losses, up from $1 billion last quarter and $878 million a year ago.

[…]

As of this writing, Uber has lost $16.2 billion since 2016.

How is this investor-subsidized pirate taxi operation not considered predatory?

Kim Zetter, Vice:

For years, U.S. election officials and voting machine vendors have insisted that critical election systems are never connected to the internet and therefore can’t be hacked.

But a group of election security experts have found what they believe to be nearly three dozen backend election systems in 10 states connected to the internet over the last year, including some in critical swing states. These include systems in nine Wisconsin counties, in four Michigan counties, and in seven Florida counties — all states that are perennial battlegrounds in presidential elections.

Some of the systems have been online for a year and possibly longer. Some of them disappeared from the internet after the researchers notified an information-sharing group for election officials last year. But at least 19 of the systems, including one in Florida’s Miami-Dade County, were still connected to the internet this week, the researchers told Motherboard.

A reminder that proposals to fund increased election security are being blocked by Senate Republicans. Also, it remains unclear to me what glaring problems exist with paper ballots which are solved by electronic voting machines.

I’m not sure why, but the hottest topic right now in technology ethics seems to be Section 230 of the Communications Decency Act, and I’m already hearing the snoring of half of the people reading this post. This latest round of discussion was perhaps spurred by the ridiculous bill brought by Josh Hawley, which resulted in horrible articles in mainstream publications — one in the New York Times, and another in Bloomberg.

Moderation powers, more generally, have become newsworthy after Cloudflare dropped 8chan in the wake of revelations that the terrorist responsible for the two-hundred-ninety-first mass shooting of 2019 in the U.S. posted his manifesto on the discussion board. Jennings Brown of Gizmodo found this to be a symbolic and ineffectual gesture.

I think Ben Thompson’s take is well-rounded:

This third point is a valid concern, but one I, after long deliberation, ultimately reject. First, convenience matters. The truly committed may find 8chan when and if it pops up again, but there is real value in requiring that level of commitment in the first place, given said commitment is likely nurtured on 8chan itself. Second, I ultimately reject the idea that publishing on the Internet is a fundamental right. Stand on the street corner all you like, at least your terrible ideas will be limited by the physical world. The Internet, though, with its inherent ability to broadcast and congregate globally, is a fundamentally more dangerous medium. Third, that medium is by-and-large facilitated by third parties who have rights of their own. Running a website on a cloud service provider means piggy-backing off of your ISP, backbone providers, server providers, etc., and, if you are controversial, services like Cloudflare to protect you. It is magnanimous in a way for Cloudflare to commit to serving everyone, but at the end of the day Cloudflare does have a choice.

One nitpick I have with Thompson’s piece is that he compares Cloudflare’s decision to net neutrality:

To be perfectly clear, I would prefer that 8chan did not exist. At the same time, many of those arguing that 8chan should be erased from the Internet were insisting not too long ago that the U.S. needed to apply Title II regulation (i.e. net neutrality) to infrastructure companies to ensure they were not discriminating based on content. While Title II would not have applied to Cloudflare, it is worth keeping in mind that at some point or another nearly everyone reading this article has expressed concern about infrastructure companies making content decisions.

I see these as vastly different concerns. Internet service providers are utility providers. All of your web traffic from the same location goes through the same ISP, so it’s truly infrastructural. Cloudflare is entirely unlike that: it’s something that a web engineer can insert into the technology stack between their web host and incoming connections. It feels infrastructural, but it isn’t.

That nitpick aside, this is an excellent piece.

Shawn Wilkins:

Over the years, I’ve become exceptionally privy to websites that lack depth when it comes to having people of color on their teams. The first site that I noticed was BGR. BGR has put up some questionable articles in the past, but to say their site isn’t one of the smaller-yet-respectable ones around when it comes to tech news, information, leaks, and rumors, would be misguided. As one of the first sites I wanted to explore when applying for jobs, this one hit the worst. Their team lacks any people of color or any other groups outside of “white 20s-30s male”. But this post isn’t just about BGR alone. If you name a tech-based site, chances are you see the same kind of results in various degrees throughout. Some have one or two POC writers, some have a plethora, others have none at all and are absurdly brazen about it to the point of tone-deafness or a lack of awareness – possibly both.

It is bafflingly myopic for the press covering an omnipresent industry to continue to rely upon mostly white and mostly male voices.

John Voorhees, MacStories:

When my lease was up earlier this year, CarPlay support was at the top of the list of must-have features when we began looking for a new car. We wound up leasing a Nissan Altima, which has a faster entertainment system, larger touchscreen, and better hardware button support for navigating CarPlay’s UI. The hardware differences took a system I already loved to a new level by reducing past friction and frustrations even though the underlying software hadn’t changed.

Just a few weeks after we brought the Altima home though, Apple announced that it would update CarPlay with the release of iOS 13 this fall. In a jam-packed keynote, CarPlay got very little stage time, but I was immediately intrigued by the scope of the announcement. CarPlay hasn’t changed much since it was introduced in 2014, but with iOS 13, iPhone users can look forward to not only significant improvements in its design, but a new app and other features that make this the biggest leap forward for CarPlay to date.

As it was for Voorhees, CarPlay support was a primary deciding factor when we were shopping for a car last year. Once you have it, it’s hard to imagine a vehicle replacement without it.

I can testify to the mostly-wonderful updates to CarPlay after spending two months with iOS 13 and, in particular, after a lengthy road trip last week. The new Dashboard view is excellent.

One of the more frustrating aspects of CarPlay was how it would directly mirror whichever app was frontmost on the connected iPhone. If the driver was relying on Maps directions, for example, and the passenger wanted to change the playlist, opening the Music app on the iPhone would switch to the Music app in CarPlay, too. That’s solved in iOS 13; CarPlay runs more independently of the iPhone, which is a boon on a road trip.

One limitation that still exists is that turn-by-turn directions take over the Maps app in both CarPlay and on the connected phone. When we wanted to find a gas station or restaurant in the next town, the passenger would have to end turn-by-turn directions before being able to search Maps. I kind of understand the technical limitation here and, on a highway, it’s not a big deal to keep driving in a straight line, but it still feels like something that should be possible.

Also in Maps, I’ve found that its ability to recognize a likely next destination is spotty at best. I added motel bookings as calendar events with addresses, but Maps never once suggested these as destinations, even though CarPlay now includes a Calendar app.

Siri still has problems. I have cellular data disabled in Music because I only want to use my local library with my metered plan. Asking Siri to play a particular album or artist within my local library would always fail with the same message of needing to connect to WiFi first, suggesting that it was only searching Apple Music. It’s frustrating if you want to safely change your playlist.

Otherwise, I think that iOS 13 presents plenty of improvements to CarPlay. If you have a car and it supports CarPlay, you’re going to love these changes when the update ships next month.