Corporate sneakiness. Government waste. Technology run amok. Outright scams. Our effort to unmask these 21st Century headaches and offer solutions that save you time and money.
  • 14 hours ago

    Facebook: Friend or foe? A Google+ Hangout discussion May 18, 4 p.m.

    By Bob Sullivan

    As Wall Street renders its opinion of the social media behemoth’s upcoming initial public offering, msnbc.com will host a discussion about Facebook’s key product – your privacy. Can sharing coexist with privacy? How should consumers balance the desire to connect with the need to protect precious details about their personal lives? Should government regulators do more? Are privacy advocates crying wolf? A recent survey suggests most Facebook users don’t trust the company. Do you? What questions do you have?

    The Red Tape Chronicles' Bob Sullivan will moderate a discussion about social media -- including Facebook and other services, like Google Plus -- and privacy issues with:

    • Steve Rubel, executive vice president for global strategy and insights at Edelman, the world’s largest independent public relations firm. He’s also a frequent social media commentator.
    • Jeff Fox, technology editor at Consumers Union. He was responsible for this month’s Consumer Reports cover story on Facebook and privacy.

    You can log into the Google+ Hangout on Friday at 4 p.m. ET/1 p.m. PT at http://redtape.msnbc.com/privacy. Post questions/comments there or via Twitter using hashtag #talkprivacy.

    Or visit msnbc.com's Google Hangout. 

  • 5 days ago

    The FBI took -- and mysteriously returned -- their server. Here's their story

    Presumed FBI agents reinstall a server seized from MayFirst/PeopleLink. The bureau won't say why it took it or why it returned it in such an unusual manner. Msnbc.com's Dara Brown reports.

    By Bob Sullivan

    Ever wonder what it's like to have FBI agents knock on your door? Or to have them walk into your business unannounced and walk away with your computer?  Jamie McClelland and Alfredo Lopez can tell you.

    Their recent run-in with the men in black -- the result of a spate of email bomb threats to the University of Pittsburgh -- offers a rare glimpse into the collision between free speech rights and the benefits of anonymity on one side and the needs of law enforcement to act quickly in the face of real threats on the other.

    Their tale ends with an odd twist: FBI agents, caught on video, returning the server only four days after it was seized from a co-location facility in New York City. At the moment, no one knows why the FBI would take that unusual step. FBI Special Agent Bill Crowley said the agency wouldn't comment on either the seizure or the return of the server.

    Federal investigators and local officials in Pittsburgh were scrambling last month as bomb threats targeting the University of Pittsburgh piled up. Within days, 46 such threats were logged, causing massive disruption as students and teachers were continually evacuated from building after building.  Parents and school officials pressured law enforcement to solve the case. For some reason, the FBI thought a server in a small facility in New York City might contain a crucial clue.


    McClelland and Lopez run a progressive Internet organization called MayFirst/PeopleLink, which helps democracy-seeking groups around the world use the Web to organize. Together with sister organization RiseUp, MayFirst/PeopleLink offers email services, mailing list support and other Web tools. But their services make a promise that's critical to people fighting oppressive regimes: All data is encrypted, guaranteeing total anonymity to those who need it.

    McClelland was on a conference call in MayFirst/PeopleLink's Brooklyn office -- which is in the same building where Lopez and his wife live -- on April 11 when he saw two men in suits standing at the door.

    "I thought they were Jehovah’s Witnesses, but I joked with people on the call that it was the FBI," he said.  Moments later, it was no joke.

    The agents flashed their badges and asked if they could come in; McClelland refused.  They asked if they could step into the vestibule. He refused again.

    "I had had some rudimentary training,” he said. “It certainly had occurred to us that we might some day get a visit from the FBI given the nature of what we do. But this wasn't what I expected. I was surprised at how easy it was to say ‘no’ to them...There was no intimidation, none of that. The agent appeared more nervous than me, and I was pretty nervous."

    Standing outside, the agents then showed printouts of a few emails with full headers to him, saying they were related to the Pittsburgh bomb threats. At that point, McClelland hadn’t  heard about the threats, so he said he didn't know anything about them. They asked if he knew anything about ECN.org, a server which appeared in the e-mail headers. Again, he said “no,” truthfully.

    "I asked if I could have copies of the emails. The agents said “no.” But I then asked if I could get pen and paper and write down details of what we were looking at. They let me do that," McClelland said. "I then asked them if they thought our server was compromised. But they couldn’t tell me anything. So I asked for their business card and told them we would research it."

    The agents left, but McClelland’s day had only just begun. What was ECN.org? Why did the agents show up unannounced? And most important, what would happen next? He was sure that wasn't the end of it.

    "When you are visited by the FBI, even when it goes relatively easy like it did, your entire life gets put on hold as you deal with all the implications," he said. McClelland called Lopez and other leadership team members, and then called the Electronic Frontier Foundation for legal help.

    “There were three hours of calls to run through things and make sure we had everything covered," he said.

    Initially, Lopez and McClelland assumed that one of their members had been hacked, and the account used for illegal purposes. Simply patching whatever security hole existed could end the problem. But a visit to ECN.org indicated there was a much more complex issue.

    ECN stands for the European Counter Network, an independent Internet service provider in Europe. It shares much the same mission as MayFirst/PeopleLink. On ECN.org, the provider offers anonymous email services through a service called "Mixmaster." Using Mixmaster, email users can achieve nearly undefeatable anonymity -- multiple servers pass messages from one to the other, each time stripping out header information and replacing it with false data, making it nearly impossible for investigators to "trace" the message to the original sender. 

    ECN had subcontracted space on RiseUp's New York City server; RiseUp had in turn subcontracted that space from MayFirst/PeopleLink.  It now appeared that the FBI believed someone connected to the Pittsburgh bomb threats had used ECN's anonymous email capabilities, which led to FBI agents knocking on the door at Alfredo Lopez's home office.

    "If you had asked me before this happened if one of our members ran an anonymous remailer, I would have said, 'probably,' " said McClelland. "That's exactly the kind of thing we want to support and we want to protect."

    When correctly configured, anonymous remailers leave no trace at all. There are no log files to check, no other server "fingerprints." After making sure the server was running properly, McClelland called the FBI agent on the business card and told him all he knew about ECN, which essentially was nothing.

    "We told him we suspected there was an anonymous remailer, there's nothing else we can tell you," he said. "We decided that was our best strategy ... to minimize disruption to our members. We didn't want to risk going to the next level of escalation."

    The strategy failed. The next day, MayFirst/PeopleLink received a subpoena demanding that the organization answer a series of questions about its server. With help from the EFF lawyer, they sent the responses on Monday, April 16.

    "At that point, we thought everything was OK, that we were done, and ready to move on," he said. 

    Then on Wednesday, April 18, at around 6 p.m., things took a turn for the worse.

    "I got a call from a tech who said, 'Jamie, the server isn't responding.' So he went to look for it in the rack and found that it was gone," McClelland said.

    Later, Lopez and McClelland would learn that the FBI had produced a search warrant when it showed up at the XO Communications Manhattan server farm, where the MayFirst/PeopleLink server was housed, which gave agents the right to take the box. But at the time, they could only guess what happened.

    "We filled out a help ticket that said, 'Our server is missing.'  We've never done that before," McClelland said.  "I can't emphasize enough that we received no communication from the FBI. From a human point of view, that is atrocious. But from a legal point of view, they don't have to do any more."

    The impact was immediate, and devastating, for both MayFirst/PeopleLink and RiseUp. Hundreds of mailing lists, websites and email accounts were immediately knocked offline.

    “The FBI is using a sledgehammer approach, shutting down service to hundreds of users due to the actions of one anonymous person,” Devin Theriot-Orr, a spokesperson for RiseUp, said  in a statement at the time. “This is particularly misguided because there is unlikely to be any information on the server regarding the source of the threatening emails.”

    While Lopez was scrambling to find a way to get the organizations back online, a camera with motion detection capabilities was installed at the server facility by an assistant.

    "We thought it was a little like shutting the barn door after the horse ran out, but we did it anyway," McClelland said.

    Generally, when FBI agents seize computers as part of an investigation, they're not returned for months, or even years. But within a week, a worker in the server room noticed that the motion detector camera had been activated on April 23. When he looked at the video, the tale took an even more unusual turn.

    The video shows two men in suits -- apparently FBI agents -- placing the server back in its rack.  But the box isn't merely dropped off. The two appear to be plugging it in, and then watching the machine for a few minutes, perhaps looking to see if it is operating correctly.

    Why would they do that? The FBI refused to answer a question about that.

    But Lopez has a theory. There's only one way to defeat most anonymous email services: to compromise the computer that processes the emails with special software -- a virus -- that could defeat the anonymizing software.

    "There was not even a scintilla of expectation that this server would return to our rack. It's the most amazing thing," Lopez said. "It's possible they put device on it or a virus or Trojan of some kind." 

    MayFirst/PeopleLink later posted the FBI agent video online. The agency hasn't commented on it.

    The server has not been returned to service; the organization is currently auditing the machine to see if it has been tampered with.

    "I can tell you that's the burning question in my mind. We are planning on doing a full diagnostic on server to see if we detect anything on server," McClelland said. 

    But even if it hasn't been tampered with, Lopez said he's outraged that U.S. federal agents would compromise Internet access for global groups fighting for democratic rights while hunting for evidence that doesn’t exist.

    "Look at the atrocity of them going in and taking a computer ... and disrupting all this information, and potentially getting all this information from hundreds of people not even accused of a crime," Lopez said. "This is serious … for people all over the world who depend on this stuff for their day to day work. To have it taken away by some other government, it's really unfair to them in every conceivable way."

    The Mixmaster service was uninterrupted by the server seizure; anonymous messages were simply routed through other servers.

    MayFirst/PeopleLink and RiseUp both told their members that no identities were compromised during the FBI seizure -- all data on the server is encrypted and there's no reason to believe the encryption was compromised. Still, U.S. government action against anonymous Web services could have a dangerous chilling effect, fretted Lopez.

    "In some parts of the world, privacy and anonymity are a matter of life or death," he said. "These services are used for important work, and in many countries, they are the only way to communicate without putting yourself in serious danger."

    The Electronic Frontier Foundation issued a statement last week accusing the FBI of "overreaching."

    "The fact that the FBI's investigation led them to an anonymous remailer should have been the end of the story. It should have been obvious that digging deeper wouldn't lead to helpful information because anonymous remailers don't always leave paper trails," wrote Hanni Fakhoury. "So enough is enough. The government's ability to search a person and their property -- and in this case, shut down speech -- is an extraordinary power that can easily be abused. Law enforcement needs to do its research before resorting to an extremely intrusive search warrant that intrudes on innocent people's privacy, causes significant disruption to harmless activity, and silences speech. And as we've argued before, search warrants for electronic devices shouldn't be limitless."  

    Lopez, who has two children in their 30s, said he understands why parents in Pittsburgh were concerned for their children's safety during the repeated bomb scares.  But he warned that repression often begins with "people who mean well."

    "These people making the threats, these are jerks, nobody wants to protect them," he said. "But what do you give up when you give up freedom in exchange for the illusory feeling of security?  You can't trample people's rights because when you do, the terrorists have won."

    The Pittsburgh bomb threats stopped on April 21. No bombs were found. There have been arrests in connection with the incidents, but authorities are still investigating.

  • 7 days ago

    Bill would make Facebook snooping, digital spying by employers illegal

    By Bob Sullivan

    Legislation that would give workers broad protection from the prying eyes of employers was introduced in both houses of the U.S. Congress on Wednesday. Both bills would make it illegal for employers to force workers or candidates to divulge social media passwords, similar to legislation nicknamed SNOPA, which was introduced last month. But the new Password Protection Act, sponsored by Sen. Richard Blumenthal, D-Conn., goes even further, extending such limitations to smart phones, private email accounts, photo sharing sites and any personal information that resides on computers owned by the workers.

    But Blumenthal's proposal -- and its companion in the House, introduced by Rep. Ed Perlmutter, D-Colo. -- is narrower in some ways than the Social Networking Online Protection Act (SNOPA) introduced April 27 by Rep. Eliot Engel, D-N.Y. SNOPA extended similar protections to elementary, high school and college students. Under the Password Protection Act, students would not be protected.

    Still, Blumenthal's legislation is "a good start," said Chris Calabrese, a lawyer for the American Civil Liberties Union. "We feel like it's a very flexible standard. It extends to your iPhone, to information you have on Google and anything else that may come up in the future that we haven't thought of yet."

    Still, Calabrese said his organization will work to include students before any proposal reaches a vote in Congress.

    "Students are clearly the target of a lot of social media monitoring," he said. "We think students should have the same rights as everyone else. We'd like to see the best of both of these pieces of legislation combined."

    Blumenthal, who has been publicly critical of firms that have requested employee Facebook passwords, said legislation is needed to protect workers.

    “Employers seeking access to passwords or confidential information on social networks, email accounts or other protected Internet services is an unreasonable and intolerable invasion of privacy,” Blumenthal said in a statement. “With few exceptions, employers do not have the need or the right to demand access to applicants’ private, password-protected information. This legislation, which I am proud to introduce, ensures that employees and job seekers are free from these invasive and intrusive practices.”

    Bradley Shear, a Maryland lawyer and activist who has helped draw attention to the issue, said he "applauded" the efforts of legislators who introduced the Password Protection Act, but was also concerned that students not be left behind as the legislation works its way through committee.

    "Hopefully all the different interested parties will come together to find a solution that covers everyone," he said. "This is something that won't go away unless it's handled now."

    The Facebook password issue has been bubbling up for years — in 2009, a Maryland state employee complained that he was required to provide his Facebook password during a job interview. But the subject has gained much more attention in recent weeks, after several news reports, including an msnbc.com investigation.

  • 8 May 2012, 5:11am EDT

    Discount cellphone sites come with double dose of termination fees, hassles

    By Bob Sullivan

    Buying a smart phone from a third-party, discount online retailer might seem like a shrewd move, but a $50 discount could cost you $400 later if something goes wrong, in addition to any early termination fees charged by the carrier. That means consumers who buy from big-name third-party retailers like Target or Radio Shack could end up facing up to $750 if they prematurely cancel service. It also means consumers might be hit with a big bill from an unexpected place.

    Ohio consumer Chris Eash found this out the hard way when an innocent mistake involving a handset return to a RadioShack retail store led to weeks of pestering by a company named Simplexity, which powers online cellphone sales at some of the nation's largest retailers, including RadioShack.com and Target.com.

    Simplexity's proposition might sound simple: Consumers accept a discount in exchange for promising to pay a hefty fine if they cancel or change service within the first 181 days. But a glance online shows many complaints from consumers who are confused when hit by the fee.  

    Simplexity does disclose the fee prior to purchase, but it takes some work to find it. On RadioShack's mobile sales Website, for example, the fee is revealed via a link labeled "instant savings terms and terms of purchase," on the final page of the cellphone checkout procedure. Users must click on that link and read through a pop-up window to learn that their credit cards will be charged $400 if the carrier indicates service is changed within 181 days.


    Essentially, Simplexity is forcing consumers to cover the commission that would have been paid by carriers had the consumer maintained service. And it might be a fair deal for cellphone buyers to take a discount now and risk a fee later. For example, visitors to RadioShack.com on Monday were offered a chance to buy a 16 GB Droid Bionic with a Verizon contract for $49 -- $50 less than the $99 price advertised at VerizonWireless.com.

     

    But as Eash learned, Simplexity can be very aggressive about getting its bounty from consumers when anything goes wrong. He visited RadioShack.com in March and decided to buy a 4G Motorola phone, then went to his local store to actually make the purchase. When he got home, he realized that the salesman had given him the wrong handset -- the 3G version -- and he went back to the store the next day to return it. At the store, he was told the 4G phone was only available at the Radio Shack Website. He was also told by Verizon that if he returned the 3G phone before buying the 4G phone online, he would lose his phone number.  So within about 48 hours, he ordered the 4G online, ported his number to it, then returned the 3G at the store.

    Within days, Simplexity -- the retailer behind RadioShack.com -- contacted Eash and said he owed $400 because he'd changed the number associated with the 4G phone when it was sold. He hadn’t done anything wrong; he only had one phone handset, and he was honoring his contract. But no amount of pleading could deter the collectors, he said. The saga dragged on, with each firm blaming the other.

    "I got a notice from Simplexity ... (saying) that since I haven't paid the $400, they are going to charge the debit card I used for my purchase," he said. He canceled his debit card to avoid the charge, but Simplexity then threatened his credit report. "I have spent hours on the phone with both Verizon and Simplexity trying to get them to work it out with no luck. Both say the resolution is up to the other company.  It's come down to ‘Give us $400 or we crap on your credit record.'"

    Operators told him that, essentially, if Verizon didn't pay Simplexity its bounty for getting him to sign up as a new customer, he'd have to pay it.

    At the end of his rope, he contacted msnbc.com. We contacted Verizon, which escalated his problem with Simplexity. Eash was then contacted by a Simplexity official who apologized and promised to fix the mix-up. The official indicated there was honest confusion because the number associated with the phone purchased from Simplexity had been changed, and that resulted in a “charge-back” from VerizonWireless.

    The e-mail also explained that Simplexity must charge a hefty fee when phones are deactivated to avoid consumers simply purchasing their discounted phones and then canceling service and using a different provider.

    Eash was satisfied, but the experience left him with serious reservations about using online discount cellphone retailers.

    "Without some serious string pulling, I would have never talked to (the final Simplexity official) and would still be fighting with Simplexity,” he said. “I told him he had a company that with the exception of one person ... shows very little regard for their customers. I would strongly urge anyone considering buying a cellphone online to make sure this company is not the one behind the curtain pulling the levers.  They operate many store brand cellphone web sites that have absolutely no connection to the store on the page."

    Simplexity did not respond to questions about Eash’s complaint or about its business model, which also involves selling phones directly to consumers through its WireFly.com Website.

    Tom Pica, a spokesman for Verizon, said he couldn't comment on an individual consumer's account, but added that the firm has not received many complaints from consumers who purchased their devices from Simplexity.

    "We have high standards for our authorized agents and the service they provide to our customers," he said.

    Neither Target nor Radio Shack responded to requests for comment by press time.

    If you’ve never shopped at a third-party online cell phone retailer, dual fees for prematurely ending a cell phone contract may be new to you. But they are common.  Amazon, for example, offers deep phone discounts but charges $250 if the service is disconnected or canceled before 181 days have passed, in addition to any carrier fees. Letstalk.com, which operates Walmart’s online cellphone sales, also charges $250, describing the charge as an “equipment subsidy recovery fee.” Such fees first caught the attention of the public – and regulators – in 2010, when Google added a hefty early termination fee to initial buyers of its pricey Nexus One phone.  After inquiries from the FCC, the fee was reduced from $350 to $150.

    (ShopNBC.com also uses Simplexity to fulfill cell phone orders. Msnbc.com is a joint venture of Microsoft and NBC News.)

    Still, some consumers are apparently confused by Simplexity’s charges, and have lodged numerous complaints on Websites. Nearly all of them are accompanied by a note from a Simplexity official offering to clear up the matter.

    One writer on ComplaintsBoard.com sounded desperate in a post titled, "I want my $600 back." That consumer said he or she had purchased two Droid phones and returned them, only to be hit with a $600 charge. A writer named "WireflyKSCorpHQ" wrote back and offered to help and later posted a note saying the matter was resolved. Another writer added, "I just received a text message (Alert) stating a withdrawal of 600.00 from Simplexity. I don't even know who they are or how they have my account number! Were you able to solve this issue? Is there any way I can receive my money back?" WireflyKSCorpHQ again offered to help.

    Simplexity acknowledges questions about its discounts at a page on the Wirefly Website titled "How can Wirefly offer such great deals? Is it a scam? What's the catch?"

    On the page, Simplexity explains that it passes commissions it receives from cellphone network operators on to consumers and why it must recover the commissions if consumers cancel service. It also brags about the price clarity it offers consumers.

    "Cellphone rebates can be confusing and most people don’t like them. That’s why Wirefly has not offered rebates on any products since 2007," the page says.

    The page doesn't mention that in 2006, Wirefly.com, under previous ownership while named InPhonic Inc., was sued by the Washington, D.C., attorney general's office after more than 2,000 complaints about unpaid rebates were received by the local Better Business Bureau office. The complaints were also the focus of an msnbc.com story. At the time, the firm was accused of creating near-impossible rebate terms, such as requiring consumers to file for rebates 180 days after service started, but no later than 210 days.

    InPhonic, which at the time claimed to be the largest independent online cell phone retailer, settled that case in late 2006, agreeing to pay the rebates. The following year, the firm filed for bankruptcy. WireFly.com and other assets of the company were purchased by the Philadelphia-based private equity firm Versa Capital Management, which created a new firm named Simplexity. A spokesperson at the time told the Washington Post that the new company would not engage in any rebate programs in a story titled, "Rebates for customers of InPhonic in peril, again." Also at that time, InPhonic CEO David Steinberg said he would step aside.

    But several members of the current Simplexity "Leadership Team" also worked at InPhonic, according to the Simplexity website. On that page, InPhonic is described only as "a publicly traded Internet retailer."

    Simplexity maintains an A rating at the Better Business Bureau, though that agency's site says there have been 662 complaints filed against the firm in the past three years -- all of them "closed." That generally means the firm has responded, though it does not guarantee that consumers are satisfied with that response.

    The only direct connection between Simplexity's current business model and InPhonic's troubled rebate model is the magic 180-day mark at which authorized resellers get to keep their bounty from mobile providers for signing up new customers.  What Simplexity is doing now is in some ways the reverse of a rebate program – rather than making consumers wait 180 days to receive a $100 or $200 check, the firm is crediting the consumer immediately and grabbing back that money in the event that the deal goes sour before 180 days. As long as consumers understand the risk they are taking by accepting Simplexity/Wirefly's discount, bargains can be had. Things do happen, however, and it’s worth considering if $50 today is worth a possible $400 bill tomorrow.

    Eash was so scarred by his experience, and the hidden traps he landed in, that he says he would never do it again.

    "My advice: Buy directly from the service provider and NEVER from a third party. In the long run it may be a LOT less expensive," he said.

  • 27 Apr 2012, 11:37am EDT

    EXCLUSIVE: 'SNOPA' would ban employers, schools from demanding Facebook passwords

    By Bob Sullivan

    A New York Congressman has introduced federal legislation nicknamed "SNOPA" that would make it illegal for employers and educational institutions to require a potential or current employee, or a potential or current student, to divulge personal online information as part of the hiring, enrollment or discipline process.

    The bill, with a full name of the Social Networking Online Protection Act, was introduced Friday by Rep. Eliot Engel (D-N.Y.). 

    "As you know, social media and networking has become such a widespread part of communications in our country, and around the globe. However, a person’s digital footprint is largely unprotected," Engel said in a letter to Congressional colleagues asking that they support the proposal, which was obtained by msnbc.com from Engel's office.

    "There have been countless examples of employers requiring an applicant to divulge their user name and password as part of the hiring process. Additionally, some universities, and even secondary schools, have required the student either divulge their personal information, or grant the institution access to the personal account by ‘friending’ the student."

    The legislation would ban employers from requiring that employees or job candidates share social networking passwords or "other means of accessing a private account"; it would also ban post-secondary schools from disciplining students for failing to provide such access, or from discriminating against applicants who refuse to provide such access. Local educational agencies would also be banned from requiring login credentials.

    "These coercive practices are unacceptable, and should be halted," Engel said in the letter. "We have to draw a line between what is publicly available information, and what is personal, private content. I think we would all object to having to turn over usernames and passwords for email accounts, or even worse, to bank accounts. User-generated social media content should be no different."

    The Facebook password issue has been bubbling up for years — in 2009, a Maryland state employee complained that he was required to provide his Facebook password during a job interview. But the subject has gained much more attention in recent weeks, after several news reports, including an msnbc.com investigation.

    This is not Congress' first attempt to crack down on the practice. In March, the House of Representatives shot down an amendment to a pre-existing FCC reform bill that would have given that agency the right to regulate on the issue. But Engel's legislation is the first federal legislation that would hit the issue head on.

    Bradley Shear, a private lawyer in Maryland who has been the public face of efforts to stop the practice, said Engel's legislation was "an excellent bill" that would protect both employers and employees, along with both schools and students.

    "It gives employers and schools a shield against legal liability, so no one can claim that they should have been monitoring social media...and I think because it protects both sides, it has a better chance at success than previous efforts," said Shear, who worked with Engel to craft the bill. "It's a really well thought out solution to this very young, challenging problem and I hope it gets bipartisan support."

  • 25
    Apr
    2012
    11:37am, EDT

    Cellphone firms oppose California law to make police cellphone snooping public

    By Bob Sullivan

    A California lawmaker wants cellphone firms to report how often they release consumer location information to law enforcement officials, but the industry says it will fight the measure, according to a letter posted by the American Civil Liberties Union.

    The California legislative proposal, which would force cellphone companies to make detailed reports available on the Internet, could have national implications, as it could be imitated by statehouses around the country. And any system implemented to accommodate that state's law could apply to many of the nation's consumers, any time they interact with California consumers.

    The issue of local cops' getting detailed information from cellphone providers has garnered greater national attention this month, after the ACLU released the results of an extensive study.  More than 200 local police agencies shared details about their data-gathering habits in response to a series of Freedom of Information Act requests. In a special report, msnbc.com examined thousands of data request invoices received by the ACLU.

    State Sen. Mark Leno, a Democrat, introduced legislation this year that would require mobile companies to publicly disclose the number of law enforcement location-related requests they receive annually. It would also prohibit disclosure of such information without a warrant — policies around the country vary.

    The wireless industry trade group CTIA sent a letter to Leno on April 18 saying it opposes the legislation.

    "The provider reporting requirements create unduly burdensome and costly mandates on providers and their employees and are unnecessary," said the letter, which was signed by Jamie Hastings, CTIA's vice president for External & State Affairs. "It is ... unclear what useful purpose such reports would serve. As wireless providers are constantly working to respond to ever-changing consumer demands, it is doubtful that diverting provider resources away from meeting these demands to comply with these reporting mandates would best serve wireless consumers."

    The telecommunications group also said the warrant requirement may "create confusion" and "hamper (wireless firms') response to legitimate law enforcement investigations."

    The ACLU, which says it wants to create wider public discussion on the issues surrounding cellphone location information, posted the CTIA letter on its website Monday. It criticized the trade group for opposing the legislation.

    "Wireless companies should be doing everything in their power to protect the privacy of customer location information and making sure it cannot be misused, not opposing a crucial privacy bill that would ensure proper oversight for police access to the sensitive location data that these companies collect about us," Nicole Ozer, an ACLU policy director in California, wrote in a blog post on Monday.

    She took issue with the industry's assertion that a reporting requirement would be burdensome, saying cellphone firms must already keep track of that data. She noted that the CTIA letter said telecom employees are "working day and night to assist law enforcement," and she said that was misguided.

    "Our location data — where we go and what we do — is sensitive information. Wireless companies should be working day and night for us — their customers — not for law enforcement," she wrote.

    In a follow-up statement to msnbc.com, the wireless industry association said its objection was chiefly with the additional reporting burden the law would place on cell phone firms, and not on the privacy rights issues. 

    "There is a lot of misinformation on our position on California's mobile privacy bill," the trade group said in a statement, signed by Hastings. "While we are opposed to SB 1434, our opposition is focused on its provision that places reporting burdens on carriers rather than on the prosecutors who make these requests. ... Our opposition to (the legislation) in no way should be considered as a degradation of the wireless industry’s commitment to its customers' privacy."

    Hastings also said that wireless carriers shouldn't have to be in the business of vetting the legality of cellphone records requests.

    "It is up to the legislature and the courts to strike the appropriate balance between a citizen's privacy and law enforcement's legitimate need for information," Hastings' statement said. "While I want to be absolutely clear that our members are 100 percent committed to protecting our customers and their privacy, CTIA does not believe that wireless carriers should be expected to seek court review of the legality of the subpoenas and court orders they receive seeking location information."

    Law enforcement use of wiretaps, location information and so-called "pen trap and trace" data, which shows whom a caller is talking with, has increasingly become a controversial issue for privacy advocates. The ACLU report released April 2 offered the first glimpse of how often such data is used by local cops. Federal agencies are supposed to report annually how often they use such investigative techniques, but the Justice Department has repeatedly failed to provide such reports to Congress, Wired.com reported earlier this year.

    There is precedent for disclosure of such data. Google voluntarily provides information about law enforcement requests on its "Transparency Report" website.

    Stronger state laws are needed to provide a check and balance on police use of revealing mobile phone information, and annual reports would call attention to any sudden increase in use of the data.

    "It’s time to update California privacy law so it matches our modern mobile world and keeps our personal information safe from misuse," Ozer wrote.

  • 23
    Apr
    2012
    12:10am, EDT

    Study: ID thieves robbing the grave; 2.5 million dead hit annually

    By Bob Sullivan

    Ruthless ID thieves are robbing identities even from the grave, a new study has found.

    Nearly 2.5 million dead people are victims of identity theft every year, according to a data analysis by fraud prevention firm ID Analytics being made public Monday.

    The study offers the first hard data about a little-understood aspect of ID theft that can cause unnecessary pain and suffering to family members already dealing with loss.

    ID Analytics works with dozens of credit-granting companies, such as banks and cellphone providers, to find common patterns among fraudsters as they fill out credit applications. The firm has unique insight into fraud trends, as it screens more than 1 billion such applications annually. For this study, it considered 100 million applications filed during the first three months of 2011 and compared Social Security numbers and other information in those applications against the Social Security Administration's Death Master File, which tracks the identities of people after they die.

    Stephen Coggeshall, chief technology officer at ID Analytics, recently crunched those numbers to look for evidence that criminals were exploiting SSNs attached to the deceased. The results showed a wide-scale problem, much larger than previously believed.

    Roughly 800,000 deceased Americans are deliberately targeted by criminals each year, the study claims.

    In those cases, an imposter armed with a deceased person's SSN, name and birthday tries to fully assume the dead person's identity. ID Analytics has no information about whether or not the attempts were successful, Coggeshall said — only that the personal information was used on an application during a fraud attempt.

    Meanwhile, SSNs attached to 1.6 million more dead adults find their way onto thieves' fraudulent applications through random selection, he said. Many criminals simply guess at SSNs when filling out fraud applications and accidentally use one that's already been issued to someone who's now dead. ID Analytics calls them "identity manipulators" who make arbitrary variations on their own personal information to avoid fraud detection tools and randomly pick an SSN associated with a deceased person.

    "This study brings to light a significant problem, as we see fraudsters intentionally using identities of the deceased at the rate of more than 2,000 per day," Coggeshall said.

    Imposters who exploit the dead are after the same things that all ID thieves crave: theft of cellphone service or the ability to open up new credit cards or take out loans, Coggeshall said.

    There are obvious advantages for criminals when using a dead person's personal information. If the fraud is initially successful, the normal channel for discovery — a consumer who notices unauthorized charges or accounts on his or her credit history — doesn't exist. Family members or others disposing of an estate can discover the fraud through the arrival of unexpected bills, but the usual hurdles for recovering from such fraud are even higher when a third party must call and ask for corrections.

    Fighting ID theft of the dead should be easier than most other forms of identity fraud. The Social Security Administration frequently updates the Death Master File, which now contains about 40 million SSNs. Firms that issue credit should routinely check their applications against this simple list; several inexpensive products offer this service, and the file is available in several forms online (there's even an app). But clearly, that kind of screening isn't happening, Coggeshall said. Otherwise, criminals wouldn't be trying to exploit the dead so frequently.

    Ironically, if companies don't check SSNs against the Death Master File, it becomes a great source for criminals to obtain identities and SSNs to be exploited.

    "We have no sense of where criminals are getting the numbers, but a certain portion of them probably are coming from public sources, like the Death Master File," Coggeshall said.

    The study also hinted that seriously ill people are being targeted by criminals. There were 2 million cases of SSNs being used in credit applications, with the SSN holder dying within the next two months.

    "Certainly a good deal of this is not suspicious, but some fraction of these applications may be the misuse of the identities of the dying," Coggeshall said.

    RED TAPE WRESTLING TIPS
    Family members already dealing with a tragedy have plenty to worry about, but identity theft of the dead is a reality they must consider, he said.

    "While this is clearly a problem for businesses, surviving family members can also be the victims of this identity fraud as they are left to manage the estates of their deceased loved ones," Coggeshall said. "It's important for people to monitor their deceased family members' identities for at least one year."

    It's possible for a third party, such as a spouse, to get a credit report for a deceased person, but it's not trivial. The bureaus will want a death certificate as proof the individual has died, and they'll want some evidence that the requester has a right to see the information — such as a marriage license or an order showing he or she is an executor of the estate. That person can request that a "deceased — do not issue credit" notation be placed on the report, but certain hiccups can occur. If a credit account, such as a loan, is in both spouses' names, a "deceased" flag can occasionally cause confusion.

    There's a good discussion of this issue on Experian's website.

    More details on how to freeze a loved one's credit report are available at this BankRate.com story.

  • 18
    Apr
    2012
    5:59am, EDT

    EXCLUSIVE: What local cops learn, and carriers earn, from cellphone records

    By Bob Sullivan

    The war on drugs has gone digital; but is it also a war on cellphone users?

    That’s just one of the questions raised by an msnbc.com investigation into use of cellphone tracking data by local police departments across the nation. Msnbc.com built a database of thousands of invoices issued by cellphone network providers to cities after cops asked for caller location and other personal information between 2009-2011. The invoices were first obtained by the American Civil Liberties Union and released to the public earlier this month.

    The database offers perhaps the first blow-by-blow accounting of several cities’ use of cellphone tracking as a crime-fighting tool and the potential blow to civil liberties that the requests represent.

    While 200 cities responded to the ACLU, three cities -- Tacoma, Wash., Oklahoma City, and Raleigh, N.C. -- provided enough detail to paint a picture of how cellphone tracking data is being used in mid-sized police departments around the nation. Categorizing the thousands of pages of invoices supplied by the three municipalities provided some insight into why cops use cellphone locations and call records to investigate crimes and how much the carriers earn responding to these requests.

    The tension between the war on drugs and privacy is most readily apparent in Tacoma, Wash., where the most frequent reason that police requested cellphone data over a two-year period was to investigate drug dealing, the analysis indicates.

    In Tacoma, while many of the 139 requests for cellphone data from Jan. 1, 2009 through June 30, 2011 involved serious crimes –  including 37 murder investigations –  the most frequent charge listed as the reason for the request is “UDCS,”  or unlawful distribution of a controlled substance.  No additional details about those 51 requests, or the crimes behind them, were available. Police officials from Tacoma did not respond to requests for comment.

    The bills run up by local detectives requesting cellphone data aren’t small. Tacoma spent $17,496 checking cellphone records during that time span or nearly $1 for every 10 residents. Police in Oklahoma City spent $9,033 on cellphone records checks during one three-month stretch last year, according to the data compiled by msnbc.com.  In Raleigh, officials made an average of one location “ping” request from just one carrier -- Sprint -- every three days during the second half of 2011. 


    “Location data for cops is like a kid in a candy store,” said Mark Rasch, former head of the Justice Department’s Computer Crime Unit.  “It’s a wonderful investigative tool which is highly intrusive of personal liberty and our rules on privacy, and rules governing access to this are not only antiquated but confusing and conflicting.  Add to that a profit motive by carriers, and lack of sufficient oversight on law enforcement access to the records, and you have a prescription for, at a minimum, violations of civil liberties.” Rasch is now a consultant with Virginia-based cyber security firm CSC.

    The ACLU notes that much of the cellphone location data is obtained without a warrant, meaning no probable cause hearing before a judge is required.  Many cops counter that subpoenas are always issued – and sometimes refer to these as court orders -- but Rasch said that’s a misnomer. They are often little more than a request form.

    “Cops can have a pile of blank subpoenas in their desk drawer,” he said. Carriers normally consent to subpoena requests, but legally they don’t have to. If they refuse, a law enforcement agency is then required to get a judge’s order to enforce the subpoena, a step that’s rarely taken, he said.

    Tacoma officials deserve credit: Of the 200 cities that responded to the ACLU’s Freedom of Information Act requests, Tacoma’s documents provided the most detail and included an easy-to-read summary page. Research on other cities was far more laborious, and required sampling, which is why this report is limited to three months of Oklahoma City’s invoices from April to June of 2011, and six months of Raleigh’s invoices from July 1-Dec. 31, 2010.  For consistency, the date used for all records indicates the date the invoice was filed, not the date of the crime or the date that police requested the data.

    The study involves only local cops; federal authorities file their own cellphone location requests and wiretaps, which were not considered in this report.

    It’s important to note that many invoices did not include an amount. In Tacoma, about half the amount entries for the 139 requests were left blank. It’s unclear if that means the request was filled for free or if the data entry was incomplete. That means the dollar totals published here could be far lower than the actual amount paid by the city.

    If Tacoma’s experience is typical  – which isn’t clear – cellphone companies are earning millions of dollars fulfilling local law enforcement’s cellphone records requests. If Tacoma’s rate of nearly $1 per 10 citizens were extrapolated nationwide, cellphone companies would have billed local cops roughly $30 million from mid-2009 to mid-2011.

    There are about 25,000 municipalities in the United States. Most have their own police force, and that total wouldn’t include county and state law enforcement agencies. If each one averaged $1,000 in requests – far less than Tacoma’s $17,496 –  that would total $25 million. Cellphone companies, as we’ll see below, have real expenses associated with data lookups, and they often fulfill life-or-death requests for free. Still, with $2,500 invoices being sent to towns across the country, it’s clear there is real money being made.

    “I think that this data confirms that cellphone trapping is a routine law enforcement practice, not only for serious crimes but for more routine crimes,” said Catherine Crump, the ACLU lawyer who ran its investigation. “It is integrated into the law enforcement’s everyday arsenal, and that makes understanding what data law enforcement uses, and making sure that this complies with the Constitution, all the more important. … This is the first look we have to see how pervasive this practice is.”

    Raleigh, Oklahoma City details
    Raleigh and Oklahoma City offered less complete data, but enough information to provide a glimpse of the kind of requests being made.

    In Raleigh, we narrowed the study to one carrier – Sprint – for the last six months of 2010. Here’s what we found: Police made 59 requests, or about one every three days, and spent $2,300 over the six-month period, according to the data. Activity was most intense in the summer, with 17 requests in July costing $660. The vast majority of these requests were simple location “pings,” that cost $30 each, but there were some requests for voice mail and “picture mail” retrieval, which also cost $30.  The Raleigh invoices included scant detail, with only one bill including a hand-written note that said, “att. Murder.” 

    “Other than noting that our investigative procedures comply with all applicable statutes, I don’t believe there’s anything I can add,” said Jim Sughrue, a spokesman for the Raleigh Police Department.

    Oklahoma City police took the opposite approach, spending a lot on only a few requests. From April to June, 2011, the city received $9,033 in bills for data requests that went far beyond Raleigh’s location pings. One bill Oklahoma City received from Cox Communications totaled $2,500 for 60 days of “pen register/trap and trace” activity, which would ordinarily indicate police learned call details (but not call content) for every call placed to or from a target phone. That invoice, by the way, indicates a full wiretap costs $3,500 from Cox.

    During this three-month span, the city made nine other requests for 24 days or longer of pen register/trap and trace data, including four additional requests for 60 days of data. Verizon billed the city $2,446 for five separate invoices dated May 13.

    Capt. Dexter Nelson, spokesperson for Oklahoma City, said his department had gone to court and obtained permission for every cellphone records request invoice viewed by msnbc.com.

    “In each of the cases in that document those were criminal investigations in which someone went before either a state or a federal judge to explain that case and the need to obtain that information … (and) to provide probable cause or reasonable suspicion,” he said.

    The invoices indicate they are for subpoena compliance, but Nelson said carriers require a judge’s order to perform the more invasive pen register/trap and trace operation.

    Nelson said he did not know if the invoices related to a single police investigation, or multiple investigations.

    “Typically those are narcotics cases, or it could be robbery, or it could be homicide. It could be any number of different types of investigations,” he said.

    One back-and-forth e-mail discussion found within the city’s invoices between T-Mobile and police officials over pricing for the records requests offers insight into the kind of negotiations that occur between cops and carriers over data cost.

    “The fees set are $100 per day for this tracking tool, capped at 10 days charge, or $1,000 per month. This is substantially less than our competition charges for their ‘per-ping’ GPS-based system, and again, there is no charge for non-criminal/E-911 emergency support,” Michael McAdoo, T-Mobile’s director of law enforcement relations, wrote to city officials on June 6, 2008.

    When city officials complained that some emergency requests – such as a life-or-death request to find a lost hiker or a missing child – and other communications should be free, then-city Communications Technology Manager Lucien Jones made his case with sarcasm in a June 8, 2009, email.

    “Let me see if I understand this: If a guy has an argument with his wife, pushes her down and runs off with her cellphone, we can track that phone free,” he wrote. “But if an armed robber kills his victim and takes their cellphone, and continues to commit a string of robberies, then the attempt by dispatchers and patrol officers to correlate 911 data of the next robbery with cellphone location data constitutes an "investigation," and we gotta pay $100 bucks a day .... Oh, but if the killer develops shame and depression and threatens suicide, then it’s free.”

    McAdoo of T-Mobile offered this retort on June 10.

    “In the first scenario with the guy who pushes his wife and takes her cellphone, we would only assist in tracking this person if served with a valid … ‘reasonable and articulate facts’-type court order to do so,” he wrote. “We would have no "reasonable belief of a threat to life or serious bodily injury" to allow us to legally locate this person as an emergency exception. In your court order, the judge would likely order reasonable compensation and our charge would be $100/day.  In the second scenario, we would immediately respond without an order as we would have a belief that, if left unchecked, this series of crimes might escalate into another killing, and yes we would charge $100/day for that response. In the third scenario--or in any suicide-prevention call from a PSAP -- we would (and do many times each night) attempt to locate the person immediately and do so free of charge. And in any other lost hiker/missing motorist/missing juvenile/wandering Alzheimer's/lost medivac helicopter/capsized boater/stranded mountain climber/etc. event, we would immediately assist at no charge (and do so probably hundreds of times each week), unlike some other national carriers which charge $100 per ‘ping.’”

    Request by carrier, other data from Tacoma
    The clearest picture of what goes on in medium-sized U.S. cities comes from Tacoma, however.

    While there are a couple of big-ticket requests, many are for around $30. For example, in 2010, 10 of the 38 requests were for quick-hit, single $30 location "pings."

    AT&T fulfilled the most requests – 45 – while Sprint and T-Mobile each filled 36, and Verizon 15.  There were also single requests filled by Facebook and MySpace.

    After drug crimes and murders, there were 16 assault-related requests, seven robbery-related requests, five rape-related requests, four involving an endangered child and two related to finding a material witness.

    There was also one invoice filed regarding a crime labeled “theft of a city laptop.” No additional information was available.  

    Other information in the Tacoma data:

    There is an $850 bill from AT&T for a robbery/rape investigation in late 2009.  That's $100 for "location activation" and 30 days of daily tracking at $25 each. Just like consumers, law enforcement agencies get hit with setup fees.

    The biggest single bill in Tacoma is for $1,300: 13 days of “E911 locator” at a flat $100 per day in mid-2010. The listed crime is UDCS, or "unauthorized distribution of a controlled substance."

    Rasch said he wasn’t surprised by the volume of requests. If anything, he thought the numbers were low.

    “I can’t imagine any case where location data wouldn't be important. The temptation to use and overuse this data is very strong,” he said.

    He also said he’s not opposed to its use.

    “It's not that (I) don't want them to have the data. In some cases, we want them to have it faster,” he said. “But we want it to be accountable. We want legal standards, procedural standards, and we want more openness about what they are doing.”

    Both Rasch and Crump, the ACLU attorney, expressed mixed feelings about the carriers’ earnings from law enforcement requests, which are clearly substantial but might not be profitable. Both said they wouldn’t want carriers to charge any less, because the fees act as a natural barrier to abusive data gathering.

    “The amounts give a good sense of how massive (the carriers’) facilities are for processing and handing over this customer data,” Crump said. “But it is good that carriers charge. If this were free, there would be a lot more of it.”

    Rasch pointed out that U.S. officials and citizens haven’t yet settled on the debate about whether location data is private or public information, further confounding the constitutional issues raised by police cellphone tracing requests.

    “FourSquare is doing this 50,000 times a day,” he said. “This data just involves cellphone carriers – there are dozens, if not hundreds, of other people who know where you are – EZ Pass, Google, and so on. There are plenty of other ways for authorities to find you.”

    He favors a system that would require cellphone carriers to inform customers – even after the fact – that law enforcement has obtained their location or cellphone call data.  And while he’s in favor of its use for investigating serious crimes, he said routine use of cellphone data to enforce the law could lead down a slippery path.

    “Once you say that criminals have no rights, where do you stop?” he said. “For example: You claim your car as a deduction on your federal taxes. Would it be OK for the IRS to subpoena cellphone records to see if you are correctly logging your miles?”

  • 12
    Apr
    2012
    6:00am, EDT

    NJ flood victims ask: Where did those millions in federal aid go?

    Bob Sullivan / msnbc.com

    Giselle Sedano looks over flood-related paperwork at a coffee shop near her midtown Manhattan office.

    By Bob Sullivan

    Giselle and Zenayda Sedano of Cranford, N.J., never had a chance of keeping the rampaging waters of the Rahway River out of their home when Hurricane Irene roared through northern New Jersey in August. Now they are wondering if they ever had a chance to get any of the $21 million that the Federal Emergency Management Agency sent to help New Jersey’s flood victims.

    We first met the Sedano sisters a day after the hurricane hit on Aug. 28, causing the Rahway River to breach containment and wreak havoc in their suburb of Cranford, where about one in five homes were damaged. They were picking through all of their worldly belongings and looking for something, anything, that wasn’t completely waterlogged. 

    Now, more than eight months later, they are wondering why they didn’t receive any federal disaster aid to flood-proof their home, which is only about 100 feet from the river, while some of their neighbors who live farther from the water are getting nearly $200,000. Other Cranford residents are asking similar questions.


    “There are homes in plain sight of mine that were selected which I will have to witness get elevated. But I'm right next to the river. I just don't understand," Giselle Sedano said. "It’s so hard waking up every day not knowing what’s going on."

    The controversy highlights the challenges that FEMA and local officials face as they try to plan ahead and minimize future flood disasters.

    Msnbc.com profiled the Sedano sisters in August when writing about the towns hit hardest by Irene. Giselle is a hedge-fund analyst and Cornell graduate; Zenayda works in the pharmaceutical business and is a Rutgers graduate. The two successful 20-somethings pooled their resources to buy a home in 2009, soon after they graduated from college, so they could move with their parents to Cranford.

    Their parents came from Peru in the 1980s with nothing other than the clothes in their suitcase. Irene left the entire family in a similar state; mom, dad, and the two sisters had little left outside the clothes they took when fleeing to a nearby hotel right before Irene hit.

    Nearly six months to the day after the storm, New Jersey Gov. Chris Christie announced that FEMA had awarded the state $21.6 million through its Hazard Mitigation Grant program. The money was promised to seven municipalities hit hard by the storm; Cranford received $3.1 million for "the elevation of select dwellings."  At around the same time, some Cranford residents began receiving phone calls saying they'd been selected for elevation grants. Others, including the Sedanos, heard nothing.

    Like dozens of other Cranford residents, the Sedanos had responded to a notice last fall from the township indicating they'd like to participate in the elevation grant program. It's not cheap; even with the grant money, residents have to pay 25 percent of the cost.

    Neighbor Kristen Wolansky also requested elevation aid, but she said the township never even acknowledged receipt of the request.

    "There was no confirmation that your name was received. The information was just submitted into a void," she said.

    The list of lucky homeowners isn't public -- "winners" were notified only by phone call, said Wolansky. But she and another frustrated Cranford resident, Steve Gorski, have pieced together a map based on conversations with neighbors. While unofficial, it shows several homes around the Sedanos' house receiving aid.

    It makes sense for FEMA to flood-proof homes that are subject to repeated disasters. Like most flood victims, the Sedanos paid to participate in the National Flood Insurance program – in their case, the premiums were $2,015 annually. Elevating homes -- or purchasing them outright and making them into parkland -- is cheaper in the long run than continuing to pay pricey settlements every 10 or 20 years.

    But there's not nearly enough money to buy out or elevate every home in danger -- only about 1 in 10 homes statewide in risky areas will receive funds from the $21 million FEMA grant, New Jersey state officials say. That means there's always a lot of disappointment when flood relief grants are doled out.

    But the process for picking winners and losers raises questions. Ultimately, local officials decide which residents get the aid. There are complex considerations, such as preserving the character of neighborhoods, which are best left to local officials. But that also leaves them open to criticism and accusations of political patronage.

    Compounding the problem are privacy requirements surrounding the process. Because participation is optional, and residents can decline the aid, the list of selected homeowners remains a secret until contracts are signed to begin work. That also means families like the Sedanos have no real avenue for appeal.

    Bob Sullivan / msnbc.com

    Giselle and Zenayda Sedano in August 2011.

    FEMA’s Hazard Mitigation Program has benefitted communities around the country. The state of Vermont received post-Irene buyout and elevation grants of $19.8 million, for example. But the program also has a spotty history. More than $1 billion was set aside for land acquisitions and home elevations after Hurricane Katrina in Louisiana, but arguments over how to implement the program delayed the awarding of any grants for two years, and by 2008, three years after the monster storm, only 14 grants were paid out. Claims of contractor fraud also complicated that awards process.

    By that measure, the post-Irene grant process is moving swiftly in New Jersey. Still, the Cranford secret has been kept for a while -- the homes picked by Cranford officials had to be included in the town's initial application for aid, which was filed sometime in the fall, according to state officials.

    FEMA directed questions about the New Jersey grant process to state officials; the governor's office directed questions to the state’s Office of Emergency Management.

    Mary Goepfert, spokeswoman for that agency, explained the process to msnbc.com.

    "The homeowners have to stay private because if they don't participate, and their name is on a list … their home would be severely devalued," she said.

    Goepfert said local officials must show that the choice of winners is "financially advantageous" -- that is, a buyout or elevation project must be cheaper than expected future insurance payouts. But otherwise, home selection is entirely up to municipalities, she said.

    "For instance, it might make more sense to buy out three, four, five or six houses in the same neighborhood than it would to buy a house here and a house there,” she said.

    But what if a resident who wasn't selected feels the process was unfair?

    "That's a question for the municipality," she said.

    Cranford Mayor David Robinson said he understands why some residents might be frustrated, but said the municipality initially tried to get enough money to elevate about 50 homes and was told by federal and state authorities to tone down its application.  Right now, 18 homes are slated to get elevation aid, and another five are selected as alternates in case others back out.

    "We're going to go neighborhood by neighborhood and try to get all of them elevated," he said. "It's just a matter of which homes get first priority. That's what we really focused on." The town plans to apply for additional elevation grants in the future, he said.

    This time, municipal officials looked at prior loss history, past flood claims and other data when picking the homes, he said, admitting that some of that data is incomplete.

    "We've also found instances where people may have had private flood insurance, and we discover that's a blind spot not included in (our) loss data," he said. "We're working hard to fix that. ... (This time) we focused on homes closest to the river and going neighborhood by neighborhood with the loss data that we had." 

    While the 18 "winning" homeowners and 5 alternates have been informed, he said there is no process to tell disappointed homeowners that they weren't picked, or why.

    And how should a homeowner like Sedano feel about being left out while neighbors benefit?

    "If it's a next-door neighbor, maybe the explanation was that their loss data didn't fit into the cost-benefit analysis that was being worked on at that point," he said. 

    The "losers" must simply trust that the selection was fair. The data -- and the reason for the selections -- remains private.

    There is one public curiosity about Cranford's aid grant. The other six cities that were promised post-Irene grants all elected property buyouts; Cranford was the only municipality to pick home elevation.  That can be far less disruptive for homeowners, of course, because they don’t have to move. Elevation benefits the town's tax coffers, too, Goepfert said.

    "With a buyout, those properties are written off from the tax ratable base," she said.  "But why Cranford chose elevation, you'd have to ask them."

    Bob Sullivan / msnbc.com

    The Sedano sisters pick through their belongings outside their flooded Cranford home in August 2011.

    Mayor Robinson said no one in the town expressed interest in a buyout.

    All this mystery might be over soon. Goepfert said post-Irene aid was fast-tracked, and she hoped contracts for construction and buyouts would be signed within a month. Then, the list of winners and losers will be made public, she said.

    For now, the Sedanos are slowly putting their lives, and their home, back in order. Most of the basic reconstruction of their home has been completed, and the family has moved back in, albeit with sparse furniture. They celebrated Easter Sunday at home this past weekend, their first meal in their rebuilt dining room since the flood.

    "There were a few tears during dinner," Giselle said.

    But the view of the river out their window, which once brought a sense of tranquility, now only brings trepidation. And until the list of to-be-elevated homes is published, the Sedanos are forced to wait and wonder why they weren't chosen.

    "We find it totally unfair. Our home is directly in front of the river," Zenayda said.

  • 6
    Apr
    2012
    6:04am, EDT

    Are these questionable charges on your credit card? A good list to check

    By Bob Sullivan

    Here’s a handy list of credit card charges that consumers have complained about during the first part of 2012. Do any of them appear on your credit card? Read on to find out why you should probably pull out your statements and check them.

    There’s a steady stream of new and clever ways for frustrated consumers to find each other online, make collective noise and get satisfaction. Among the more intriguing is BillGuard.com, which does for your credit card bill what a spam filter does for your email. 

    Members sign up and let BillGuard scan their credit card statements for potentially fraudulent charges, billing errors or hidden, unexpected fees. The firm then asks consumers if they wish to tag the charge as suspicious. As soon as enough consumers say there’s a problem with a charge, all BillGuard members are warned and a suspicious-report web page is generated.     


    Founder Yaron Samid, a startup vet who was part of the team behind Register.com, said he got the idea for BillGuard after he nearly was taken in by an automated fee that appeared on his credit card bill.

    “Two years ago, I found out I was paying $10 a month for a post-transaction coupon scam after my wife bought concert tickets,” he said. “When I Googled the charge, I saw countless blog posts, complaint boards and tweets screaming about the same "hidden fee." Turns out millions were duped by the same scam and were complaining about it online and to their banks. So why wasn't I told?”

    Samid and partner Raphael Ouzan, a financial data security expert, set out to build a system that would harness “collective consumer knowledge” and allow credit card users to share this kind of information with each other. BillGuard also monitors other complaint-related websites and social media services for signs that a company might be misbehaving.


    Customer surveys show that about 90 percent of credit card users fail to scan their bills carefully each month, so a proactive alert system is essential, he said.

    To see if the system really works, we asked Samid to share with us 10 potentially problematic charges that BillGuard warned consumers about in the first quarter of 2012.

    Then we contacted the 10 companies involved to see if the warnings were warranted. We’re publishing 9 of the 10 here – the tenth requires additional investigation.

    The list is varied, ranging from a small company that’s sending out $500 gift cards with a catch, to a magazine empire that’s generating complaints through the way it signs up new subscribers. Several themes run through the list, from the dreaded “negative option,” which relies on consumer laziness to pile on monthly charges, to the third-party “data pass,” which leaves many consumers wondering, “How did this company get my credit card number?”

    BillGuard’s statements, and the company responses, are listed below. Next to each company name is the charge as it’s listed on most consumers’ credit card bills, which is clickable to BillGuard’s complaint page about the company. Check your credit card bills to see if any of these items appear, and consider disputing them.

     

    1) ShoeDazzle - SHOEDAZZLE.COM, INC. SANTA MONICA CA

    BILLGUARD: “This hugely popular merchant was flagged by a user of ours who alerted us to their dubious usage of a negative-option membership model in order to charge you monthly. Upon your first purchase, ShoeDazzle “subscribes” you to their service. From that point on, you’ve agreed to be charged $39.95 every month unless you log into ShoeDazzle and click a “skip this month” link. Don’t “skip” in time, and you’re charged. In other words, you have to take action to avoid being charged. The terms and conditions explaining this subscription service are hidden at the bottom of the checkout screen in the fine print. Based on our findings and our users’ complaints about this unethical membership practice, we now propagate this information to our entire user base.”

    RESPONSE: ShoeDazzle, which made a name for itself in part because of its affiliation with Kim Kardashian, says it no longer requires customers to subscribe to its service and no longer assesses a monthly charge. The firm announced the change in late March.

    “Under the old model, we did communicate the process in a How It Works video, in Terms and Conditions, via email upon purchase, through our Client Service team,” said John Tabis, vice president of strategy at ShoeDazzle. He then invited us to forward any complaints that BillGuard received to him. “We are always seeking ways to improve, and we appreciate the feedback.”  

     

    2) Zbiddy -- ZBIDDY.COM 877-403-6981 FL 

    BILLGUARD: “Zbiddy is a penny auction site. Participants must pay a fee in order to place a bid. Every bid placed extends the allotted auction time. Due to their high profitability and cheap set-up costs, penny auction sites have been growing steadily over the past few years. Zbiddy was a relative newcomer to the scene a few months ago but has already garnered a reputation for practicing shill bidding (bids placed with intent to inflate auction price) in order to drive up prices and extend auction length. We found this out when we were monitoring the trending scams on Google.”

    RESPONSE: Two e-mails to ZBiddy’s customer service were answered only by auto-generated responses, like this:

    “We have received your request. Your email is very important to us. We will answer your specific query within the next 24-48 hours. Answers to most of your questions can be found out by visiting our FAQ section. Best regards, The ZBiddy Customer Loyalty Team.” One week after the first e-mail, we hadn’t received a response.

    UPDATE, April 23, 2012: Seth Dillon of ZBiddy contacted msnbc.com and offered the following response:

    "I've reviewed and responded to the complaints on the BillGuard website. Thank you for bringing those complaints to our attention. ... (It) is not accurate that we have a reputation for shill bidding. ... ZBiddy does not now - nor have we ever - engaged in any unethical bidding practices to artificially inflate the cost of items on our site. With respect to the complaints about unauthorized charges, please note this reply, which has been posted on BillGuard: "To place bids and win products on Zbiddy, you must first register and purchase a bid package. This process is standard across the penny auction industry and is not exclusive to Zbiddy. If you have questions about the registration process, or if you were unaware that you were being charged at the time of your purchase, please contact our Customer Service department at 1-888-406-6509. Our friendly agents are standing by to take your call and help resolve your issue. The Customer Service Desk hours are Monday through Saturday from 8 a.m. to 12 a.m. ET."

     

    3) Scoresense -- OTL*SCORESENSE.COM 800-679-6327 TXAP15CTE

    BILLGUARD: “What Scoresense claims to offer are 'free' credit services such as credit score, credit monitoring etc., .... What actually happens is the following: The user feels safe in giving Scoresense their financial information in order to receive their 'free' credit report and usually fails to notice that the 'free' report lasts for a limited time, (after) which Scoresense uses the supplied financial information of the user in order to charge him monthly for a membership service.”

    RESPONSE: A customer service representative who answered a telephone call told us to write to customercare@scoresense.com. An email sent to that address was answered only with an automated response: “Thank you for your email inquiry to ScoreSense.  Emails are typically responded to within 3 business days. If you have an urgent matter or wish to cancel your account please contact customer care toll free …” After 48 hours, we hadn’t received a response.

     

    4) TWX/Synapse --- TWX MAGAZINE SUBSCRIPTIONS

    BILLGUARD: “TWX/Synapse uses a data pass model in order to trick consumers into costly subscriptions. What happens in data pass models is the following: Consumers buy a product at a participating third-party merchant. The merchant may be a physical grocery store or an online shop. During or after the checkout process the consumer is offered a free trial for magazines of his choice. Assuming that the company offering him the magazine subscription does not have his financial information and that he is entering a 'no-risk' trial period, the user signs the dotted line. What he does not realize is that the financial information he supplied to the participating third-party merchant is passed on to TWX and will later be used to charge him for the magazines once the free trial ends, without any notice between the trial and paid periods.”

    RESPONSE: “Our customers are incredibly important to us, as millions of them enjoy our services. Terms are disclosed clearly, including verbally if the sales environment is face to face.  Additionally, if consumers for whatever reason are dissatisfied, we work very hard to settle any issues to their complete satisfaction.  We have an A+ rating with the Better Business Bureau for these and other reasons. Please attribute to a Synapse Spokesperson.”

     

    5) LendNet -- LENDNET 101

    BILLGUARD: “Short-term daily loans are a growing field. The lender typically offers a short-term loan for very high interest rates. In this instance, the merchant offers to find you a suitable short-term loan provider. LendNet is in essence a middle-man. In order to find you a good loan provider LendNet requests your financial information. It then uses the supplied information to bill you for a service fee ranging from $30 to $50. You need to have super-human vision and at the very least a law degree in order to find this fee in the fine print of the terms and conditions. In addition to this sneaky fee, some users have also reported that they were subsequently given a loan from a third party without prior consent to the loan terms or conditions resulting in monstrous interest rates.”

    RESPONSE: The website is now down; e-mails sent to it were returned as undeliverable. There’s a host of complaints about the site in other locations online, including this one.   

     

    6) FreeShipping.com -- IC FREESHIPPING.COM

    BILLGUARD: “FreeShipping.com offers to supply you with free shipping from various merchants for a flat monthly fee. The problem is that FreeShipping works with multiple third-party merchant affiliates who unknowingly subscribe you to a membership. During the checkout process with the third-party merchant there is a small button at the bottom of the page, usually opted in by default, and unless you notice it and opt-out, your financial data is passed on to FreeShipping and you are a monthly paying member.”

    RESPONSE: Thomas Caporaso, FreeShipping.com CEO, said BillGuard’s description of the service was “simply untrue.”

    “There is no way that we can collect any billing information from the user without them physically entering it into our member registration form,” he said. “When people register for FreeShipping.com, they must enter all of their information into our signup page, including their credit card number and billing address. The terms of the offer are presented clearly, immediately next to where they would enter their credit card information, explaining that they may cancel at any time within the 30 days with no charges to their card, and that after the 30 days are over, the subscription converts into a paid membership at $12.97 per month. They are also required to check a box agreeing to the terms of service before we are able to process their trial.  Lastly they may cancel at any time after that with no additional billing from us.”

    Many of the complaints generated against FreeShipping.com involve third-party websites sharing consumer information with the service. Caporaso said those consumers are also informed of the cost.

    “Regardless if the member goes directly to Freeshipping.com or through a third-party merchant the enrollment process is the same as outlined,” he said.

    There are many complaints about FreeShipping.com across the web, such as at this page. To support its complaint about Freeshipping, BillGuard also pointed to this lawsuit against the firm, and noted that there are 341 complaints about the company on ComplaintsBoard.com, and 66 complaints on Scambook.com.

     

    7) Cellulean -- CELLULEAN.COM

    BILLGUARD: “A free sample of a miracle diet product! Unfortunately, as some of our users learned, unless you call them and request to opt out within a few days of placing your free trial order you are sent a second package for the pricey sum of $75. The main reason most users do not call to cancel their subscription is that they never knew they were enrolled in one to begin with. Cellulean requests your financial information during the checkout process of the free trial supposedly to cover the shipping costs. What they are actually after is your financial information so they may bill you monthly for their product.”

    RESPONSE: An operator at Cellulean’s customer service center told us to write an e-mail to CEO Patrick Leddy. He sent this response: 

    "Our website and offer meets all legal guidelines set forth by the Federal Trade Commission and the Electronic Retailing Association (ERA). In fact, we place our terms and conditions in full-size readable font right next to the ordering section, instead of hiding them at the bottom of the page (which is the FTC/ERA requirement).  We then go another step further, beyond the requirements, by placing a check box next to the order button, which states: "I am 18 years of age and agree to the Terms and Conditions".  The customer is not allowed to check out of the website unless this box has been checked.  Furthermore, we give the customer two direct purchase options, instead of just the free trial offer, allowing them to choose if they want to enter into the agreement, or simply buy the product with no terms or conditions. When a complaint has been made by a customer, stating they were shocked when they were billed, and never knew they enrolled themselves into such a program, we have to scratch our heads in wonderment.  This is a classic case where the customer attempts to pass blame on to the manufacturer, when in fact they entered themselves into a legal binding agreement - with their full knowledge and consent beforehand.  Customers are not forced to place an order, they do so freely on their own willingness, and should be accountable for their choices."        

     

    8) Redstarworldwear -- SUNGLASSES-EYEWEAR 0

    BILLGUARD: “Redstarworldwear is an online retailer of sunglasses and watches. They send out gift certificates “worth” $500 to unsuspecting consumers informing them that they have won a special prize. Joyful of the prize, the unsuspecting customer then goes to Redstarworldwear website and purchases as much as he can using his newly minted gift card. During the end of the checkout process the customer is informed that there is a separate shipping and handling fee that cannot be deducted from the gift card's value. The customer then enters his financial information in order to pay for (that), which turns out to be a costly 9 percent of the order value. We were interested how valuable these supposed $500 gift certificates actually were so we had a look around eBay, they can be had for under $2!”

    RESPONSE: The firm did not reply to two e-mails, but a section of its website offers an explanation for confusion over the gift cards, and makes clear consumers aren’t getting something for nothing.

    “There is a 9% Service Fee (per item) that pays for all expenses that RedStar incurs to get the product into your hands. This 9% service fee includes: USPS First Class delivery, processing and handling and general overhead which includes; customer service, order processing, warehousing, labor, cost of goods and materials, profit and marketing.”

    There are other complaints online about the firm’s gift cards.

     

    9) Blizzard -- BLIZZARD ENT WOW SUB

    BILLGUARD: “Blizzard, the hugely popular merchant behind the Warcraft series, is not a name that usually comes up in discussions on unfair charges. So we were surprised to learn of several complaints from our customers regarding unwanted charges from them. After investigating the matter we learned that Blizzard enables a phone billing option called PaymentOne PhoneBill. This billing option allows you to pay for Blizzard games and subscriptions by merely entering your phone number information in the account settings tab. Obviously, given the young age and lack of credit card availability to some of its users, this option has a high potential for unwanted and unauthorized purchases by young family members.”

    RESPONSE: Blizzard was unable to provide a response by press time.

     

  • 3
    Apr
    2012
    5:47am, EDT

    Pricey 'stingray' gadget lets cops track cellphones without telco help

    By Bob Sullivan

    Why would the well-heeled suburb of Gilbert, Ariz., spend a quarter of a million dollars on a futuristic spy gadget that sounds more at home in a prime-time drama than a local police department?

    The ACLU caused a stir Monday with its extensive report of cellphone surveillance by local police departments, which routinely request location information and other data from cellphone providers, often under vague legal circumstances.

    But one bit of information provided by Gilbert officials suggests that cops sometimes try to cut out the middle man. Buried in the responses to the 380 public records requests sent by the ACLU is one from Gilbert which indicates that the town paid $244,195 for a device that allows it to track cellphones on its own.


    "The Gilbert Police Department obtained a $150,000 grant from the State Homeland Security Program," the agency wrote to the ACLU in response to a public records request. "These funds, along with $94,195 of R.I.C.O monies, were used to purchase cell phone tracking equipment in June 2008 (total acquisition cost of $244,195)."

     


    Gilbert didn't offer additional details about the device to the ACLU, and Chief of Police Tim Dorn didn't immediately respond to requests for comment.

    But several surveillance experts said the device sounds like a gadget that's sometimes called a stingray.  

    The stingray, made by Harris Wireless Products Group of Melbourne, Fla., lets users set up what amounts to a fake cellphone tower and trick all phones nearby into connecting with it. That data can then be used to track the physical location of anyone nearby carrying a powered-on cellphone -- even if the citizen isn’t on a phone call. A stingray can also register other data, such as the phone numbers dialed by all phones while connected to it. The device reportedly cannot record or intercept the content of a phone call, so it does not act like a wiretap.

    Still, the stingray is at the heart of a hotly contested criminal case involving an identity thief named Daniel David Rigmaiden, who allegedly stole $4 million through a fake tax return scheme. Federal authorities used a stingray to find Rigmaiden in California in May 2008, then sent him to Arizona for trial.

    Perhaps Gilbert was impressed with the result -- it says it acquired its device one month later.

    In September 2011, a federal court in Arizona heard Rigmaiden's request to receive all details about the government's secretive use of the surveillance technology. Federal prosecutors are resisting disclosure because they say it will jeopardize use of the critical law enforcement technology in other cases.

    Rigmaiden's case, as yet undecided, is largely seen as a test of the constitutionality of stingray and related police surveillance technologies. Would use of a stingray constitute a search, and thus require application for a time-consuming search warrant? Or do cellphone users give up their expectation of privacy by turning on a phone and carrying it in their pocket? The issues were discussed extensively in this recent Wall Street Journal story.

    Use of a stingray-like device raises even thornier issues than cellphone records requests, said Catherine Crump, the lawyer who headed the ACLU project.

    "I think when law enforcement starts purchasing technology that allows them to track cellphones in that manner, it raises a whole host of questions about how that technology is being used that are even more serious when they track people through carriers," Crump said. "At least when a carrier is involved, there's a third party that may raise concerns if the request is of questionable legality. But when a law enforcement agency can do surveillance on its own, that raises even more serious questions about whether there is appropriate oversight."

    No other local police department that responded to the ACLU's public records requests mentioned purchase of a stingray-like device -- one other community mentioned borrowing such a gadget -- but Crump said that's because she didn't specifically ask about them.

    "If I had to write the requests over again, I would," she said. "We didn’t realize how big an issue these devices were at the time. We know that there are others purchased by other agencies around the country, mainly from press reports."

    The Miami police department, for example, asked Harris for a price quote in 2008. The firm's response is still on the city of Miami's website. A more extensive price list from Harris can be found at this website. 

    A spokesman for Harris Wireless said the company didn't comment on clients' purchases and referred questions to Gilbert's Police Department.

    The use of fake cellphone towers by law enforcement has caught on outside the U.S., too. Britain's Metropolitan Police, which serves the greater London area and is that nation's largest police force, began deploying similar technology provided by England-based Datong PLC last year, according to The Guardian. The disclosure began a round of debate about civil liberties in Britain.

    Matt Blaze, a computer science professor at the University of Pennsylvania and an expert on stingray-like devices, said they are a mixed bag.

    "Certainly these devices are powerful surveillance tools that, if misused, have the potential to be quite invasive against the privacy of innocent people," he said.  "But, then again, so do many other law enforcement investigative methods -- physical searches, hidden microphones, informants and so on. The question is how they are used, how often they are used and the oversight mechanisms in place to prevent and detect misuse."

    Devices like stingrays are technologically limited in scope, however -- they can only monitor a limited physical area in real time -- so Blaze is less concerned about them than he is about the revolving door of data between private companies and law enforcement.

    "I'm less worried about law enforcement agencies with stingrays and other targeted surveillance gadgets than I am about location and other kinds of tracking through the carriers, especially when done without strong legal oversight or without probable cause," he said. "While I do worry about abuse of these kinds of electronic surveillance devices, the fact that they are inherently rather targeted in what they can collect acts as something of a built-in safeguard. I'm more concerned, in the long run, about large-scale surveillance capabilities being included in our communications infrastructure."

    Still, privacy researcher Chris Soghoian – who has written extensively on law enforcement use of cellphone technology for surveillance – said police use of the stingray device is among the most troubling privacy developments in years. Some phone companies allow police officers to use a website to download customers’ GPS location data easily, “from the comfort of their own desks,” he said, and charge as little as $5 for the information. With phone company record access that easy and inexpensive, there’s no need for stingray, he argued.

    “The real issue is that this device is about allowing police to perform surveillance when the phone company would say no,” said Soghoian, who is a Graduate Fellow at the Center for Applied Cybersecurity Research at Indiana University. “This is not about saving time and money … it’s about the fact that there’s no one to insist that the law be followed when a stingray is used.”

  • 30
    Mar
    2012
    10:56am, EDT

    Global Payments: Under 1.5 million account numbers hacked

    By Bob Sullivan

    UPDATED April 1, 11:35 p.m. ET

    Global Payments Inc. hinted on Sunday night that about 1.5 million consumers were impacted by the massive credit card hack that first came to light on Friday -- fewer than the 10 million that was initially reported.  

    In a statement, the firm said "less than 1,500,000 card numbers may have been exported" by hackers who had access to its payment processing system. "Cardholder names, addresses and social security numbers were not obtained by the criminals." 

    It also said hacker access was limited to the North American portion of its network. 

    Even without names or Social Security numbers, the so-called "track 2" that the firm admits was taken for each account would be enough for criminals to make fraudulent online purchases or perhaps clone credit cards to commit real-world fraud. 

    The data leak was first revealed on Friday, when MasterCard and Visa confirmed that law enforcement officials were investigating a major theft of U.S. consumers' credit card data. The computer security expert who first reported the theft said at the time that it might involve as many as 10 million accounts, making it one of the largest known credit card heists.

    "MasterCard is currently investigating a potential account data compromise event of a U.S.-based entity and, as a result, we have alerted payment card issuers regarding certain MasterCard accounts that are potentially at risk," that association said in a statement. "Law enforcement has been notified of this matter and the incident is currently the subject of an ongoing forensic review by an independent data security organization." 

    In what is said to be an unrelated incident, Visa's network was knocked offline for about 4 minutes on Sunday afternoon. Visa, in a statement, blamed a technical glitch for preventing consumers from making transactions from 2:40 p.m. until about 3:20 ET. 

     

    Payment processors -- "middle men" that handle transactions between retailers and banks -- have long been a target of identity thieves because of the enormous amounts of data they control. In 2008, Princeton, N.J.-based Heartland Systems was hacked, exposing tens of millions of credit card account numbers to theft.

     

    The theft was first reported by well-known computer security journalist Brian Krebs on his blog, KrebsonSecurity.com. He reported that hackers had access to the then-unknown processor's data from Jan. 21 through Feb. 25, and were able to siphon off enough data to easily create counterfeit cards. His sources called the leak "massive."

    Visa, in a statement, also acknowledged the data theft but said its own systems were not hacked.

    “Visa Inc. is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands," the firm said. “Visa has provided payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards."


    Gartner security expert Avivah Litan said she's been told that the stolen data is already being used on the street by identity thieves.

    "I’ve spoken with folks in the card business who are seeing signs of this breach mushroom. Looks like the hackers have started using the stolen card data more recently," she said.

    She's been told that investigators believe the data theft originated in New York City.

    "From what I hear, the breach involves a taxi and parking garage company in the New York City area, so if you’ve paid a NYC cab in the last few months with your credit or debit card — be sure to check your card statements for possible fraud," Litan said in her blog post on the topic.

    MasterCard said none of its computers were hacked as part of the incident.

    "MasterCard is concerned whenever there is any possibility that cardholders could be inconvenienced and we continue to both monitor this event and take steps to safeguard account information," the association added in its statement. "If cardholders have any concerns about their individual accounts, they should contact their issuing financial institution.... It is important to note that MasterCard's own systems have not been compromised in any manner."

Bob Sullivan

I'm a reporter for msnbc.com and I try to write stories that make the world a little bit more fair. My blog, The Red Tape Chronicles, is among the most popular consumer affairs columns on the Web. My recent book, Gotcha Capitalism, was a New York Times best seller. Since 1995, I've written about the troubles created for consumers by both technology, covering topics like privacy, identity theft, computer viruses and hackers.

© 2012 msnbc.com