Steve Rubel

Bob Sullivan

Jeff Fox

As Wall Street renders its opinion of the social media behemoth’s upcoming initial public offering, msnbc.com will host a discussion about Facebook’s key product – your privacy. Can sharing coexist with privacy? How should consumers balance the desire to connect with the need to protect precious details about their personal lives? Should government regulators do more? Are privacy advocates crying wolf? A recent survey suggests most Facebook users don’t trust the company. Do you? What questions do you have?

The Red Tape Chronicles’s Bob Sullivan will moderate a discussion about social media -- including Facebook and other services, like Google Plus -- and privacy issues with:

• Steve Rubel, executive vice president for global strategy and insights at Edelman, the world’s largest independent public relations firm. He’s also a frequent social media commentator.
• Jeff Fox, technology editor at Consumers Union. He was responsible for this month’s Consumer Reports cover story on Facebook and privacy

You can log into the Google+ Hangout on Friday at 4 p.m. ET/1 p.m. PT at http://redtape.msnbc.com/privacy.  Post questions/comments there or via Twitter using hashtag #talkprivacy

Or visit msnbc.com's Google Hangout. 

Ever wonder what it's like to have FBI agents knock on your door? Or to have them walk into your business unannounced and walk away with your computer?  Jamie McClelland and Alfredo Lopez can tell you.

Their recent run-in with the men in black – the result of a spate of email bomb threats to the University of Pittsburgh -- offers a rare glimpse into the collision between free speech rights and the benefits of anonymity on one side with the needs of law enforcement to act quickly in the face of real threats on the other.

Their tale ends with an odd twist: FBI agents, caught on video, returning the server only four days after it was seized from a co-location facility in New York City. At the moment, no one knows why the FBI would take that unusual step. FBI Special Agent Bill Crowley said the agency wouldn't comment on either the seizure or the return of the server.

Federal investigators and local officials in Pittsburgh were scrambling last month as bomb threats targeting the University of Pittsburgh piled up. Within days, 46 such threats were logged, causing massive disruption as students and teachers were continually evacuated from building after building.  Parents and school officials pressured law enforcement to solve the case. For some reason, the FBI thought a server in a small facility in New York City might contain a crucial clue.

McClelland was on a conference call in MayFirst/PeopleLink's Brooklyn office -- which is in the same building where Lopez and his wife live -- on April 11 when he saw two men in suits standing at the door.

"I thought they were Jehovah’s Witnesses, but I joked with people on the call that it was the FBI," he said.  Moments later, it was no joke.

The agents flashed their badges and asked if they could come in; McClelland refused.  They asked if they could step into the vestibule. He refused again.

"I had had some rudimentary training,” he said. “It certainly had occurred to us that we might some day get a visit from the FBI given the nature of what we do. But this wasn't what I expected. I was surprised at how easy it was to say ‘no’ to them...There was no intimidation, none of that. The agent appeared more nervous than me, and I was pretty nervous."

Standing outside, the agents then showed printouts of a few emails with full headers to him, saying they were related to the Pittsburgh bomb threats. At that point, McClelland hadn’t  heard about the threats, so he said he didn't know anything about them. They asked if he knew anything about ECN.org, a server which appeared in the e-mail headers. Again, he said “no,” truthfully.

"I asked if I could have copies of the emails. The agents said “no.” But I then asked if I could get pen and paper and write down details of what we were looking at. They let me do that," McClelland said. "I then asked them if they thought our server was compromised. But they couldn’t tell me anything. So I asked for their business card and told them we would research it."

The agents left, but McClelland’s day had only just begun. What was ECN.org? Why did the agents show up unannounced? And most important, what would happen next? He was sure that wasn't the end of it.

"When you are visited by the FBI, even when it goes relatively easy like it did, your entire life gets put on hold as you deal with all the implications," he said. McClelland called Lopez and other leadership team members, and then called the Electronic Frontier Foundation for legal help.

“There were three hours of calls to run through things and make sure we had everything covered," he said.

Initially, Lopez and McClelland assumed that one of their members had been hacked, and the account used for illegal purposes. Simply patching whatever security hole existed could end the problem. But a visit to ECN.org indicated there was a much more complex issue.

ECN stands for the European Counter Network, an independent Internet service provider in Europe. It shares much the same mission as MayFirst/PeopleLink. On ECN.org, the provider offers anonymous email services through a service called "Mixmaster." Using Mixmaster, email users can achieve nearly undefeatable anonymity -- multiple servers pass messages from one to the other, each time stripping out header information and replacing it with false data, making it nearly impossible for investigators to "trace" the message to the original sender. 

ECN had subcontracted space on RiseUp's New York City server; RiseUp had in turn subcontracted that space from MayFirst/PeopleLink.  It now appeared that the FBI believed someone connected to the Pittsburgh bomb threats had used ECN's anonymous email capabilities, which led to FBI agents knocking on the door at Alfredo Lopez's home office.

"If you had asked me before this happened if one of our members ran an anonymous remailer, I would have said, 'probably,' " said McClelland. "That's exactly the kind of thing we want to support and we want to protect."

When correctly configured, anonymous remailers leave no trace at all. There are no log files to check, no other server "fingerprints." After making sure the server was running properly, McClelland called the FBI agent on the business card and told him all he knew about ECN, which essentially was nothing.

"We told him we suspected there was an anonymous remailer, there's nothing else we can tell you," he said. "We decided that was our best strategy ... to minimize disruption to our members. We didn't want to risk going to the next level of escalation."

The strategy failed.  The next day, MayFirst/People Link received a subpoena demanding that the organization answer a series of questions about its server. With help from the EFF lawyer, they sent the responses on Monday, April 16.

"At that point, we thought everything was OK, that we were done, and ready to move on," he said. 

Then on Wednesday, April 18, at around 6 p.m., things took a turn for the worse.

"I got a call from a tech who said, 'Jamie, the server isn't responding.' So he went to look for it in the rack and found that it was gone," McClelland said.

Later, Lopez and McClelland would learn that the FBI had produced a search warrant when it showed up at the XO Communications Manhattan server farm, where the MayFirst/PeopleLink server was housed, which gave agents the right to take the box. But at the time, they could only guess what happened.

"We filled out a help ticket that said, 'Our server is missing.'  We've never done that before," McClelland said.  "I can't emphasize enough that we received no communication from the FBI. From a human point of view, that is atrocious. But from a legal point of view, they don't have to do any more."

The impact was immediate, and devastating, for both MayFirst/PeopleLink and RiseUp. Hundreds of mailing lists, websites and email accounts were immediately knocked offline.

“The FBI is using a sledgehammer approach, shutting down service to hundreds of users due to the actions of one anonymous person,” Devin Theriot-Orr, a spokesperson for RiseUp, said  in a statement at the time. “This is particularly misguided because there is unlikely to be any information on the server regarding the source of the threatening emails.”

While Lopez was scrambling to find a way to get the organizations back online, a camera with motion detection capabilities was installed at the server facility by an assistant.

"We thought it was a little like shutting the barn door after the horse ran out, but we did it anyway," he said McClelland said.

Generally, when FBI agents seize computers as part of an investigation, they're not returned for months, or even years. But within a week, a worker in the server room noticed that the motion detector camera had been activated on April 23. When he looked at the video, the tale took an even more unusual turn.

The video shows two men in suits -- apparently FBI agents -- placing the server back in its rack.  But the box isn't merely dropped off. The two appear to be plugging it in, and then watching the machine for a few minutes, perhaps looking to see if it is operating correctly.

Why would they do that? The FBI refused to answer a question about that.

But Lopez has a theory. There's only one way to defeat most anonymous email services: to compromise the computer that processes the emails with special software -- a virus -- that could defeat the anonymizing software.

"There was not even a scintilla of expectation that this server would return to our rack. It's the most amazing thing," Lopez said. "It's possible they put device on it or a virus or Trojan of some kind." 

MayFirst/PeopleLink later posted the FBI agent video online. The agency hasn't commented on it.

The server has not been returned to service; the organization is currently auditing the machine to see if it has been tampered with.

"I can tell you that's the burning question in my mind. We are planning on doing a full diagnostic on server to see if we detect anything on server," McClelland said. 

But even if it hasn't been tampered with, Lopez said he's outraged that U.S. federal agents would compromise Internet access for global groups fighting for democratic rights while hunting for evidence that doesn’t exist.

"Look at the atrocity of them going in and taking a computer ... and disrupting all this information, and potentially getting all this information from hundreds of people not even accused of a crime," Lopez said. "This is serious … for people all over the world who depend on this stuff for their day to day work. To have it taken away by some other government, it's really unfair to them in every conceivable way."

The MixMaster service was uninterrupted by the server seizure; anonymous messages were simply routed through other servers.

MayFirst/PeopleLink and RiseUp both told their members that no identities were compromised during the FBI seizure -- all data on the server is encrypted and there's no reason to believe the encryption was compromised. Still, U.S. government action against anonymous Web services could have a dangerous chilling effect, fretted Lopez.

"In some parts of the world, privacy and anonymity are a matter of life or death," he said. "These services are used for important work, and in many countries, they are the only way to communicate without putting yourself in serious danger."

The Electronic Frontier Foundation issued a statement last week accusing the FBI of "overreaching."

"The fact that the FBI's investigation led them to an anonymous remailer should have been the end of the story. It should have been obvious that digging deeper wouldn't lead to helpful information because anonymous remailers don't always leave paper trails," wrote Hanni Fakhoury. "So enough is enough. The government's ability to search a person and their property -- and in this case, shut down speech -- is an extraordinary power that can easily be abused. Law enforcement needs to do its research before resorting to an extremely intrusive search warrant that intrudes on innocent people's privacy, causes significant disruption to harmless activity, and silences speech. And as we've argued before, search warrants for electronic devices shouldn't be limitless."  

Lopez, who has two children in their 30s, said he understands why parents in Pittsburgh were concerned for their children's safety during the repeated bomb scares.  But he warned that repression often begins with "people who mean well."

"These people making the threats, these are jerks, nobody wants to protect them," he said. "But what do you give up when you give up freedom in exchange for the illusory feeling of security?  You can't trample people's rights because when you do, the terrorists have won."

The Pittsburgh bomb threats stopped on April 21. No bombs were found. There have been arrests in connection with the incidents, but authorities are still investigating.

*Follow Bob Sullivan on Facebook.
*Follow Bob Sullivan on Twitter. 

Legislation that would give workers broad protection from the prying eyes of employers was introduced in both houses of the U.S. Congress on Wednesday. Both bills would make it illegal for employers to force workers or candidates to divulge social media passwords, similar to legislation nicknamed SNOPA, which was introduced last month. But the new Password Protection Act, sponsored by Sen. Richard Blumenthal, D-Conn.. goes even further, extending such limitations to smart phones, private email accounts, photo sharing sites and any personal information that resides on computers owned by the workers.

But Blumenthal's proposal -- and its companion in the House, introduced by Rep. Ed Perlmutter, D-Colo. -- is narrower in some ways than the Social Networking Online Protection Act(SNOPA) introduced April 27 by Rep. Eliot Engel, D-N. Y. SNOPA extended similar protections to elementary, high school and college students. Under the Password Protection Act,  students would not be protected.

Still, Calabrese said his organization will work to include students before any proposal reaches a vote in Congress.

"Students are clearly the target of a lot of social media monitoring," he said. "We think students should have the same rights as everyone else. We'd like to see the best of both of these pieces of legislation combined."

Blumenthal, who has been publicly critical of firms that have requested employee Facebook passwords, said legislation is needed to protect workers.

“Employers seeking access to passwords or confidential information on social networks, email accounts or other protected Internet services is an unreasonable and intolerable invasion of privacy,” Blumenthal said in a statement. “With few exceptions, employers do not have the need or the right to demand access to applicants’ private, password-protected information. This legislation, which I am proud to introduce, ensures that employees and job seekers are free from these invasive and intrusive practices.”

Bradley Shear, a Maryland lawyer and activist who has helped draw attention to the issue, said he "applauded" the efforts of legislators who introduced the Password Protection Act, but was also concerned that students not be left behind as the legislation works its way through committee.

"Hopefully all the different interested parties will come together to find a solution that covers everyone," he said. "This is something that won't go away unless it's handled now."

The Facebook password issue has been bubbling up for years — in 2009, a Maryland state employee complained that he was required to provide his Facebook password during a job interview. But the subject has gained much more attention in recent weeks, after several news reports, including an msnbc.com investigation.

*Follow Bob Sullivan on Facebook.
*Follow Bob Sullivan on Twitter. 

Buying a smart phone from a third-party, discount online retailer might seem like a shrewd move, but a $50 discount could cost you $400 later if something goes wrong, in addition to any early termination fees charged by the carrier. That means consumers who buy from big-name third-party retailers like Target or Radio Shack could end up facing up to $750 if they prematurely cancel service. It also means consumers might be hit with a big bill from an unexpected place.

Ohio consumer Chris Eash found this out the hard way when an innocent mistake involving a handset return to a RadioShack retail store led to weeks of pestering by a company named Simplexity, which powers online cellphone sales at some of the nation's largest retailers, including RadioShack.com and Target.com.

Simplexity's proposition might sound simple: Consumers accept a discount in exchange for promising to pay a hefty fine if they cancel or change service within the first 181 days. But a glance online shows many complaints from consumers who are confused when hit by the fee.  

Simplexity does disclose the fee prior to purchase, but it takes some work to find it. On RadioShack's mobile sales Website, for example, the fee is revealed via a link labeled "instant savings terms and terms of purchase," on the final page of the cellphone checkout procedure. Users must click on that link and read through a pop-up window to learn that their credit cards will be charged $400 if the carrier indicates service is changed within 181 days.

But as Eash learned, Simplexity can be very aggressive about getting its bounty from consumers when anything goes wrong. He visited RadioShack.com in March and decided to buy a 4G Motorola phone, then went to his local store to actually make the purchase. When he got home, he realized that the salesman had given him the wrong handset -- the 3G version -- and he went back to the store the next day to return it. At the store, he was told the 4G phone was only available at the Radio Shack Website. He was also told by Verizon that if he returned the 3G phone before buying the 4G phone online, he would lose his phone number.  So within about 48 hours, he ordered the 4G online, ported his number to it, then returned the 3G at the store.

Within days, Simplexity -- the retailer behind RadioShack.com -- contacted Eash and said he owed $400 because he'd changed the number associated with the 4G phone when it was sold. He hadn’t done anything wrong; he only had one phone handset, and he was honoring his contract. But no amount of pleading could deter the collectors, he said. The saga dragged on, with each firm blaming the other.

"I got a notice from Simplexity ... (saying) that since I haven't paid the $400, they are going to charge the debit card I used for my purchase," he said. He canceled his debit card to avoid the charge, but Simplexity then threatened his credit report. "I have spent hours on the phone with both Verizon and Simplexity trying to get them to work it out with no luck. Both say the resolution is up to the other company.  It's come down to ‘Give us $400 or we crap on your credit record.'"

Operators told him that, essentially, if Verizon didn't pay Simplexity its bounty for getting him to sign up as a new customer, he'd have to pay it.

At the end of his rope, he contacted msnbc.com. We contacted Verizon, which escalated his problem with Simplexity. Eash was then contacted by a Simplexity official who apologized and promised to fix the mix-up. The official indicated there was honest confusion because the number associated with the phone purchased from Simplexity had been changed, and that resulted in a “charge-back” from VerizonWireless.

The e-mail also explained that Simplexity must charge a hefty fee when phones are deactivated to avoid consumers simply purchasing their discounted phones and then canceling service and using a different provider.

Eash was satisfied, but the experience left him with serious reservations about using online discount cellphone retailers.

"Without some serious string pulling, I would have never talked to (the final Simplexity official) and would still be fighting with Simplexity,” he said. “I told him he had a company that with the exception of one person ... shows very little regard for their customers. I would strongly urge anyone considering buying a cellphone online to make sure this company is not the one behind the curtain pulling the levers.  They operate many store brand cellphone web sites that have absolutely no connection to the store on the page."

Simplexity did not respond to questions about Eash’s complaint or about its business model, which also involves selling phones directly to consumers through its WireFly.com Website.

Tom Pica, a spokesman for Verizon, said he couldn't comment on an individual consumer's account, but added that the firm has not received many complaints from consumers who purchased their devices from Simplexity.

"We have high standards for our authorized agents and the service they provide to our customers," he said.

Neither Target nor Radio Shack responded to requests for comment by press time.

If you’ve never shopped at a third-party online cell phone retailer, dual fees for prematurely ending a cell phone contract may be new to you. But they are common.  Amazon, for example, offers deep phone discounts but charges $250 if the service is disconnected or canceled before 181 days have passed, in addition to any carrier fees. Letstalk.com, which operates Walmart’s online cellphone sales, also charges $250, describing the charge as an “equipment subsidy recovery fee.” Such fees first caught the attention of the public – and regulators – in 2010, when Google added a hefty early termination fee to initial buyers of its pricey Nexus One phone.  After inquiries from the FCC, the fee was reduced from $350 to $150.

(ShopNBC.com also uses Simplexity to fulfill cell phone orders. Msnbc.com is a joint venture of Microsoft and NBC News)

Still, some consumers are apparently confused by Simplexity’s charges, and have lodged numerous complaints on Websites. Nearly all of them are accompanied by a note from a Simplexity official offering to clear up the matter.

One writer on ComplaintsBoard.com sounded desperate in a post titled, "I want my $600 back."  That consumer said he or she had purchased two Droid phones and returned them, only to be hit with a $600 charge. A writer named "WireflyKSCorpHQ" wrote back and offered to help and later posted a note saying the matter was resolved.  Another writer added, " I just received a text message (Alert) stating a withdrawal of 600.00 from Simplexity. I don't even know who they are or how they have my account number! Were you able to solve this issue? Is there any way I can receive my money back?" WireflyKSCorpHQ again offered to help.

Simplexity acknowledges questions about its discounts at a page on the Wirefly Website titled "How can Wirefly offer such great deals" Is it a scam? What's the catch?"

On the page, Simplexity explains that it passes commissions it receives from cellphone network operators on to consumers and why it must recover the commissions if consumers cancel service. It also brags about the price clarity it offers consumers.

"Cellphone rebates can be confusing and most people don’t like them. That’s why Wirefly has not offered rebates on any products since 2007," the page says.

The page doesn't to mention that in 2006, Wirefly.com, under previous ownership while named InPhonic Inc., was sued by the Washington, D.C., attorney general's office after more than 2,000 complaints about unpaid  rebates were received by the local Better Business Bureau office. The complaints were also the focus of an msnbc.com story. At the time, the firm was accused of creating near-impossible rebate terms, such as requiring consumers to file for rebates 180 days after service started, but no later than 210 days.

InPhonic, which at the time claimed to be the largest independent online cell phone retailer, settled that case in late 2006, agreeing to pay the rebates. The following year, the firm filed for bankruptcy. WireFly.com and other assets of the company were purchased by the Philadelphia-based private equity firm Versa Capital Management, which created a new firm named Simplexity. A spokesperson at the time told the Washington Post that the new company would not engage in any rebate programs in a story titled, "Rebates for customers of InPhonic in peril, again." Also at that time, InPhonic CEO David Steinberg said he would step aside.

But several members of the current Simplexity "Leadership Team" also worked at InPhonic, according to the Simplexity website. On that page, InPhonic is described only as "a publicly traded Internet retailer."

Simplexity maintains an A rating at the Better Business Bureau, though that agency's site says there have been 662 complaints filed against the firm in the past three years -- all of them "closed." That generally means the firm has responded, though it does not guarantee that consumers are satisfied with that response.

The only direct connection between Simplexity's current business model and InPhonic's troubled rebate model is the magic 180-day mark at which authorized resellers get to keep their bounty from mobile providers for signing up new customers.  What Simplexity is doing now is in some ways the reverse of a rebate program – rather than making consumers wait 180 days to receive a $100 or $200 check, the firm is crediting the consumer immediately and grabbing back that money in the event that the deal goes sour before 180 days. As long as consumers understand the risk they are taking by accepting Simplexity/Wirefly's discount, bargains can be had. Things do happen, however, and it’s worth considering if $50 today is worth a possible $400 bill tomorrow.

Eash was so scarred by his experience, and the hidden traps he landed in, that he says he would never do it again.

"My advice: Buy directly from the service provider and NEVER from a third party. In the long run it may be a LOT less expensive," he said.

 *Follow Bob Sullivan on Facebook.
*Follow Bob Sullivan on Twitter.

A New York Congressman has introduced federal legislation nicknamed "SNOPA" that would make it illegal for employers and educational institutions to require a potential or current employee, or a potential or current student, to divulge personal online information as part of the hiring, enrollment or discipline process.

The bill, with a full name of the Social Networking Online Protection Act, was introduced Friday by Rep. Eliot Engel (D-N.Y.). 

"As you know, social media and networking has become such a widespread part of communications in our country, and around the globe. However, a person’s digital footprint is largely unprotected," Engel said in a letter to Congressional colleagues asking that they support the proposal, which was obtained by msnbc.com from Engel's office.

"There have been countless examples of employers requiring an applicant to divulge their user name and password as part of the hiring process. Additionally, some universities, and even secondary schools, have required the student either divulge their personal information, or grant the institution access to the personal account by ‘friending’ the student."

The legislation would ban employers from requiring that employees or job candidates share social networking passwords or "other means of accessing a private account"; it would also ban post-secondary schools from disciplining students for failing to provide such access, or from discriminating against applicants who refuse to provide such access. Local educational agencies would also be banned from requiring login credentials.

"These coercive practices are unacceptable, and should be halted," Engel said in the letter. "We have to draw a line between what is publicly available information, and what is personal, private content. I think we would all object to having to turn over usernames and passwords for email accounts, or even worse, to bank accounts. User-generated social media content should be no different."

The Facebook password issue has been bubbling up for years — in 2009, a Maryland state employee complained that he was required to provide his Facebook password during a job interview. But the subject has gained much more attention in recent weeks, after several news reports, including an msnbc.com investigation.

This is not Congress' first attempt to crack down on the practice. In March, the House of Representatives shot down an amendment to a pre-existing FCC reform bill that would have given that agency the right to regulate on the issue. But Engel's legislation is the first federal legislation that would hit the issue head on.

Bradley Shear, a private lawyer in Maryland who has been the public face of efforts to stop the practice, said Engel's legislation was "an excellent bill" that would protect both employers and employees, along with both schools and students.

"It gives employers and schools a shield against legal liability, so no one can claim that they should have been monitoring social media...and I think because it protects both sides, it has a better chance at success than previous efforts," said Shear, who worked with Engel to craft the bill. "It's a really well thought out solution to this very young, challenging problem and I hope it gets bipartisan support."

*Follow Bob Sullivan on Facebook.
*Follow Bob Sullivan on Twitter.

A California lawmaker wants cellphone firms to report how often they release consumer location information to law enforcement officials, but the industry says it will fight the measure, according to a letter posted by the American Civil Liberties Union.

The California legislative proposal, which would form cellphone companies to make detailed reports available on the Internet, could have national implications, as it could be imitated by statehouses around the country. And any system implemented to accommodate that state's law could apply to many of the nation's consumers, any time they interact with California consumers.

The issue of local cops' getting detailed information from cellphone providers has garnered greater national attention this month, after the ACLU released the results of an extensive study.  More than 200 local police agencies shared details about their data-gathering habits in response to a series of Freedom of Information Act requests. In a special report, msnbc.com examined thousands of data request invoices received by the ACLU.

State Sen. Mark Leno, a Democrat, introduced legislation this year that would require mobile companies to publicly disclose the number of law enforcement location-related requests they receive annually. It would also prohibit disclosure of such information without a warrant — policies around the country vary.

The wireless industry trade group CTIA sent a letter to Leno on April 18 saying it opposes the legislation.

"The provider reporting requirements create unduly burdensome and costly mandates on providers and their employees and are unnecessary," said the letter, which was signed by Jamie Hastings, CTIA's vice president for External & State Affairs. "It is ... unclear what useful purpose such reports would serve. As wireless providers are constantly working to respond to ever-changing consumer demands, it is doubtful that diverting provider resources away from meeting these demands to comply with these reporting mandates would best serve wireless consumers."

The telecommunications group also said the warrant requirement may "create confusion" and "hamper (wireless firms') response to legitimate law enforcement investigations."

The ACLU, which says it wants to create wider public discussion on the issues surrounding cellphone location information, posted the CTIA letter on its website Monday. It criticized the trade group for opposing the legislation.

"Wireless companies should be doing everything in their power to protect the privacy of customer location information and making sure it cannot be misused, not opposing a crucial privacy bill that would ensure proper oversight for police access to the sensitive location data that these companies collect about us," Nicole Ozer, an ACLU policy director in California, wrote in a blog post on Monday.

She took issue with the industry's assertion that a reporting requirement would be burdensome, saying cellphone firms must already keep track of that data. She noted that the CTIA letter said telecom employees are "working day and night to assist law enforcement," and she said that was misguided.

"Our location data — where we go and what we do — is sensitive information. Wireless companies should be working day and night for us — their customers — not for law enforcement," she wrote.

In a follow-up statement to msnbc.com, the wireless industry association said its objection was chiefly with the additional reporting burden the law would place on cell phone firms, and not on the privacy rights issues. 

"There is a lot of misinformation on our position on California's mobile privacy bill," the trade group said in a statement, signed by Hastings. "While we are opposed to SB 1434, our opposition is focused on its provision that places reporting burdens on carriers rather than on the prosecutors who make these requests. ... Our opposition to (the legislation) in no way should be considered as a degradation of the wireless industry’s commitment to its customers' privacy."

Hastings also said that wireless carriers shouldn't have to be in the business of vetting the legality of cellphone records requests.

"It is up to the legislature and the courts to strike the appropriate balance between a citizen's privacy and law enforcement's legitimate need for information," Hastings' statement said. "While I want to be absolutely clear that our members are 100 percent committed to protecting our customers and their privacy, CTIA does not believe that wireless carriers should be expected to seek court review of the legality of the subpoenas and court orders they receive seeking location information."

Law enforcement use of wiretaps, location information and so called "pen trap and trace" data, which shows whom a caller is talking with, has increasingly become a controversial issue for privacy advocates. The ACLU report released April 2 offered the first glimpse of how often such data is used by local cops. Federal agencies are supposed to report annually how often they use such investigative techniques, but repeatedly, the Justice Department has failed to provide such reports to Congress, which was reported by Wired.com earlier this year.

There is precedent for disclosure of such data. Google voluntarily provides information about law enforcement requests on its "Transparency Report" website.

Stronger state laws are needed to provide a check and balance on police use of revealing mobile phone information, and annual reports would call attention to any sudden increase in use of the data.

"It’s time to update California privacy law so it matches our modern mobile world and keeps our personal information safe from misuse," Ozer wrote.

*Follow Bob Sullivan on Facebook.
*Follow Bob Sullivan on Twitter.

Ruthless ID thieves are robbing identities even from the grave, a new study has found.

Nearly 2.5 million dead people are victims of identity theft every year, according to a data analysis by fraud prevention firm ID Analytics being made public Monday.

The study offers the first hard data about a little-understood aspect of ID theft that can cause unnecessary pain and suffering to family members already dealing with loss.

ID Analytics works with dozens of credit-granting companies, such as banks and cellphone providers, to find common patterns among fraudsters as they fill out credit applications. The firm has unique insight intro fraud trends, as it screens more than 1 billion such applications annually. For this study, it considered 100 million applications filed during the first three months of 2011 and compared Social Security numbers and other information in those applications against the Social Security Administration's Death Master File, which tracks the identities of people after they die.

Stephen Coggeshall, chief technology officer at ID Analytics, recently crunched those numbers to look for evidence that criminals were exploiting SSNs attached to the deceased. The results showed a wide-scale problem, much larger than previously believed.

Roughly 800,000 deceased Americans are deliberately targeted by criminals each year, the study claims.

In those cases, an imposter armed with a deceased person's SSN, name and birthday tries to fully assume the dead person's identity. ID Analytics has no information about whether or not the attempts were successful, Coggeshall said — only that the personal information was used on an application during a fraud attempt.

Meanwhile, SSNs attached to 1.6 million more dead adults find their way onto thieves' fraudulent applications through random selection, he said. Many criminals simply guess at SSNs when filling out fraud applications and accidentally use one that's already been issued to someone who's now dead. ID Analytics calls them "identity manipulators" who make arbitrary variations on their own personal information to avoid fraud detection tools and randomly pick an SSN associated with a deceased person.

"This study brings to light a significant problem, as we see fraudsters intentionally using identities of the deceased at the rate of more than 2,000 per day," Coggeshall said.

Imposters who exploit the dead are after the same things that all ID thieves crave: theft of cellphone service or the ability to open up new credit cards or take out loans, Coggeshall said.

There are obvious advantages for criminals when using a dead person's personal information. If the fraud is initially successful, because the normal channel for discovery — a consumer who notices unauthorized charges or accounts on his or her credit history — doesn't exist. Family members or others disposing of an estate can discover the fraud through the arrival of unexpected bills, but the usual hurdles for recovering from such fraud are even higher when a third party must call and ask for corrections.

Fighting ID theft of the dead should be easier than most other forms of identity fraud. The Social Security Administration frequently updates the Death Master File, which now contains about 40 million SSNs. Firms that issue credit should routinely check their applications against this simple list; several inexpensive products offer this service, and the file is available in several forms online (there's even an app). But clearly, that kind of screening isn't happening, Coggeshall said. Otherwise, criminals wouldn't be trying to exploit the dead so frequently.

Ironically, if companies don't check SSNs against the Death Master File, it becomes a great source for criminals to obtain identities and SSNs to be exploited.

"We have no sense of where criminals are getting the numbers, but a certain portion of them probably are coming from public sources, like the Death Master File," Coggeshall said.

The study also hinted that seriously ill people are being targeted by criminals. There were 2 million cases of SSNs' being used in credit applications, with the SSN holder dying within the next two months.

"Certainly a good deal of this is not suspicious, but some fraction of these applications may be the misuse of the identities of the dying," Coggeshall said.

RED TAPE WRESTLING TIPS
Family members already dealing with a tragedy have plenty to worry about, but identity theft of the dead is a reality they must consider, he said.

"While this is clearly a problem for businesses, surviving family members can also be the victims of this identity fraud as they are left to manage the estates of their deceased loved ones," Coggeshall said. "It's important for people to monitor their deceased family members' identities for at least one year."

It's possible for a third party, such as a spouse, to get a credit report for a deceased person, but it's not trivial. The bureaus will want a death certificate as proof the individual has died, and they'll want some evidence that the requester has a right to see the information — such as a marriage license or an order showing he or she is an executor of the estate. That person can request that a "deceased — do not issue credit" notation be placed on the report, but certain hiccups can occur. If a credit account, such as a loan, is in both spouses' names, a "deceased" flag can occasionally cause confusion.

There's a good discussion of this issue on Experian's website.

More details on how to freeze a loved one's credit report are available at this BankRate.com story.

*Follow Bob Sullivan on Facebook.
*Follow Bob Sullivan on Twitter.

The war on drugs has gone digital; but is it also a war on cellphone users?

That’s just one of the questions raised by an msnbc.com investigation into use of cellphone tracking data by local police departments across the nation. Msnbc.com built a database of thousands of invoices issued by cellphone network providers to cities after cops asked for caller location and other personal information between 2009-2011. The invoices were first obtained by the American Civil Liberties Union and released to the public earlier this month.

The database offers perhaps the first blow-by-blow accounting of several cities’ use of cellphone tracking as a crime-fighting tool and the potential blow to civil liberties that the requests represent.

While 200 cities responded to the ACLU, three cities -- Tacoma, Wash., Oklahoma City, and Raleigh N.C. – provided enough detail to paint a picture of how cellphone tracking data is being used in mid-sized police departments around the nation. Categorizing the thousands of pages of invoices supplied by the three municipalities provided some insight into why cops use cellphone locations and call records to investigate crimes and how much the carriers earn responding to these requests.

The tension between the war on drugs and privacy is most readily apparent in Tacoma, Wash., where the most frequent reason that police requested cellphone data over a two-year period was to investigate drug dealing, the analysis indicates.

In Tacoma, while many of the 139 requests for cellphone data from Jan. 1, 2009 through June 30, 2011 involved serious crimes –  including 37 murder investigations –  the most frequent charge listed as the reason for the request is “UDCS,”  or unlawful distribution of a controlled substance.  No additional details about those 51 requests, or the crimes behind them, were available. Police officials from Tacoma did not respond to requests for comment.

The bills run up by local detectives requesting cellphone data aren’t small. Tacoma spent $17,496 checking cellphone records during that time span or nearly $1 for every 10 residents. Police in Oklahoma City spent $9,033 on cellphone records checks during one three-month stretch last year, according to the data compiled by msnbc.com.  In Raleigh, officials made an average of one location “ping” request from just one carrier -- Sprint -- every three days during the second half of 2011. 

“Location data for cops is like a kid in a candy store,” said Mark Rasch, former head of the Justice Department’s Computer Crime Unit.  “It’s a wonderful investigative tool which is highly intrusive of personal liberty and our rules on privacy, and rules governing access to this are not only antiquated but confusing and conflicting.  Add to that a profit motive by carriers, and lack of sufficient oversight on law enforcement access to the records, and you have a prescription for, at a minimum, violations of civil liberties.” Rasch is now a consultant with Virginia-based cyber security firm CSC.

The ACLU notes that much of the cellphone location data is obtained without a warrant, meaning no probable cause hearing before a judge is required.  Many cops counter that subpoenas are always issued – and sometimes refer to these as court orders -- but Rasch said that’s a misnomer. They are often little more than a request form.

“Cops can have a pile of blank subpoenas in their desk drawer,” he said. Carriers normally consent to subpoena requests, but legally they don’t have to. If they refuse, a law enforcement agency is then required get a judge’s order to enforce the subpoena, a step that’s rarely taken, he said.

Tacoma officials deserve credit: Of the 200 cities that responded to the ACLU’s Freedom of Information Act requests, Tacoma’s documents provided the most detail and included an easy-to-read summary page. Research on other cities was far more laborious, and required sampling, which is why this report is limited to three months of Oklahoma City’s invoices from April to June of 2011, and six months of Raleigh’s invoices from July 1-Dec. 31, 2010.  For consistency, the date used for all records indicates the date the invoice was filed, not the date of the crime or the date that police requested the data.

The study involves only local cops; federal authorities file their own cellphone location requests and wiretaps, which were not considered in this report.

It’s important to note that many invoices did not include an amount. In Tacoma, about half the amount entries for the 139 requests were left blank. It’s unclear if that means the request was filled for free or if the data entry was incomplete. That means the dollar totals published here could be far lower than the actual amount paid by the city.

If Tacoma’s experience is typical  – which isn’t clear – cellphone companies are earning millions of dollars fulfilling local law enforcement’s cellphone records requests. If Tacoma’s rate of nearly $1 per 10 citizens were extrapolated nationwide, cellphone companies would have billed local cops roughly $30 million from mid-2009 to mid-2011.

There are about 25,000 municipalities in the United States. Most have their own police force, and that total wouldn’t include county and state law enforcement agencies. If each one averaged $1,000 in requests – far less than Tacoma’s $17,496 –  that would total $25 million. Cellphone companies, as we’ll see below, have real expenses associated with data lookups, and they often fulfill life-or-death requests for free. Still, with $2,500 invoices being sent to towns across the country, it’s clear there is real money being made.

“I think that this data confirms that cellphone trapping is a routine law enforcement practice, not only for serious crimes but for more routine crimes ,” said Catherine Crump, the ACLU lawyer who ran its investigation. “It is integrated into the law enforcement’s everyday arsenal, and that makes understanding what data law enforcement uses, and making sure that this complies with the Constitution, all the more important. … This is first look we have to see how pervasive  this practice is.”

Raleigh, Oklahoma City details
Raleigh and Oklahoma City offered less complete data, but enough information to provide a glimpse of the kind of requests being made.

In Raleigh, we narrowed the study to one carrier – Sprint – for the last six months of 2010. Here’s what we found: Police made 59 requests, or about one every three days, and spent $2,300 over the six-month period, according to the data. Activity was most intense in the summer, with 17 requests in July costing $660. The vast majority of these requests were simple location “pings,” that cost $30 each, but there were some requests for voice mail and “picture mail” retrieval, which also cost $30.  The Raleigh invoices included scant detail, with only one bill including a hand-written note that said, “att. Murder.” 

“Other than noting that our investigative procedures comply with all applicable statutes, I don’t believe there’s anything I can add,” said Jim Sughrue, a spokesman for the Raleigh Police Department.

Oklahoma City police took the opposite approach, spending a lot on only a few requests. From April to June, 2011, the city received $9,033 in bills for data requests that went far beyond Raleigh’s location pings. One bill Oklahoma City received from Cox Communication totaled $2,500 for 60 days of “pen register/trap and trace” activity, which would ordinarily indicate police learned call details (but not call content) for every call placed to or from a target phone. That invoice, by the way, indicates a full wiretap costs $3,500 from Cox.

During this three-month span, the city made nine other requests for 24 days or longer of pen register/trap and trace data, including four additional requests for 60 days of data. Verizon billed the city $2,446 for five separate invoices dated May 13.

Capt. Dexter Nelson, spokesperson for Oklahoma City, said his department had gone to court and obtained permission for every cellphone records request invoice viewed by msnbc.com.

“In each of the cases in that document those were criminal investigation in which someone went before either a state or a federal judge to explain that case and the need to obtain that information … (and) to provide probable cause or reasonable suspicion,” he said.

The invoices indicate they are for subpoena compliance, but Nelson said carriers require a judge’s order to perform the more invasive pen register/trap and trace operation.

Nelson said he did not know if the invoices related to a single police investigation, or multiple investigations.

“Typically those are narcotics  cases, or it could be robbery, or it could be homicide. It could be any number of different types of investigations,” he said.

One back-and-forth e-mail discussion found within the city’s invoices between T-Mobile and police officials over pricing for the records requests offers insight into the kind of negotiations that occur between cops and carriers over data cost.

“The fees set are $100 per day for this tracking tool, capped at 10 days charge, or $1,000 per month. This is substantially less that our competition charges for their ‘per-ping’ GPS-base system, and again, there is no charge for non-criminaI/E-911 emergency support,” Michael McAdoo, T-Mobile’s director of law enforcement relations, wrote to city officials on June 6, 2008.

When city officials complained that some emergency requests – such as a life-or-death request to find a lost hiker or a missing child – and other communications should be free, then city Communications Technology Manager Lucien Jones made his case with sarcasm in a June 8, 2009, email.

“Let me see if I understand this: If a guy has an argument with his wife, pushes her down and runs off with her cellphone, we can track that phone free,” he wrote. “But if an armed robber kills his victim and takes their cellphone, and continues to commit a string a robberies, then the attempt by dispatchers and patrol officers to correlate 911 data of the next robbery with cellphone location data constitutes an "investigation," and we gotta pay $100 bucks a day .... Oh, but if the killer develops shame and depression and threatens suicide, then it’s free.”

McAdoo of T-Mobile offered this retort on June 10.

“In the first scenario with the guy who pushes his wife and takes her cellphone, we would only assist in tracking this person if served with a valid … ‘reasonable and articulate facts’-type court order to do so,” he wrote. “We would have no "reasonable belief of a threat to life or serious bodily injury" to allow us to legally locate this person as an emergency exception. In your court order, the judge would likely order reasonable compensation and our charge would be $100/day.  In the second scenario, we would immediately respond without an order as we would have a belief that, if left unchecked, this series of crimes might escalate into another killing, and yes we would charge $100/day for that response. In the third scenario--or in any suicide-prevention call from a  PSAP -- we would (and do many times each night) attempt to locate the person immediately and do so free of charge. And in any other lost hiker/missing motorist/missing juvenile/wandering Alzheimer's/Iost medivac helicopter/capsized boater/stranded mountain climber/etc. event, we would immediately assist at no charge (and do so probably hundreds of times each week), unlike some other national carriers which charge $100 per ‘ping.’”

Request by carrier, other data from Tacoma
The clearest picture of what goes on in medium-sized U.S. cities comes from Tacoma, however.

While there are a couple of big-ticket requests, many are for around $30. For example, in 2010, 10 of the 38 requests were for quick-hit, single $30 location "pings."

AT&T fulfilled the most requests – 45 – while Sprint and T-Mobile each filled 36, and Verizon 15.  There were also single requests filled by Facebook and MySpace.

After drug crimes and murders, there were 16 assault-related requests, seven robbery-related requests, five rape-related requests, four involving an endangered child and two related to finding a material witness.

There was also one invoice filed regarding a crime labeled “theft of a city laptop.” No additional information was available.  

Other information in the Tacoma data:

There is $850 bill from AT&T for a robbery/rape investigation in late 2009.  That's $100 for "location activation" and 30 days of daily tracking at $25 each. Just like consumers, law enforcement agencies get hit with setup fees.

The biggest single bill in Tacoma is for $1,300: 13 days of “E911 locator” at a flat $100 per day in mid-2010. The listed crime is UDCS, or "unauthorized distribution of a controlled substance."

Rasch said he wasn’t surprised by the volume of requests. If anything, he thought the numbers were low.

“I can’t imagine any case where location data wouldn't be important. The temptation to use and overuse this data is very strong,” he said.

He also said he’s not opposed to its use.

“It's not that (I) don't want them to have the data. In some cases, we want them to have it faster,” he said. “But we want it to be accountable. We want legal standards, procedural standards, and we want more openness about what they are doing.”

Both Rasch and Crump, the ACLU attorney, expressed  mixed feelings about the carriers’ earnings from law enforcement request, which are clearly substantial but might not be profitable. Both said they wouldn’t want carriers to charge any less, because the fees act as a natural barrier to abusive data gathering.

“The amounts give a good sense of how massive (the carriers’) facilities are for processing and handing over this customer data,” Crump said. “But it is good that carriers charge. If this were free, there would be a lot more of it.”

Rasch pointed out that U.S. officials and citizens haven’t yet settled on the debate about whether location data is private or public information, further confounding the constitutional issues raised by police cellphone tracing requests.

“FourSquare is doing this 50,000 times a day,” he said. “This data just involves cellphone carriers – there are dozens, if not hundreds, of other people know where you are – EZ Pass, Google, and so on. There are plenty of other ways for authorities to find you.”

He favors a system that would require cellphone carriers to inform customers – even after the fact – that law enforcement has obtained their location or cellphone call data.  And while he’s in favor of its use for investigating serious crimes, he said routine use of cellphone data to enforce the law could lead down a slippery path.

“Once you say that criminals have no rights, where do you stop?” he said. “For example: You claim your car as a deduction on your federal taxes. Would it be OK for the IRS to subpoena cellphone records to see if you are correctly logging your miles?”

*Follow Bob Sullivan on Facebook     
*Follow Bob Sullivan on Twitter.

Bob Sullivan / msnbc.com

Giselle Sedano looks over flood-related paperwork at a coffee shop near her midtown Manhattan office.

Giselle and Zenayda Sedano of Cranford, N.J., never had a chance of keeping the rampaging waters of the Rahway River out of their home when Hurricane Irene roared through northern New Jersey in August. Now they are wondering if they ever had a chance to get any of the $21 million that the Federal Emergency Management Agency sent to help New Jersey’s flood victims.

We first met the Sedano sisters a day after the hurricane hit on Aug. 28, causing the Rahway River to breach containment and wreak havoc in their suburb of Cranford, where about one in five homes were damaged. They were picking through all of their worldly belongings and looking for something, anything, that wasn’t completely waterlogged. 

Now, more than eight months later, they are wondering why they didn’t receive any federal disaster aid to flood-proof their home, which is only about 100 feet from the river, while some of their neighbors who live farther from the water are getting nearly $200,000. Other Cranford residents are asking similar questions.

“There are homes in plain sight of mine that were selected which I will have to witness get elevated. But I'm right next to the river. I just don't understand," Giselle Sedano said. "It’s so hard waking up every day not knowing what’s going on."

The controversy highlights the challenges that FEMA and local officials face as they try to plan ahead and minimize future flood disasters.

Msnbc.com profiled the Sedano sisters in August when writing about the towns hit hardest by Irene. Giselle is a hedge-fund analyst and Cornell graduate; Zenayda works in the pharmaceutical business and is a Rutgers graduate. The two successful 20-somethings pooled their resources to buy a home in 2009, soon after they graduated from college, so they could move with their parents to Cranford.

Their parents came from Peru in the 1980s with nothing other than the clothes in their suitcase. Irene left the entire family in a similar fate; mom, dad, and the two sisters had little left outside the clothes they took when fleeing to a nearby hotel right before the Irene hit.

Nearly six months to the day after the storm, New Jersey Gov. Chris Christie announced that FEMA had awarded the state $21.6 million through its Hazard Mitigation Grant program. The money was promised to seven municipalities hit hard by the storm; Cranford received $3.1 million for "the elevation of select dwellings."  At around the same time, some Cranford residents began receiving phone calls saying they'd been selected for elevation grants. Others, including the Sedanos, heard nothing.

Like dozens of other Cranford residents, the Sedanos had responded to a notice last fall from the township indicating they'd like to participate in the elevation grant program. It's not cheap; even with the grant money, residents have to pay 25 percent of the cost.

Neighbor Kristen Wolansky also requested elevation aid, but she said the township never even acknowledged receipt of the request.

"There was no confirmation that your name was received. The information was just submitted into a void," she said.

The list of lucky homeowners isn't public -- "winners" were notified only by phone call, said Wolansky. But she and another frustrated Cranford resident, Steve Gorski, have pieced together a map based on conversations with neighbors. While unofficial, it shows several homes around the Sedanos' house receiving aid.

It makes sense for FEMA to flood-proof homes that are subject to repeated disasters. Like most flood victims, the Sedanos paid to participate in the National Flood Insurance program – in their case, the premiums were $2,015 annually. Elevating homes -- or purchasing them outright and making them into parkland -- is cheaper in the long run than continuing to pay pricey settlements every 10 or 20 years.

But there's not nearly enough money to buy out or elevate every home in danger -- only about 1 in 10 homes statewide in risky areas will receive funds from the $21 million FEMA grant, New Jersey state officials say. That means there's always a lot of disappointment when flood relief grants are doled out.

But the process for picking winners and losers raises questions. Ultimately, local officials decide which residents get the aid. There are complex considerations, such as preserving the character of neighborhoods, which are best left to local officials. But that also leaves them open to criticism and accusations of political patronage.

Compounding the problem are privacy requirements surrounding the process. Because participation is optional, and residents can decline the aid, the list of selected homeowners remains a secret until contracts are signed to begin work. That also means families like the Sedanos have no real avenue for appeal.

Bob Sullivan / msnbc.com

Giselle and Zenayda Sedano in August 2011.

FEMA’s Hazard Mitigation Program has benefitted communities around the country. The state of Vermont received post-Irene buyout and elevation grants of $19.8 million, for example.  But the program also has a spotty history. More than $1 billion was set aside for land acquisitions and home elevations after Hurricane Katrina in Louisiana, but arguments over how to implement the program delayed the awarding of any grants for two years – and by 2008 – three years after the monster storm -- only 14 grants were paid out. Claims of contractor fraud also complicated that awards process.

By that measure, the post-Irene grant process is moving swiftly in New Jersey. Still, the Cranford secret has been kept for a while -- the homes picked by Cranford officials had to be included in the town's initial application for aid, which was filed sometime in the fall, according to state officials.

FEMA directed questions about the New Jersey grant process to state officials; the governor's office directed questions to the state’s Office of Emergency Management.

Mary Goepfert, spokeswoman for that agency, explained the process to msnbc.com.

"The homeowners have to stay private because if they don't participate, and their name is on a list … their home would be severely devalued," she said.

Goepfert said local officials must show that the choice of winners is "financially advantageous" -- that is, a buyout or elevation project must be cheaper than expected future insurance payouts. But otherwise, home selection is entirely up to municipalities, she said.

"For instance, it might make more sense to buy out three, four, five or six houses in the same neighborhood than it would to buy a house here and a house there,” she said.

But what if a resident who wasn't selected feels the process was unfair?

"That's a question for the municipality," she said.

Cranford Mayor David Robinson said he understands why some residents might be frustrated, but said the municipality initially tried to get enough money to elevate about 50 homes and was told by federal and state authorities to tone down its application.  Right now, 18 homes are slated to get elevation aid, and another five are selected as alternates in case others back out.

"We're going to go neighborhood by neighborhood and try to get all of them elevated," he said. "It's just a matter of which homes get first priority. That's what we really focused on." The town plans to apply for additional elevation grants in the future, he said.

This time, municipal officials looked at prior loss history, past flood claims and other data when picking the homes, he said, admitting that some of that data is incomplete.

"We've also found instances where people may have had private flood insurance, and we discover that's a blind spot not included in (our) loss data," he said. "We're working hard to fix that. ... (This time) we focused on homes closest to the river and going neighborhood by neighborhood with the loss data that we had." 

While the 18 "winning" homeowners and 5 alternates have been informed, he said there is no process to tell disappointed homeowners that they weren't picked, or why.

And how should a homeowner like Sedano feel if they feel left out, while neighbors benefit?

"If it's a next-door neighbor, maybe the explanation was that their loss data didn't fit into the cost-benefit analysis that was being worked on at that point," he said. 

The "losers" must simply trust that the selection was fair. The data -- and the reason for the selections -- remains private.

There is one public curiosity about Cranford's aid grant. The other six cities that were promised post-Irene grants all elected property buyouts; Cranford was the only municipality to pick home elevation.  That can be far less disruptive for homeowners, of course, because they don’t have to move. Elevation benefits the town's tax coffers, too, Goepfert said.

"With a buyout, those properties are written off from the tax ratable base," she said.  "But why Cranford chose elevation, you'd have to ask them."

Bob Sullivan / msnbc.com

The Sedano sisters pick through the belongs outside their flooded Cranford home in August 2011.

Mayor Robinson said no one in the town expressed interest in a buyout.

All this mystery might be over soon. Goepfert said post-Irene aid was fast-tracked, and she hoped contracts for construction and buyouts would be signed within a month. Then, the list of winners and losers will be made public, she said.

For now, the Sedanos are slowing putting their lives, and their home, back in order. Most of the basic reconstruction of their home has been completed, and the family has moved back in, albeit with sparse furniture. They celebrated Easter Sunday at home this past weekend, their first meal in their rebuilt dining room since the flood.

"There were a few tears during dinner," Giselle said.

But the view of the river out their window, which once brought a sense of tranquility, now only brings trepidation. And until the list of to-be-elevated homes is published, the Sedanos are forced to wait and wonder why they weren't chosen.

"We find it totally unfair. Our home is directly in front of the river," Zedayna said.  

Here’s a handy list of credit card charges that consumers have complained about during the first part of 2012. Do any of them appear on your credit card? Read on to find out why you should probably pull out your statements and check them.

There’s a steady stream of new and clever ways for frustrated consumers to find each other online, make collective noise and get satisfaction. Among the more intriguing is BillGuard.com, which does for your credit card bill what a spam filter does for your email. 

Members sign up and let BillGuard scan their credit card statements for potentially fraudulent charges, billing errors or hidden, unexpected fees. The firm then asks consumers if they wish to tag the charge as suspicious. As soon as enough consumers say there’s a problem with a charge, all BillGuard members are warned and a suspicious-report web page is generated.     

Founder Yaron Samid, a startup vet who was part of the team behind Register.com, said he got the idea for BillGuard after he nearly was taken in by an automated fee that appeared on his credit card bill.

“Two years ago, I found out I was paying $10 a month for a post-transaction coupon scam after my wife bought concert tickets,” he said “When I Googled the charge, I saw countless blog posts, complaint boards and tweets screaming about the same "hidden fee." Turns out millions were duped by the same scam and were complaining about it online and to their banks. So why wasn't I told?”

Samid and partner Raphael Ouzan, a financial data security expert, set out to build a system that would harness “collective consumer knowledge” and allow credit card users to share this kind of information with each other. BillGuard also monitors other complaint-related websites and social media services for signs that a company might be misbehaving.

Customer surveys show that about 90 percent of credit card users fail to scan their bills carefully each month, so a proactive alert system is essential, he said.

To see if the system really works, we asked Samid to share with us 10 potentially problematic charges that BillGuard warned consumers about in the first quarter of 2012.

Then we contacted the 10 companies involved to see if the warnings were warranted. We’re publishing 9 of the 10 here – the tenth requires additional investigation.

The list is varied, ranging from a small company that’s sending out $500 gift cards with a catch, to a magazine empire that’s generating complaints through the way it signs up new subscribers. Several themes run through the list, including the dreaded “negative option,” which relies on consumer laziness to pile on monthly charges, to the third-party “data pass,” which leaves many consumers wondering, “How did this company get my credit card number?”

BillGuard’s statements, and the company responses, are listed below. Next to each company name is the charge as it’s listed on most consumers’ credit card bills, which is clickable to BillGuard’s complaint page about the company. Check your credit card bills to see if any of these items appear, and consider disputing them.

1) ShoeDazzle - SHOEDAZZLE.COM, INC. SANTA MONICA CA

BILLGUARD: “This hugely popular merchant was flagged by a user of ours who alerted us to their dubious usage of a negative-option membership model in order to charge you monthly. Upon your first purchase, ShoeDazzle “subscribes” you to their service. From that point on, you’ve agreed to be charged $39.95 every month unless you log into ShoeDazzle and click a “skip this month” link. Don’t “skip” in time, and you’re charged. In other words, you have to take action to avoid being charged. The terms and conditions explaining this subscription service are hidden at the bottom of the checkout screen in the fine print. Based on our findings and our users’ complaints about this unethical membership practice, we now propagate this information to our entire user base.”

RESPONSE: ShoeDazzle, which made a name for itself in part because of its affiliation with Kim Kardashian, says it no longer requires customers to subscribe to its service and no longer assesses a monthly charge. The firm announced the change in late March.

“Under the old model, we did communicate the process in a How It Works video, in Terms and Conditions, via email upon purchase, through our Client Service team,” said John Tabis, vice president of strategy at ShoeDazzle. He then invited us to forward any complaints that BillGuard received to him. “We are always seeking ways to improve, and we appreciate the feedback.”  

2) Zbiddy -- ZBIDDY.COM 877-403-6981 FL 

BILLGUARD: “Zbiddy is a penny auction site. Participants must pay a fee in order to place a bid. Every bid placed extends the allotted auction time. Due to their high profitability and cheap set-up costs, penny auction sites have been growing steadily over the past few years. Zbiddy was a relative newcomer to the scene a few months ago but has already garnered a reputation for practicing shill bidding (bids placed with intent to inflate auction price) in order to drive up prices and extend auction length. We found this out when we were monitoring the trending scams on Google.”

RESPONSE:Two e-mails to ZBiddy’s customer service were answered only by auto-generated responses, like this:

“We have received your request. Your email is very important to us. We will answer your specific query within the next 24-48 hours. Answers to most of your questions can be found out by visiting our FAQ section. Best regards, The ZBiddy Customer Loyalty Team.” One week after the first e-mail, we hadn’t received a response.

UPDATE, April 23, 2012: Seth Dillon of ZBiddy contacted msnbc.com and offered the following response:

"I've reviewed and responded to the complaints on the BillGuard website. Thank you for bringing those complaints to our attention. .. (It) is not accurate that we have a reputation for shill bidding. ... ZBiddy does not now - nor have we ever - engaged in any unethical bidding practices to artificially inflate the cost of items on our site. With respect to the complaints about unauthorized charges, please note this reply, which has been posted on BillGuard: "To place bids and win products on Zbiddy, you must first register and purchase a bid package. This process is standard across the penny auction industry and is not exclusive to Zbiddy. If you have questions about the registration process, or if you were unaware that you were being charged at the time of your purchase, please contact our Customer Service department at 1-888-406-6509. Our friendly agents are standing by to take your call and help resolve your issue. The Customer Service Desk hours are Monday through Saturday from 8 a.m. to 12 a.m. ET."

3) Scoresense -- OTL*SCORESENSE.COM 800-679-6327 TXAP15CTE

BILLGUARD: “What Scoresense claims to offer are 'free' credit services such as credit score, credit monitoring etc., .... What actually happens is the following: The user feels safe in giving Scoresense their financial information in order to receive their 'free' credit report and usually fails to notice that the 'free' report lasts for a limited time, (after) which Scoresense uses the supplied financial information of the user in order to charge him monthly for a membership service.”

RESPONSE: A customer service representative who answered a telephone call told us to write to customercare@scoresense.com. An email sent to that address was answered only with an automated response: “Thank you for your email inquiry to ScoreSense.  Emails are typically responded to within 3 business days. If you have an urgent matter or wish to cancel your account please contact customer care toll free …” After 48 hours, we hadn’t received a response.

4) TWX/Synapse --- TWX MAGAZINE SUBSCRIPTIONS

BILLGUARD: “TWX/Synapse uses a data pass model in order to trick consumers into costly subscriptions. What happens in data pass models is the following: Consumers buy a product at a participating third-party merchant. The merchant may be a physical grocery store or an online shop. During or after the checkout process the consumer is offered a free trial for magazines of his choice. Assuming that the company offering him the magazine subscription does not have his financial information and that he is entering a 'no-risk' trial period, the user signs the dotted line. What he does not realize is that the financial information he supplied to the participating third-party merchant is passed on to TWX and will later be used to charge him for the magazines once the free trial ends, without any notice between the trial and paid periods.”

RESPONSE: “Our customers are incredibly important to us, as millions of them enjoy our services. Terms are disclosed clearly, including verbally if the sales environment is face to face.  Additionally, if consumers for whatever reason are dissatisfied, we work very hard to settle any issues to their complete satisfaction.  We have an A+ rating with the Better Business Bureau for these and other reasons. Please attribute to a Synapse Spokesperson.”

5) LendNet -- LENDNET 101

BILLGUARD: “Short-term daily loans is are a growing field. The lender typically offers a short-term loan for very high interest rates. In this instance, the merchant offers to find you a suitable short-term loan provider. LendNet is in essence a middle-man. In order to find you a good loan provider LendNet requests your financial information.  It then uses the supplied information to bill you for a service fee ranging from $30 to $50. You need to have super-human vision and at the very least a law degree in order to find this fee in the fine print of the terms and conditions. In addition to this sneaky fee, some users have also reported that they were subsequently given a loan from a third party without prior consent to the loan terms or conditions resulting in monstrous interest rates. 

RESPONSE: The website is now down; e-mails sent to it were returned as undeliverable. There’s a host of complaints about the site in other locations online, including this one.   

6) FreeShipping.com -- IC FREESHIPPING.COM

BILLGUARD: “FreeShipping.com offers to supply you with free shipping from various merchants for a flat monthly fee. The problem is that FreeShipping works with multiple third-party merchant affiliates who unknowingly subscribe you to a membership. During the checkout process with the third-party merchant there is a small button at the bottom of the page, usually opted in by default, and unless you notice it and opt-out, your financial data is passed on to FreeShipping and you are a monthly paying member.”

RESPONSE: Thomas Caporaso, FreeShipping.com CEO, said BillGuard’s description of the service was “simply untrue.”

“There is no way that we can collect any billing information from the user without them physically entering it into our member registration form,” he said. “When people register for FreeShipping.com, they must enter all of their information into our signup page, including their credit card number and billing address. The terms of the offer are presented clearly, immediately next to where they would enter their credit card information, explaining that they may cancel at any time within the 30 days with no charges to their card, and that after the 30 days are over, the subscription converts into a paid membership at $12.97 per month. They are also required to check a box agreeing to the terms of service before we are able to process their trial.  Lastly they may cancel at any time after that with no additional billing from us.”

Many of the complaints generated against FreeShipping.com involve third-party websites sharing consumer information with the service. Caporaso said those consumers are also informed of the cost.

“Regardless if the member goes directly to Freeshipping.com or through a third-party merchant the enrollment process is the same as outlined,” he said.

There are many complaints about FreeShipping.com across the web, such as at this page. To support its complaint about Freeshipping, BillGuard also pointed to this lawsuit against the firm, and noted that there are 341 complaints about the company on ComplaintsBoard.com, and 66 complaints on Scambook.com.

7) Cellulean -- CELLULEAN.COM

BILLGUARD: “A free sample of a miracle diet product! Unfortunately, as some of our users learned, unless you call them and request to opt out within a few days of placing your free trial order you are sent a second package for the pricey sum of $75. The main reason most users do not call to cancel their subscription is that they never knew they were enrolled in one to begin with. Cellulean requests your financial information during the checkout process of the free trial supposedly to cover the shipping costs. What they are actually after is your financial information so they may bill you monthly for their product.”

RESPONSE: An operator at Cellulean’s customer service center told us to write an e-mail to CEO Patrick Leddy. He sent this response: 

"Our website and offer meets all legal guidelines set forth by the Federal Trade Commission and the Electronic Retailing Association (ERA). In fact, we place our terms and conditions in full-size readable font right next to the ordering section, instead of hiding them at the bottom of the page (which is the FTC/ERA requirement).  We then go another step further, beyond the requirements, by placing a check box next to the order button, which states: "I am 18 years of age and agree to the Terms and Conditions".  The customer is not allowed to check out of the website unless this box has been checked.  Furthermore, we give the customer two direct purchase options, instead of just the free trial offer, allowing them to choose if they want to enter into the agreement, or simply buy the product with no terms or conditions. When a complaint has been made by a customer, stating they were shocked when they were billed, and never knew they enrolled themselves into such a program, we have to scratch our heads in wonderment.  This is a classic case where the customer attempts to pass blame on to the manufacturer, when in fact they entered themselves into a legal binding agreement - with their full knowledge and consent beforehand.  Customers are not forced to place an order, they do so freely on their own willingness, and should be accountable for their choices."        

8) Redstarworldwear -- SUNGLASSES-EYEWEAR 0

BILLGUARD: “Redstarworldwear is an online retailer of sunglasses and watches. They send out gift certificates “worth” $500 to unsuspecting consumers informing them that they have won a special prize. Joyful of the prize, the unsuspecting customer then goes to Redstarworldwear website and purchases as much as he can using his newly minted gift card. During the end of the checkout process the customer is informed that there is a separate shipping and handling fee that cannot be deduced from the gift cards value. The customer then enters his financial information in order to pay for the (that), which turns out to be a costly 9 percent of the order value. We were interested how valuable these supposed $500 gift certificates actually were so we had a look around eBay, they can be had for under $2!”

RESPONSE: The firm did not reply to two e-mails, but a section of its website offers an explanation for confusion over the gift cards, and makes clear consumers aren’t getting something for nothing.

“There is a 9% Service Fee (per item) that pays for all expenses that RedStar incurs to get the product into your hands. This 9% service fee includes: USPS First Class delivery, processing and handling and general overhead which includes; customer service, order processing, warehousing, labor, cost of goods and materials, profit and marketing.”

There are other complaints online about the firm’s gift cards.

9) Blizzard -- BLIZZARD ENT WOW SUB

BILLGUARD: “Blizzard, the hugely popular merchant behind the Warcraft series, is not a name that usually comes up in discussions on unfair charges. So we were surprised to learn of several complaints from our customers regarding unwanted charges from them. After investigating the matter we learned that Blizzard enables a phone billing option called PaymentOne PhoneBill. This billing option allows you to pay for Blizzard games and subscriptions by merely entering your phone number information in the account settings tab. Obviously, given the young age and lack of credit card availability to some its users, this option has a high potential for unwanted and unauthorized purchases by young family members.”

RESPONSE: Blizzard was unable to provide a response by press time.

*Follow Bob Sullivan on Facebook     
*Follow Bob Sullivan on Twitter. 

Why would the well-heeled suburb of Gilbert, Ariz., spend a quarter of a million dollars on a futuristic spy gadget that sounds more at home in a prime-time drama than a local police department?

The ACLU caused a stir Monday with its extensive report of cellphone surveillance by local police departments, which routinely request location information and other data from cellphone providers, often under vague legal circumstances.

But one bit of information provided by Gilbert officials suggests that cops sometimes try to cut out the middle man. Buried in the 380 public records requests sent by the ACLU is a response from Gilbert which indicates that the town purchased a device that allows it to track cellphones on its own for $244,195.

Gilbert didn't offer additional details about the device to the ACLU, and Chief of Police Tim Dorn didn't immediately respond to requests for comment.

But several surveillance experts said the device sounds like a gadget that's sometimes called a stingray.  

The stingray, made by Harris Wireless Products Group of Melbourne, Fla., lets users set up what amounts to a fake cellphone tower and trick all phones nearby into connecting with it. That data can then be used to track the physical location of anyone nearby carrying a powered-on cellphone -- even if the citizen isn’t on a phone call. A stingray can also register other data, such as the phone numbers dialed by all phones while connected to it. The device reportedly cannot record or intercept the content of a phone call, so it does not act like a wiretap.

Still, the stingray is at the heart of a hotly contested criminal case involving an identity thief named Daniel David Rigmaiden, who allegedly stole $4 million through a fake tax return scheme. Federal authorities used a stingray to find Rigmaiden in California in May 2008, then sent him to Arizona for trial.

Perhaps Gilbert was impressed with the result -- it says it acquired its device one month later.

In September 2011, a federal court in Arizona heard Rigmaiden's request to receive all details about the government's secretive use of the surveillance technology. Federal prosecutors are resisting disclosure because they say it will jeopardize use of the critical law enforcement technology in other cases.

Rigmaiden's case, as yet undecided, is largely seen as a test of the constitutionality of stingray and related police surveillance technologies. Would use of a stingray constitute a search, and thus require application for a time-consuming search warrant? Or do cellphone users give up their expectation of privacy by turning on a phone and carrying it in their pocket? The issues were discussed extensively in this recent Wall Street Journal story.

Use of a stingray-like device raises even thornier issues than cellphone records requests, said Catherine Crump, the lawyer who headed the ACLU project.

"I think when law enforcement starts purchasing technology that allows them to track cellphones in that manner, it raises a whole host of questions about how that technology is being used that are even more serious when they track people through carriers," Crump said. "At least when a carrier is involved, there's a third party that may raise concerns if the request is of questionable legality. But when a law enforcement agency can do on its own surveillance, that raises even more serious questions about whether there is appropriate oversight."

No other local police department that responded to the ACLU's public records requests mentioned purchase of a stingray-like device -- one other community mentioned borrowing such a gadget -- but Crump said that's because she didn't specifically ask about them.

"If I had to write the requests it over again, I would,” she said. “We didn’t realize how big an issue these devices were at the time. We know that there are others purchased by other agencies around the country, mainly from press reports."

The Miami police department, for example, asked Harris for a price quote in 2008. The firm's response is still on the city of Miami's website. A more extensive price list from Harris can be found at this website. 

A spokesman for Harris Wireless said the company didn't comment on clients' purchases and referred questions to Gilbert's Police Department.

The use of fake cellphone towers by law enforcement has caught on outside the U.S., too. Britain's Metropolitan Police, which serves the greater London area and is that nation's largest police force, began deploying similar technology provided by England-based Datong PLC last year, according to The Guardian. The disclosure began a round of debate about civil liberties in Britain.

Matt Blaze, a computer science professor at the University of Pennsylvania and an expert on stingray-like devices, said they are a mixed bag.

"Certainly these devices are powerful surveillance tools that, if misused, have the potential to be quite invasive against the privacy of innocent people," he said.  "But, then again, so do many other law enforcement investigative methods -- physical searches, hidden microphones, informants and so on. The question is how they are used, how often they are used and the oversight mechanisms in place to prevent and detect misuse."

Devices like stingrays are technologically limited in scope, however -- they can only monitor a limited physical area in real time -- so Blaze is less concerned about them than he is the revolving door of data between private companies and law enforcement.

"I'm less worried about law enforcement agencies with stingrays and other targeted surveillance gadgets than I am about location and other kinds of tracking through the carriers, especially when done without strong legal oversight or without probable cause," he said. "While I do worry about abuse of these kinds of electronic surveillance devices, the fact that they are inherently rather targeted in what they can collect acts as something of a built-in safeguard. I'm more concerned, in the long run, about large-scale surveillance capabilities being included in our communications infrastructure."

Still, privacy researcher Chris Soghoian – who has written extensively on law enforcement use of cellphone technology for surveillance – said police use of the stingray device is among the most troubling privacy developments in years. Some phone companies allow police officers to use a website to download customers’ GPS location data easily, “from the comfort of their own desks,” he said, and charge as little as $5 for the information. With phone company record access that easy and inexpensive, there’s no need for stingray, he argued.

“The real issue is that this device is about allowing police to perform surveillance when the phone company would say no,” said Soghoian, who is Graduate Fellow at the Center for Applied Cybersecurity Research at Indiana University. “This is not about saving time and money … it’s about the fact that there’s no one to insist that the law be followed when a stingray is used.”

 *Follow Bob Sullivan on Facebook     
*Follow Bob Sullivan on Twitter. 

UPDATED April 1, 11:35 p.m. ET

Global Payments Inc. hinted on Sunday night that about 1.5 million consumers were impacted by the massive credit card hack that first came to light on Friday -- fewer than the 10 million that was initially reported.  

In a statement, the firm said "less than 1,500,000 card numbers may have been exported" by hackers who had access to its payment processing system. "Cardholder names, addresses and social security numbers were not obtained by the criminals." 

It also said hacker access was limited to the North American portion of its network. 

Even without names or Social Security numbers, the so-called "track 2" that the firm admits was taken for each account would be enough for criminals to make fraudulent online purchases or perhaps clone credit cards to commit real-world fraud. 

The data leak was first revealed on Friday, when MasterCard and Visa confirmed that law enforcement officials were investigating a major theft of U.S. consumers' credit card data. The computer security expert who first reported the theft said at the time that it might involve as many as 10 million accounts, making it one of the largest known credit card heists.

"MasterCard is currently investigating a potential account data compromise event of a U.S.-based entity and, as a result, we have alerted payment card issuers regarding certain MasterCard accounts that are potentially at risk," that association said in a statement. "Law enforcement has been notified of this matter and the incident is currently the subject of an ongoing forensic review by an independent data security organization." 

In what is said to be an unrelated incident, Visa's network was knocked offline for about 4 minutes on Sunday afternoon. Visa, in a statement, blamed a technical glitch for preventing consumers from making transactions from 2:40 p.m. until about 3:20 ET. 

Payment processors  -- "middle men" that handle transactions between retailers and banks -- have long been a target of identity thieves because of the enormous amounts of data they control. In 2008, Princeton, N.J.,-based Heartland Systems was hacked, exposing tens of millions of credit card account numbers to theft.

The theft was first reported by well-known computer security journalist Brian Krebs on his blog, KrebsonSecurity.com.  He reported that hackers had access to the then-unknown processor's data from Jan. 21 through Feb. 25, and were able to siphon off enough data to easily create counterfeit cards. His sources called the leak "massive."

Visa, in a statement, also acknowledged the data theft but said its own systems were not hacked.

“Visa Inc. is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands," the firm said. “Visa has provided payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards."

Gartner security expert Avivah Litan said she's been told that the stolen data is already being used on the street by identity thieves.

"I’ve spoken with folks in the card business who are seeing signs of this breach mushroom. Looks like the hackers have started using the stolen card data more recently," she said.

She's been told that investigators believe the data theft originated in New York City.

"From what I hear, the breach involves a taxi and parking garage company in the New York City area, so if you’ve paid a NYC cab in the last few months with your credit or debit card — be sure to check your card statements for possible fraud," Litan said in her blog post on the topic.

MasterCard said none of its computers were hacked as part of the incident.

"MasterCard is concerned whenever there is any possibility that cardholders could be inconvenienced and we continue to both monitor this event and take steps to safeguard account information," the association added in its statement. "If cardholders have any concerns about their individual accounts, they should contact their issuing financial institution.... It is important to note that MasterCard's own systems have not been compromised in any manner. "

*Follow Bob Sullivan on Facebook     
*Follow Bob Sullivan on Twitter. 

Verizon and AT&T have agreed to stop “cramming” consumers' telephone bills with unauthorized third-party charges, Sen. Jay Rockefeller announced Wednesday. The move comes after a Senate investigation revealed last year that consumers were hit with $10 billion in fraudulent charges due to the practice over the past five years.

A TODAY show/msnbc.com investigation in July  revealed how extensive and frustrating cramming is, with maddening, mysterious $10 or $20 charges appearing every month on millions of Americans' phone bills.

The investigation relied on a report commissioned by Rockefeller that found that three telecom firms - -- Verizon, AT&T and CenturyLink/Quest -- earned $650 million as their cut of cramming charges levied by third-parties since 2006.

"AT&T made the right decision to end cramming by August," the West Virginia Democrat’s office said in a statement on Wednesday.  "Something had to be done.  And while the decisions of AT&T and Verizon are a step in the right direction, I still believe we need to pass a bill that bans this abusive practice once and for all.”

“AT&T has decided to discontinue most third-party billing on our customers’ landline accounts,” Michael Balmoris, an AT&T spokesman, said in a statement to msnbc.com. "We currently receive cramming complaints for only about one out of every thousand bills that contain third-party charges.  However, due to continued concern over the possibility of unauthorized charges, we have decided to take this additional step and eliminate third-party billing for most types of services.”

Verizon spokesman Bill Kula also confirmed the change, saying in an email: “On March 19, Verizon’s wireline business began notifying its billing aggregators (or “clearinghouses”) and carriers that it is going to cease providing third-party billing services for so-called 'miscellaneous' or 'enhanced' services. All billing of those services will be phased out by the end of 2012.  … Verizon wireline will continue to provide billing services for third party charges that generally relate to telecommunications or information services that use our network.”

Separately, Verizon earlier this month agreed to settle aclass-action lawsuit related to cramming, and agreed to refund 100 percent of victims' money for any unauthorized third-party charges consumers suffered from April 27, 2005, through Feb. 28, 2012.

Cramming has vexed consumers and generated mountains of complaints since 1995, when land line providers began making it easy for third-party firms to sell add-on services like voice mail through local phone bills. 

The problem is it's too easy for third parties to attach unwanted items to consumers' bills:  Previous investigations have found firms frequently trick consumers into signing up using sweepstakes entries or cashing small checks that also serve as authorization forms. In other cases, the third-party firms simply lie about getting authorization, a scam called “phantom billing.” Last year, Illinois Attorney General Lisa Madigan testified that usage rates for the unwanted services could be as low as 1 percent.

"Committee staff has found hundreds of egregious examples of cramming," the Rockefeller report found. "Third-party vendors have enrolled deceased persons in their so-called services and charged family members' telephone bills for it. They have charged telephone lines dedicated to fire alarms, security systems, bank vaults, elevators and 911 systems. Senior citizens' telephones have been enrolled in web-hosting services, even though they have never used. A children‘s hospital was charged for a celebrity tracker e-mail service that provided daily celebrity news feeds, photo, and videos. A national bank‘s telephone lines were charged for credit protection plans."

Perhaps nothing illustrates how out of control cramming had become as well as AT&T's own victimization.

"Committee staff confirmed that third-party vendors associated with one hub company crammed at least 80 of AT&T‘s own telephone lines with charges for services such as voicemail, sometimes for periods as long as 18 months," the report said.

*Follow Bob Sullivan on Facebook     
*Follow Bob Sullivan on Twitter. 

Dan Clements

This hacker shopping list appeared recently on what appears to be a Russian-based website offering credit reports for sale. Prices are based on the victims' credit scores.

The most important tool consumers have to fight against ID theft has been turned against them by hackers, msnbc.com has learned. Websites that offer consumers a chance to see their credit reports are being brazenly used by hackers to steal victims' information.

The prices of the reports rise and fall depending on the credit score of the victim. For consumers with credit scores in the 750s, report data might fetch $80; reports from victims with scores in the low 600s sell for about half that, according to "for sale" pages viewed by msnbc.com.

"It shows how people with good credit and a net worth now have a bull’s-eye on their backs," said Dan Clements, who operates the Internet security firm CloudEyez.com. Clements gave msnbc.com a virtual tour of the marketplaces, which he has been observing for months.

The most troubling part of these markets however – many hosted in the .su domain, which stands for the now-defunct Soviet Union – is the ready availability of credit reports and the hackers' bragging about how easy it is to infiltrate websites like AnnualCreditReport.com or CreditReport.com.

"I'm selling super prime credit reports and scores which include all 3 bureaus and other information," brags one advertisement on one site. 

Clements helped msnbc.com view dozens of credit reports on the forum, many of which had CreditReport.com stamped across the first page. But others viewed by msnbc.com indicated they were stolen from AnnualCreditReport.com and Equifax.com. Clements said most other online credit report and some credit score suppliers were hit, too --  he shared a page showing a victim's score produced at CreditKarma.com.

"We really have no idea how many reports have been used or put up for sale in the 'libraries,'" said Clements, who also operates a consulting firm. 

The credit report trade shows why even simple credit card fraud – long considered a relatively benign form of ID theft – can escalate quickly into a full-blown identity nightmare. Criminals with stolen cards can obtain background reports, credit reports and ultimately open new accounts using the information gleaned about the victim, Clements said.

In one how-to posted on a bulletin board, a hacker describes one brute-force attack used to gain access to credit report websites. Most sites are protected by "challenge" questions such as, "Which bank holds the mortgage on your home?"  But there's a critical flaw, the hacker said:

"Normally all ... of them will ask you the same question," the hacker wrote.

Because the sites use the multiple choice format, it's easy to use the process of elimination and determine the correct answers, he claims.

The hacker explained that the trick is to open several credit report sites and keep trying random answers until one set works.

The recipe is highly detailed, including helpful tips such as, "Take a shot of screen to remember what answers you gave. After that click the submit button and see what it says."

Dan Clements

This bulletin board post, intentionally cut off to be incomplete by msnbc.com, shows a hacker discussing how he allegedly defeats credit report website security.

A would-be credit report thief needs additional information to get credit report access, but that can often be gleaned by ordering background checks using the victim's stolen credit card. Reports stolen from Intellius.com and BeenVerified.com, which provide previous addresses and a host of other valuable information, also were found on the site.

One victim whose credit report was spotted on the site told msnbc.com that she found one instance of credit card fraud on her accounts around the time the data theft was first discovered by Clements. She now pays to maintain a credit freeze on her credit reports.

"You hear about this kind of thing all the time but you never think it will happen to you," said the victim, who requested that her name be withheld. "And when it happens, you think, 'Great. Now what do I do?'”

For years, consumers have been advised to visit AnnualCreditReport.com once each year to see their reports. Federal law requires the nation's three largest credit bureaus – Experian, Equifax, and Trans Union – to maintain the site, under the direction of the Federal Trade Commission.

That's still good advice – looking at your credit report is the best way to detect identity theft. But the site is apparently both an ally and a foe now.

The FTC would not comment on hackers' use of AnnualCreditReport.com.

In the past, the FTC has sued companies for inadvertently selling credit report data to hackers, however. In 2011, the agency settled with Settlementone Credit Corp., ACRAnet Inc. and Fajilan Associates after those firms unknowingly sold reports to criminals. The three firms were ordered to submit to 20 years' worth of security audits.

Those firms prepare reports for car dealerships and other credit granters. Raiding consumer-facing sites like AnnualCreditReport.com is even more brazen, however.

CreditReport.com is operated by credit bureau Experian; that firm also provides credit reports to consumers as part of AnnualCreditReport.com.

"Experian is aware of schemes such as this to access reports illegally, and we have taken measures within our systems to mitigate the issue," said Experian in an e-mail to msnbc.com. "We are constantly evolving our systems to prevent fraud and criminal activity, but do not comment publicly on the specifics of our fraud prevention methods." 

Trans Union and Equifax, which also provide reports through AnnualCreditReport.com, did not immediately respond to requests for comment.

Kenneth Lin, CEO of CreditKarma.com, said the firm had received "a handful" of complaints about compromised accounts and worked quickly to shut down access. CreditKarma credit score reports show no account information or other personal data, so the security risk posed by an imposter getting a victim's score is minimal, he said.

"That's intentional. That's a security feature," he said. The site also uses more difficult challenge questions than AnnualCreditReport.com, Lin added.

Solving the problem of credit reports stolen through consumer websites is no small task. One irony of the hackers' ability to easily raid such sites is that many consumers report great frustration getting their own credit reports through AnnualCreditReport.com.  The challenge questions are sometimes so arcane – such as, "Which bank held your previous auto loan?" -- that legitimate consumers can't answer them easily.  

"But anyone who does any research can probably figure out what the answers are before you can," said Jay Foley, who runs IDTheftInfoSource.com. In other words, it's too easy for criminals to get credit reports, but it's too hard for consumers.

One of the websites where Clements observed the stolen card activity – kurupt.su – dropped mysteriously off the Web late last week. The site was well-known as a haunt for criminals and scam artists in the computer underground. But Clements says that will hardly put a dent in the stolen data trade.

"You currently can't stop this scam because the 'soft inquiry' of a consumer pulling their own report doesn't record in the majority of credit files," he said, explaining that a consumer would never know if a criminal pulled a copy of their report. "Unfortunately, it allows the bad guys, by impersonating you, to download your credit file and leave no tracks."

*Follow Bob Sullivan on Facebook     
*Follow Bob Sullivan on Twitter.

A new report by the Federal Trade Commission slams the nation's credit bureaus for upselling identity theft prevention services when victims call looking for help.

The report found that consumers face frustrating voice mail systems that often make it hard to reach a live operator, are confused about their rights and face unnecessary hurdles fixing credit report errors caused by identity thieves. It also pointedly raises the possibility that the new Consumer Financial Protection Bureau could initiate enforcement actions against the bureaus -- Equifax, Experian and TransUnion.

The report comes as that new agency is about to take on regulation of he credit bureaus, a major shift in the way they are policed. The bureau’s new powers will kick in this summer.

The survey takers were not scientifically sampled, so the results should not be extrapolated nationally. But they do offer insight into the struggle ID theft victims face when trying to recover from the damage inflicted by their imposters.

Pestered with pitches
The news wasn't all bad for the bureaus -- 68 percent of respondents said they were somewhat or very satisfied after their interactions with credit bureaus.  But there were plenty of complaints.  Chief among them: Victims are pestered with pitches when they are simply calling for help.

"They kept trying to sell me a fraud alert package and I often had to ask to speak to a manager to get them to put a freeze on my credit reports," said one victim quoted in the report.  Another complained:  "It was very difficult to avoid marketing." Several said that, as a result of the pitches, they ended up buying services they felt should have been free.

"Several consumers in the focus groups complained that they felt pushed into paying for additional services while placing their fraud alert,” the report said. One complained that when attempting to obtain a credit report, the respondent was tricked into signing up at a fee-based credit report website.

'They should be helping you'
But at least those folks got through the phone mail tree and reached a live person.  Many victims complained to the FTC that they "spent too much time navigating automated menus and being placed on hold."  One of three victims who called looking for help said it was either somewhat difficult or very difficult to get a human being on the phone.

"That's because operators are spending too much time selling things people don't need," said Ed Mierzwinski, head of the Public Interest Research Group, a public interest advocacy organization. "The bureaus are supposed to keep your information accurate. When you call to complain, you are a victim of their failure, and they should be helping you, not pitching you to buy their product that won't help you anyway.”

In 2000, the FTC fined the three bureaus a total of $2.5 million for failing to answer consumer phone calls in a reasonable amount of time, something they are obligated to do under federal law. The FTC didn't say whether it was considering a similar action in light of the complaints in the report, but it did issue a warning to the bureaus.

"Given these incidents, the Consumer Financial Protection Bureau, which has examination and rulemaking authority in this area, may want to address these practices," the agency said in its conclusion. "In addition, to the extent any marketing of identity theft protection products involves unfair or deceptive practices, the commission retains authority to bring enforcement actions to protect against such conduct."

Credit bureau TransUnion said that it takes consumer rights seriously.

"TransUnion was the first credit reporting company to establish a Fraud Victims Assistance Department," said spokesman Clifton O'Neal in a statement to msnbc.com "We established (it) in 1992.  Consumers calling (the number) are always presented with the option to speak to a fraud specialists to assist them and answer any questions.  In addition, consumers can easily place and remove fraud alerts and credit freezes online at TransUnion.com."

Equifax and Experian didn't immediately respond to requests for comment.

Confusion
There were plenty of other signs of dissatisfaction in the FTC report, including confusion over consumer rights. Many consumers didn’t know they could request that ID theft-related items be blocked from credit reports, for example. Others didn’t know the difference between free annual credit reports provided to anyone at http://AnnualCreditReport.com, and the free credit report that ID theft victims can obtain when they call a bureau to report the crime.  Such confusion also leads to unnecessary purchases, the report suggested.

Only 51 percent said they had received the free credit report they'd asked for from all three credit bureaus after reporting the crime. Some victims said they had to wait "weeks or months," and about 10 percent said none of the three sent a report.

"(One) participant did not receive the credit report until after the 90-day fraud alert had expired," the report said.

The biggest complaint involved trouble getting errors fixed: 29 percent said mistakes that landed on their credit reports were not corrected. 

"(It) was easier for the thief to change my info on my credit report than it has been for me to change it back. It's still not right," said one victim.

Tortuous process
Even consumers who were eventually able to beat back mistakes said the process was torturous. One in four said three to five phone calls were required to fix errors, and about the same number said they were "very dissatisfied" with the process -- the highest dissatisfaction rating in the survey.

 "(If) your identity is stolen it becomes a full-time job to get it fixed. Everybody, credit cards, banks, CRA want to pass the buck," said one victim quoted in the report.

Mierzswinski, who's testified about credit bureau misbehavior before Congress repeatedly during the past 20 years, said he's seen all these complaints before. But he's optimistic that the new consumer agency's power to regulate and sanction the bureaus offers a real chance to address some of the recurring consumer issues.

"All of us have been disappointed that the bureaus have really skated for a long time and gotten away with a lot of sloppy practices," he said. "The Federal Trade Commission never had the big guns, but the CFPB does. ... We think it will be an exciting time."

*Follow Bob Sullivan on Facebook     
*Follow Bob Sullivan on Twitter.

Denise Richardson had three kids, worked the night shift and had little spare time to take classes that would earn her the high school degree she never received as a teenager.

Nearly 1 million Americans try to get their high school equivalency credentials every year, and she wanted to join their ranks, so the Wisconsin mother went online to learn about the process. After clicking her way through a few ads, she found one that looked promising: For around $500, she would get a series of practice tests mailed to her. Then she could take a test online and, if she passed, she’d get that coveted diploma. 

A few weeks later, after working through the practice tests and struggling through a five-hour online exam, she was told she had passed. Soon, she had her diploma. Then, last fall, she proudly took the diploma and transcripts to nearby Blackhawk Technical College and enrolled in classes. A few days later, she got a call from an admissions officer with bad news.

Richardson is one of 39 million U.S. adults who don't have a high school diploma and are therefore blocked from college and many employment opportunities. There's only one way to "test" out of high school -- through the General Educational Development (GED) program that's operated by the GED Testing Service, a joint venture of the American Council on Education and a private firm named Pearson VUE. And there's currently no way to take the test online: You have to sit, SAT style, in a hard chair in front of a proctor and pass the test's five components.

But as with so many industries, the digital world has added confusion to the process and left the door wide open for scam artists. Imposters abound online, promising simpler ways to get a GED or a high school diploma, the offers sweetened by promises that online tests mean the applicants never need to leave their homes. Those who are duped into doing that are almost always disappointed, as those degrees are not recognized by state education departments or the federal Department of Education. More importantly, colleges and employers don’t accept the degrees.

Victims like Richardson are usually out anywhere from $200 to $1,200 and they face embarrassment when they try to use their diploma. For many, it's also a tough setback on an already tough road.

"I wanted it so bad and I figured … it was something online where I could do it on my own time, and working third shift, I couldn't go to school during the day and come home to the kids at night and help them with school work, so it was a perfect opportunity,” Richardson said. “That's where they got me.”

This week, the American Council on Education is warning consumers about an explosion of fake high school equivalency scams and, with the GED Testing Service, has filed a lawsuit against a string of websites it says offer false hope and false degrees.

"(Victims) are getting something not recognized by employers, not recognized by colleges," warned Randy Trask, president and chief executive officer of GED Testing Services. "They pay their money, they get their credential, they try to get into college or they try to get a job only to find out that it was a fraudulent credential. … It’s not worth the paper it was printed on."

It's unclear how many victims have been taken nationwide, as there's no central clearinghouse for victims. But there are piles of complaints at local Better Business Bureaus and state attorney's general offices across the country. A simple Web search shows just how many questionable high school degree programs compete for victims.

“It’s likely there are thousands of people, if not more, who have been affected by scams like this,” said GED Testing Service spokeswoman Cassandra Brown. The service has recently launched a website to encourage victims to come forward to help determine how extensive the problem is.

The pool of potential targets is particularly vulnerable, said Trask.

"It's quite frankly a target rich environment,” he said. “There are lots of people who know they need (a degree). They have a sense of urgency about how quickly they want to get it, and they're a logical victim. If they see something that requires less work, why would they go through the process if it requires more time and they think they're going to be getting the same thing?"

The lawsuit has already had an impact. Visitors to SenfordHighSchool.com -- one page alleged in the lawsuit to have sold imposter GEDs -- now see a stark warning that the site was disabled by a federal court order on March 9. Anyone who placed an order with the site is instructed to contact a lawyer listed on the page.

The original GED test was first administered in 1942, during World War II, and was designed as a way to get veterans ripped from their childhoods quickly back into the educational system and on a path towards college or a career that required a high school degree. Since 1942, 17 million people have been granted GED credentials.

GED Testing Service has been able to successfully sue rogue online operators who abuse the GED trademark. But the Web is teeming with similar sites that tempt potential GED test-takers with online studies  that lead to diplomas rather than the  equivalency credentials granted by the GED Testing Service.  Such online studies aren't accepted by most colleges either, further confusing the issue and sometimes skirting the edge of the law.

"I think as Americans we should all be incensed that people are taking advantage of adults that are really just trying to get out of the path that they headed down," Trask said. "They want to turn their life around, they want to provide for their families.”  

Only state departments of education can give entities the authority to grant high school diplomas.  Potential students should check with their state office before enrolling in any program for a high school degree.  The national Department of Education website has a handy list of links to state offices.

Richardson’s story has a happy ending. She went to a local GED testing center and shared her story. She got no refund – the website she paid for her fake degree had disappeared – but she eventually sat for the real test, passed it and enrolled in college.

“A lot of people say now I’m too cautious because I don't like to do anything on the computer anymore,” she said. “It feels really good that I’m in college and taking up two degrees. ... I couldn’t be happier.”

*Follow Bob Sullivan on Facebook     
*Follow Bob Sullivan on Twitter.

A section of the Seattle school sports waiver which warns parents that participation may lead to kids losing the ability "generally to enjoy life."

If someone handed you a form that said your child might lose the ability "to generally enjoy life", would you sign it? If you are the parent of a child playing sports in school, you probably have already done so.

Parents of school-age kids know too well that life is a steady stream of waiver forms and other kinds of paperwork.  Who has time to read all the fine print? 

Fortunately, the child of a co-worker did just that recently, and called my attention to the following language on a waiver form sent home by the Seattle School District for prospective track and field athletes.

 "I am aware that track & field is a high risk sport … involving many risks of injury," it said.  It then delineated a long list of potential horrible outcomes, such as brain damage, blindness, paralysis and, of course, death.

The kicker, however, was the following line: "Competing in track & field may result not only in serious injury but a serious impairment of my future abilities ... generally to enjoy life."

Well, that covers it.

The dad and I had a few laughs about inclusion of such a Draconian phrase, but just for fun, I Googled it  and found thousands of school sports waivers that include precisely the same language, like some legalese virus.

Kids in every one of those school districts, and their parents, are being told that playing sports may prevent them from generally enjoying life. This discovery led to much speculation about how far our society has fallen, and about the fine job that lawyers do in ruining the fun of just about everything.

But as with so much that you read in fine print, there is an explanation. Meet the man who essentially invented the legal term "generally to enjoy life": He's a Chicago-based economist named Stan V. Smith.

When someone is injured in a car accident, a workplace mishap or in any other circumstance where blame is assigned by a civil court, you probably know that the defendant must pay for the injured party's medical expenses.  And you might know that the defendant could also have to pay for future lost wage potential.  But, according to Smith, those injured through negligence -- or worse -- face all sorts of other future life costs. Suppose an avid amateur cello player is hurt in a car accident and is no longer able to play her instrument. She hasn't lost future wages, but something that she loved has been taken from her.  To Smith, the way to make that person whole is to compensate her for the lost enjoyment of being an amateur musician. Smith calls this "hedonic damages," named after the Greek word for pleasure.

Smith, as an economist, is constantly honing formulas that lawyers can use to arrive at fair price tags for loss of life enjoyment. There's even something called an LPL, or Lost Pleasure of Life, scale, that Smith helped develop.

SmithEconomics.com

Stan V. Smith

While this concept might sound foreign, it's not new, and it’s not really controversial.  Smith first provided expert testimony on hedonic damages in a 1985 wrongful death lawsuit in an Illinois federal court, winning "enjoyment of life" compensation for the victim's family.  The decision was not only upheld by an appellate court, the justices singled out his testimony as an "invaluable guide to the jury."  Courts around the country have, to varying degrees, been awarding hedonic damages -- sometimes referred to as “LEL damages,” for loss of enjoyment of life -- to plaintiffs ever since.

Ever those trial-lawyer-hating conservatives don’t dispute the concept. In his first opinion as a Supreme Court Justice, Clarence Thomas authored a noncontroversial 9-0 decision granted hedonic damages to a plaintiff who was mistreated in a VA hospital, for example.

When I talked with Smith, he was unaware that his famous phrase had made its way into thousands of school waivers around the country. He had mixed feelings.

"I think it's good that people are recognizing we have a quality of life, and we have to pay attention to that. To the degree that this is raising consciousness about that, it's positive," he said.

Of course, these waivers are not intended as pamphlets for parents and students to learn about their legal rights. They are small print designed by district lawyers with one goal in mind: to shrink the size of any future payout a jury might award an injured student. (Can't you hear it now? "Members of the jury, Johnny and his parents knew that by joining Math Club he might lose enjoyment of life.")

That disturbs Smith.

"This is a cover your butt thing,” he said. “It's a very blunt statement that is ominous and threatening. ... They are shoving it in the parents' faces and implicitly saying, 'Crap happens.' "

Smith thinks such warnings certainly have a place in school waivers. But he wishes they were accompanied by an equally clear statement that districts will work hard to minimize risk and keep kids safe.

"I think it would go a long way if schools or organizations would take responsibility and say, 'We will take precautions and set forth reasonable standards,’" he said. "Wouldn't that be nice to hear the other side of this?"

Theresa Amato, who runs a Website devoted to outing fine print called FairContracts.org, said she's seen similar issues with school districts and other kid-oriented organizations before. They often purchase contract templates from legal form sellers, then have a district lawyer tweak it to suit their needs. That explains why these kinds of contracts are so similar around the country, she said.  Also, Amato noted, districts probably feel pressure from insurance companies to include such sweeping language.  

She's not concerned about how a parent's signature on such a waiver would impact a jury trial  -- entities can't use small print to avoid responsibility for negligence, for example.  But she is worried that the language could have a chilling effect on injured parties and prevent them from bringing cases in the first place.

"One parent might say, 'Gee, honey, we signed this paper,' and not sue," she said.  "But on its face, that phrase is ridiculous."

Have you been asked to sign a contract or waiver for your kids with absurd language?  Enter it below.

*Follow Bob Sullivan on Facebook     
*Follow Bob Sullivan on Twitter.

If you've ever felt overwhelmed by deciding what brand of toothpaste to buy or what flight to book, two marketing professors think they know why.

"Decision quicksand," a painful element of 21st century life, ironically strikes hardest when people face trivial choices, say researchers Aner Sela of the University of Florida and Jonah Berger of the Wharton School, in a paper to be published later this year in the “Journal of Consumer Research.”

While struggles to pick a new job or a select a mate might seem to demand the most deliberation, decision quicksand strikes even harder over trivial choices.  Little decisions cause a big problem precisely because they are surprisingly hard. Faced with too many options, consumers unconsciously connect difficulty with importance, and their brains are tricked into heavy deliberation mode, the researchers say in their paper, “Decision Quicksand: How Trivial Choices Suck Us In."

The challenge of too many choices -- a bane of life in the age of information overload -- arises in part because people fail to recognize decisions as relatively unimportant.

"Why do we agonize over what toothbrush to buy, struggle with what sandwich to pick, and labor over which shade of white to paint the kitchen?” the authors ask. “… Instead of realizing that picking a toothbrush is a trivial decision, we confuse the array of options and excess of information with decision importance, which then leads our brain to conclude that this decision is worth more time and attention."

But something else is going on, they contend:  our brains are ruled by an unconscious force that mistakes difficulty – any difficulty -- for importance.

To test their theory, the researchers set up numerous experiments. In one, volunteers were asked to select a flight using an online service.  Half the volunteers were forced to use a site with a small, hard-to-read font.  That one extra hurdle added nearly 50 percent to their deliberation time.  When told that the trip was short, so flight choice didn't matter as much, deliberation choice time spiked even more. (The researchers controlled for added time that could be blamed on simple difficulty reading.)

Decision struggles can be blamed for many poor outcomes – couples’ spats in the grocery store, or at the video rental place come to mind. But there are longer-term consequences.  Research shows that time spent in decision quicksand before a choice correlates with dissatisfaction after the fact.  And of course, there’s all that wasted time and emotional energy.

If you are still debating whether or not you should read on, of if you should "like" my columns on Facebook (YOU SHOULD), the authors offer some simple advice:

*Set decision rules and stick to them. In other words, start with a time limit that reflects the true importance of the choice. For example, "I will book a flight in 5 minutes, no matter what."

*Delegate unimportant decisions:  “Honey, you pick the toothpaste.”

*Breaks can also help. Spending time away from a decision-making process can free the brain from an obsessive loop. "Even minor interruptions, short breaks, or momentary task switching can change information processing from a local, bottom-up focus to a top-down, goal-directed mode," the authors say.

Have you spent way too much time on a relatively unimportant decision recently? Tell us below.

*Follow Bob Sullivan on Facebook     
*Follow Bob Sullivan on Twitter.

A 12-year-old Minnesota girl was reduced to tears while school officials and a police officer rummaged through her private Facebook postings after forcing her to surrender her password, an ACLU lawsuit alleges. 

The claims are the latest in a string of tales showing that even password-protected, private online activities might not be safe from curious government agencies and schools. (See last week’s story)

The girl, whose identity is withheld in the lawsuit, came home "crying, depressed, angry, scared and embarrassed" after she was intimidated into divulging her login information by a school counselor and a deputy sheriff, who arrived in uniform, armed with a Taser, the lawsuit alleges.

"(The student now) fears that the school could make her give up her passwords at a moment's notice, at any time, for any reason," the lawsuit claims.  It also alleges that password prying is standard practice at the Minnewaska Middle School, which the student still attends. "(Officials) have compelled other students to disclose their private information and have accessed students' online accounts on multiple occasions," it states.

Officials at the Minnewaska Area School District -- which is about 125 miles northwest of Minneapolis -- say the ACLU's version of events is "one-sided," and that the school acted to "prevent disruption," according to a statement e-mailed to msnbc.com by Superintendent Gregory Ohl. 

"The district is confident that once all the facts come to light, the district's conduct will be found to be reasonable and appropriate," it said.  

When asked if the district has obtained other students’ login information, he responded, “We feel this is not accurate.”

The lawsuit raises the complicated -- and quite unsettled -- legal quandary that balances students' constitutional rights with schools' needs to maintain order and a positive educational environment. For example, can schools punish students who publicly criticize school officials on their own time using social networks?

Federal district courts have handed down contradictory decisions on that issue. Facing a chance to settle the matter, the U.S. Supreme Court in January declined to hear three cases on the issue.

But private social media criticism, intended only for a limited audience behind a password or a privacy wall, raises a different legal issue, said Teresa Nelson, a lawyer for the ACLU in Minnesota.  

"The notion that it was a search of her private Facebook content ... the Fourth Amendment applies," she said.  "The government has to have a really good reason to do that kind of search," and would need a court order in most cases, she said.

Monitor 'was mean to me'
According to the ACLU's version of events, the girl had moved and entered a new school as a 6th-grade student in the fall of 2010. In early 2011, she felt targeted by a school monitor and posted an update to her friends-only Facebook wall saying she "hated" the monitor because "she was mean to me," using her own computer and while off campus.

Soon after, she was called into the principal's office -- he had obtained a screen shot of the post -- and given detention.

The student subsequently posted another update to her page related to the incident: "I want to know who the f%$# told on me," the complaint says. Again, she was called to the principal's office, and this time was suspended for "insubordination" and banned from a class ski trip.

In March, the student had a second run-in with school authorities.  The parent of another student had complained that the girl was talking about sex with that student.  The 12-year-old was called out of class by a school counselor and eventually brought into a room with several school officials and the sheriff's deputy, where the password demands began.

The ACLU claims that the school never asked the girl's parents for permission to examine her private Facebook space. The school district doesn't dispute that it obtained the girl's password, but does say it had parental permission.

"Any viewing of (the student's) Facebook account was done with the express consent of her parents," it said in the statement to msnbc.com.

In the First Amendment fight over online criticism related to school, districts and parents are relying on legal interpretations of an outdated 1969 Supreme Court decision knows as “Tinker,” which gives students wide latitude to criticize.  That decision famously gave us the phrase, "Students don't shed their constitutional rights at the school house gates."  The opinion offers little guidance about rights on the other side of a firewall or a Facebook password, however.

The Tinker case basically found that students can say what they want as long as the speech doesn't cause a disruption at school.  But can a school's ability to punish students extend to activity conducted entirely off school grounds?

Dozens of cases over the last decade have failed to hash out the online version of this debate.  In one, a Pennsylvania student who was suspended for making a MySpace page that mocked a principal was granted a reprieve because the U.S. Court of Appeals found it wasn't disruptive. In another, a West Virginia student's suspension was upheld after she created a MySpace page where students were encouraged to discuss if a fellow classmate had herpes. 

Legal confusion
Even though the National School Boards Association asked the U.S. Supreme Court to hear appeals on these two cases in an attempt to break what seems like a legal tie, the nation's top court demurred, leaving behind a lot of legal confusion.

"Things are complicated," said the ACLU’s Nelson. "Kids have been criticizing school officials since there have been school officials. ... If kids had been venting about teachers at McDonald's no one would care."

One important distinction noted by Nelson: While she believes demands for a student's Facebook password were a clear Fourth Amendment violation, there's no constitutional issue raised by a school official learning about a private communication that's volunteered by another student. In other words, students' private Facebook chatter is only as private as the participants make it.

The ACLU of Minnesota offers a rights handbook to students who use social media. While it's specifically applicable only to Minnesota law, its principles are universal.

The pamphlet notes that while school officials in most cases cannot force students to reveal their Facebook login information, officials can search for evidence of violations "if they have reasonable individualized suspicion" about an ongoing violation of school rules. 

And while free speech rights may prevent schools from banning students from classes because of non-disruptive but critical Facebook posts, those legal protections do not extend to extracurricular activities. In other words, football players and math club members can be kicked off their squads for anything a school official deems against policy.

It's important to note that while Facebook's terms of service say members cannot give out their passwords or otherwise allow others to view private areas of their accounts. But those same terms say members must be 13 years old to join.

*Follow Bob Sullivan on Facebook     
*Follow Bob Sullivan on Twitter.

What would you do if you found a smartphone on the subway or at a coffee shop? If you're like most Americans, you'd rummage through the phone looking for photos, emails and even private banking information. And the chances are only 50-50 that you would try to return the phone.

Computer security firm Symantec Corp. recently conducted an elaborate, first-of-its-kind study on lost smartphones and shared the results exclusively with TODAY and msnbc.com. The company set a trap for human nature, then sat back and watched. The results were not pretty.  

Symantec researchers intentionally lost 50 smartphones in cities around the U.S. and in Canada. They were left on newspaper boxes, park benches, elevators and other places that passers-by would quickly spot them. But these weren't just any phones -- they were loaded with tracking and logging software so Symantec employees could physically track them and keep track of everything the finders did with the gadgets.

Symantec Corp.

Symantec Corp. researchers left this cell phone on a newspaper box in New York City -- then used logging software and GPS to watch what happened next.

To spice up the test, the phones had an obvious file named "contacts," making it easy for any finder to connect with the phone's rightful owner.   But the phones also offered tempting files, with names like "banking information," and "HR files."  

Some 43 percent of finders clicked on an app labeled "online banking." And 53 percent clicked on a filed named "HR salaries." A file named "saved passwords" was opened by 57 percent of finders. Social networking tools and personal e-mail were checked by 60 percent. And a folder labeled "private photos" tempted 72 percent.

Collectively, 89 percent of finders clicked on something they probably shouldn't have.

Meanwhile, only 50 percent of finders offered to return the gadgets, even though the owner’s name was listed clearly within the contacts file.

"I wasn't surprised, but I wish I had been,” Kevin Haley, director at Symantec’s security response team, said of the unscientific test. “At the end of the day people’s curiosity is so strong, if you present them with the opportunity, they will do it. You would have hoped most people would have made every effort to return the phone."

It's important to note that most, if not all, of the finders weren’t criminals and did not wake up the day they found the lost phones with the intention of rummaging through someone else's personal information. But the temptation created by finding such a device was apparently too much for most of them -- even for some Good Samaritans who tried to return the phone. The story of one lost phone illustrates this point.

On Feb. 2 at 3:05 p.m., Symantec “lost” a phone in a bathroom at Santa Monica Pier in California. A finder tried to access the phone's contacts application 18 minutes later. Moments later, the finder accessed files labeled “passwords,” “cloud-based docs” and “social networking.”

GPS data indicates the finder moved the phone into a nearby restaurant, then into a mall, and an hour later, to a dog park.  At around 5 p.m., the finder opened the Contacts application three times, even there were only two entries listed in it – and one, clearly including an e-mail address and phone number for the owner.

Then the finder continued rummaging around the device, started the File Manager application, and explored files on the gadget's SD card. 

The phone then made its way through downtown Los Angeles, eventually settling in East L.A., where the finder opened the passwords file three times.  Then, online banking, social networking, contacts, private pix, remote admin and other files were opened in rapid succession. Soon after, the device was plugged into a computer for recharging, and then finally reset to original factory settings, wiping all the logging software off the gadget.

Symantec Corp.

This map shows where one finder moved the phone; a chart on the right shows what apps and files were accessed.

But a guilty conscience eventually won out with this finder. On Wednesday, Feb. 8, nearly a week after the gadget was lost, the finder wrote an e-mail to the  supposed owner. It read:

"Hi. I found your phone at the Santa Monica Pier last Thursday (Feb. 2). I used it for like a week but now I feel bad and want to return it. I'm really sorry. :/  What do you want me to do to return it to you?"

Some might consider the 50 percent return rate a victory for humanity, but that wasn't really the point of Symantec's project. The firm wanted to see if -- even among what seem to be honest people -- the urge to peek into someone's personal data was just too strong to resist.  It was.

"The most stunning thing to me were the people that attempted to open bank account information -  four out of 10 finders. That's, a lot," Haley said.

Another tale of a phone lost near Rockefeller Center in New York City at 4 p.m. on Feb. 2 illustrates this point well.

The finder moved the phone some six blocks north, then repeatedly opened and closed the contacts application, again containing only two entries. One can imagine the finder struggling with his or her conscience like the “Lord of the Rings” character, Gollum, deciding what to do.  Between 4:30 and 6:30 p.m., the finder opened most of the other applications, and took many more glimpses into the “contacts” file. At 10:30, activity on the phone stopped.

Symantec Corp.

This phone was left in a bathroom near Los Angeles.

Suddenly, at 4:03 a.m., the phone was used again by its finder -- this time to peek a view of the “HR salaries” file.

"It's like they woke up out of a deep sleep and said, 'Hey there's salary information on that phone. Let me see if I can access it,'” said Haley.  

At 6:30 a.m., the finder opened the calendar, private pix, social networking, online banking, HR salaries, remote admin, corporate e-mail and passwords. For the rest of the day, there was near continuous rummaging through the phone, including the eventual launch of File Manager to see the entire phone's contents. 

"It's relentless. He can't get into online banking so he goes back to the file that has passwords in it, checks the passwords again and tries again,” Haley said. “He tries to log in remotely to the computer, can't get on so he goes to password to get the password and tries again."

By nightfall, activity on the phone stopped, and it remained relative dormant until it was moved to New York City's Chinatown area at 5:35 a.m. Feb. 9 -- one week after it was lost -- and wiped clean, probably for sale on the black market.

Scott Wright, president of Security Perspectives Inc, helped design the research for Symantec.  One statistically insignificant finding he called attention to: the return rate in Ottawa was 70 percent, highest in the study. The lowest return rate – 30 percent – was in New York City.

“Curiosity is a very powerful thing, especially on a mobile,” he said. “The most surprising thing is how obsessed people became with finding personal information off the phones, with accessing e-mail, accessing social network, private pictures. … People didn't give up. They just kept trying again and again over the course of a week to get access to this data and that really surprised me.”

RED TAPE WRESTLING TIPS

The lesson here is obvious: studies show that half to three-fourths of smartphone users don’t password-protect their phones.  That’s an invitation to disaster. While most corporations force users to password-protect their phone, many personal users think entering a password is a hassle that interrupts their texting habits. 

One lost phone would quickly change that perspective.

After the steady drumbeat of identity theft and lost privacy stories, why would consumers still choose to put their smartphones at risk?

“People haven't thought it through,” Haley said. “Maybe before they had a smartphone, losing an old cell phone was devastating but there wasn't much information on it.  Maybe it’s like the frog in a pot of cold water that’s eventually boiled –  it wasn’t that bad losing their old phone, so people haven't thought through how much information is now on their smart phones and what could happen if they lost it. We hope this research shows what could happen and sticks out in people's minds.”

Even if you are glass-half-full person, and think a lost phone would find its way back to you, if you don’t use a password you’re still putting your data at great risk.

“The moral of the story is that people may offer to give you your device back, but you shouldn't assume they haven't accessed any of their personal or corporate information on the device,” Wright said.

Of course, PIN-protecting your phone may prevent a Good Samaritan finder using “contacts” to find you. So Haley recommends placing contact information on the outside of the phone, perhaps on the case.

Also, consider technology that allows you to wipe the smartphone’s memory clean in case it’s lost. There are also services like Apple’s MobileMe, which let you locate the phone through a Web page; several commercial services offer similar products. 

If you find a phone, the best thing to do is quickly turn it in to the nearest authority – a police officer or the lost & found at the mall, for example. If you really want to gain good gadget karma, and you can determine the service provider, walk it into a nearby Verizon, T-Mobile, Sprint or AT&T store and turn it in there. It’s easy for stores to look up the phone’s serial number and get contact information for the rightful owner.

You might look up the owner on the gadget and send him or her an email. But be realistic about your own human nature. If you don’t think you could resist taking a peek at personal information on the phone, you are probably best handing it off to someone else instead.

*Follow Bob Sullivan on Facebook     
*Follow Bob Sullivan on Twitter.

If you think privacy settings on your Facebook and Twitter accounts guarantee future employers or schools can't see your private posts, guess again.

Employers and colleges find the treasure-trove of personal information hiding behind password-protected accounts and privacy walls just too tempting, and some are demanding full access from job applicants and student athletes.

In Maryland, job seekers applying to the state's Department of Corrections have been asked during interviews to log into their accounts and let an interviewer watch while the potential employee clicks through wall posts, friends, photos and anything else that might be found behind the privacy wall.

Student-athletes in colleges around the country also are finding out they can no longer maintain privacy in Facebook communications because schools are requiring them to "friend" a coach or compliance officer, giving that person access to their “friends-only” posts. Schools are also turning to social media monitoring companies with names like UDilligence and Varsity Monitor for software packages that automate the task. The programs offer a "reputation scoreboard" to coaches and send "threat level" warnings about individual athletes to compliance officers.

A recent revision in the handbook at the University of North Carolina is typical:

"Each team must identify at least one coach or administrator who is responsible for having access to and regularly monitoring the content of team members’ social networking sites and postings,” it reads. "The athletics department also reserves the right to have other staff members monitor athletes’ posts."

All this scrutiny is too much for Bradley Shear, a Washington D.C.-lawyer who says both schools and employers are violating the First Amendment with demands for access to otherwise private social media content.

"I can't believe some people think it's OK to do this,” he said. “Maybe it's OK if you live in a totalitarian regime, but we still have a Constitution to protect us. It's not a far leap from reading people's Facebook posts to reading their email. ... As a society, where are we going to draw the line?"

Aside from the free speech concerns, Shear also thinks colleges take on unnecessary liability when they aggressively monitor student posts.

"What if the University of Virginia had been monitoring accounts in the Yeardley Love case and missed signals that something was going to happen?” he said, referring to a notorious campus murder. “What about the liability the school might have?"

Shear has gotten the attention of Maryland state legislators, who have proposed two separate bills aimed at banning social media access by schools and potential employers. The ACLU is aggressively supporting the bills.

"This is an invasion of privacy. People have so much personal information on their pages now. A person can treat it almost like a diary," said Goemann, the Maryland ACLU legislative director. "And (interviewers and schools) are also invading other people's privacy. They get access to that individual’s posts and all their friends. There is a lot of private information there."

Maryland's Department of Corrections policy first came to light last year, when corrections officer Robert Collins complained to the ACLU that he was forced to surrender his Facebook user name and password during an interview. The state agency suspended the policy for 45 days, and eventually settled on the “shoulder-surfing” substitute.

"My fellow officers and I should not have to allow the government to view our personal Facebook posts  and those of our friends just to keep our jobs," Collins said to the ACLU at the time.

Agency spokesman Rick Binetti confirmed the new policy, but wouldn't comment on it or the proposed law which may ban it.

It's easy to see why an agency that hires prison guards would want to sneak a peek at potential employees’ private online lives. Goemann said that prisons are trying to avoid hiring guards with potential gang ties -- the agency told the ACLU it had reviewed 2,689 applicants via social media, and denied employment to seven because of items found on their pages.

"All seven of these individuals' social media applications contained pictures of them showing verified gang signs (signs commonly known to law enforcement which are utilized by gangs)," the Department of Corrections told the ACLU  in response to questions it asked about the program. It stressed the voluntary nature of social media inspection, noting that five of the 80 employees hired in the last three hiring cycles didn't provide access.

For student athletes, though, the access isn't voluntary. No access, no sports.

"They're saying to students if you want to play, you have to friend a coach. That's very troubling," said Shear, the D.C. lawyer.  "A good analogy for this, in the offline world, would it be acceptable for schools to require athletes to bug their off-campus apartments? Does a school have a right to know who all your friends are?"

There have been many high-profile embarrassing moments born of the toxic combination of student-athletes and Twitter. North Carolina defensive lineman Marvin Austin tweeted about expensive purchases on his account two years ago, then became subject of an NCAA investigation about improper conduct with a player agent. The incident led, in part, to the school's aforementioned aggressive social media policy.

So it’s not surprising that many schools want to keep a careful eye on what students are posting online.

But avoiding an uncomfortable moment is not a good enough reason to squash free speech, Spear says. Plenty of settled case law in the U.S. sides with students' rights to express themselves publicly, he said, including numerous cases involving student newspapers.  Public displays of protest are also protected: A landmark 1969 Supreme Court decisions known as Tinker vs. the Des Moines School District said school officials couldn't prevent students from wearing armbands protesting the Vietnam War as long as they weren't inciting violence.

Colleges have legitimate concerns about the things students post on social media accounts, but they should "deal with that issue the way they deal with everything else. They should educate," Shear said.

"Schools are in the business of educating, not spying," he added. "We don't hire private investigators to follow students wherever they go. If students say stupid things online, they should educate them ... not engage in prior restraint."

Goemann also noted that the rush to social media monitoring raises an often overlooked legal concern: It's against Facebook's Terms of Service.

"You will not share your password ... let anyone else access your account or do anything else that might jeopardize the security of your account," the site says in its policies. 

Frederic Wolens, a Facebook spokesman, wouldn't comment on the Maryland legislative proposals, but he said many of these school and employer policies appear to violate the site's terms.

"Under our terms, only the holder of the email address and password is considered the Facebook account owner. We also prohibit anyone from soliciting the login information or accessing an account belonging to someone else," he said in a statement to msnbc.com. Wolens said Facebook has yet to take a position on collegiate social media monitoring.

Social media monitoring on colleges, while spreading quickly among athletic departments, seems to be limited to athletes at the moment. There's nothing stopping schools from applying the same policies to other students, however.  And Shear says he's heard from college applicants that interviewers have requested Facebook or Twitter login information during in-person screenings.

The practice seems less common among employers, but scattered incidents are gaining attention from state lawmakers. The blog Tecca.com last year showed what it said was an image of an application for a clerical job with a North Carolina police department that included the following question:

"Do you have any web page accounts such as Facebook, Myspace, etc.?  If so, list your username and password." 

And the state of Illinois has followed Maryland's lead and is considering similar legislation to ban social media password demands by employers. 

But Shear says a patchwork of state laws isn't good enough when the stakes are this high.

"We need a federal law dealing with this," he said. "After 9/11, we have a culture where some people think it's OK for the government to be this involved in our lives, that it's OK to turn everything over to the government. But it's not. We still have privacy rights in this country, and we still have a Constitution."

*Follow Bob Sullivan on Facebook     
*Follow Bob Sullivan on Twitter.  

Victims of child identity theft and their parents are left with an obvious question when they discover the crime: Why would anyone grant credit to a child?

The answer, for those who find it, is perhaps even more infuriating: Creditors often have no way to know an applicant is a child. Lenders, for example, usually have no idea how old the rightful holder of a Social Security number is. The nation's credit bureaus often don't know either. 

A new Child Identity Protection program implemented by the Utah state attorney general's office and the credit bureau Trans Union may be able to change that.

"For the first time, parents can proactively protect their children from being victims of identity theft," said Richard Hamp, the assistant attorney general for Utah who helped create the program. "We're really excited about it."

The program is currently open only to parents in Utah, but both Utah authorities and Trans Union are already in talks with other states to make it available nationwide.

Prior to Utah's Child Identity Protection program, concerned parents couldn't do much to protect their kids' credit until after they suspected their kids' identities were stolen. Even then, the available options were often frustrating. Parents could ask a credit bureau if there was an open credit file using their kids' personal information and request that it be closed and the erroneous information expunged. If no credit file existed, they would receive an unsatisfying "no file" response, and be left to wonder if a criminal would open one in the future. 

Hard data on the incidence of child identity is hard to come by, because the crime can go undetected for a decade or more – until the child turns 17 and applies for credit or a college loan. But there are plenty of indications the crime is on the rise. A study released by fraud-fighting firm ID Analytics in 2011 found that 140,000 kids each year are hit by the fraud; another 500,000 sets of parents and children are "inappropriately sharing" Social Security numbers, hinting at an even more widespread problem, ID Analytics found.

Hamp was an early advocate of credit freeze laws passed by dozens of states that forced the nation's credit bureaus to offer identity theft victims to "lock" their credit reports from any applications for credit. Seeing the rise in fraud against kids, Hamp began working on legislation that would require the credit bureaus to let parents lock their children's Social Security numbers about two years ago.

"But Trans Union called and said they'd work with us on a voluntary basis. You don't need to legislate," he said. "I took them up on it."

Utah already had a leg up in creation of this kind of system, having launched its Identity Theft Reporting System website several years ago. Victims use the system, known as IRIS, to report the crime, and it includes a robust authentication system using various state databases, such as driver's license records. Hamp agreed to use IRIS to authenticate parents who wish to enroll children in an anti-ID theft program. That made Trans Union's part of the work much easier.

After Utah verifies the identity of the parent and collects a child's personal information, state authorities send the child's SSN and age to the credit bureau. Trans Union then places the information in its "high risk fraud database." If a child ID thief tries to use a kid's SSN while applying for credit, the lender gets a pre-programmed warning message.

"Initially I wanted a message that said, 'This number belongs to a kid,' but this allowed them to tap into a system they already had and get it done quickly," Hamp said.

Trans Union and Utah officials held a launch ceremony for the system in late January.

"We do recommend every parent enroll their children," said Steven Katz, senior director of consumer operations for Trans Union. "There is no downside to it."

Enrollment is free. Kids are automatically removed from the high-risk database on their 17th birthday, he said. Trans Union has agreed that none of the information entered into the system will be used for marketing purposes.

"The intention of this program is to assist parents and guardians in preventing ID theft among children, and that’s all the data will be used for," he said. Trans Union will consider sharing the data with the nation’s other credit bureaus, he said, much as the bureaus share fraud alert information now.

Parents who worry that Trans Union might misuse the data shouldn't allow that to keep them from using the program because "they don't give their kids' data to Trans Union, they give the data to us," Hamp said. "We retain all rights to the data."

The program isn't perfect, however. ID theft expert Linda Foley, who runs IDTheftInfoSource.com, said she's worried that the system only stops credit-based ID theft.  It's powerless to prevent creation of fake driving licenses, for example. Such a system risks "giving parents a false sense of security," she said.

Also, because so much of child identity theft is committed by parents, there's a fundamental flaw in the way the program is set up, she said.

"Since parents enroll kids, those stealing from their kids will not be interested in this opportunity. It needs to cover all children," she said.

Still, Hamp believes the Child Identity Protection system is a big step in the right direction, and he's urging all parents to consider it. Already, about 1,000 children have been registered, Hamp said. He plans on bumping up participation by partnering with school districts students can be registered en masse.

"I'm really excited about this," he said. "Instead of having to fight Trans Union, we came up with a mutually acceptable resolution. Is it perfect? No. Are there still going to be problems? Yes. But it's the best thing available for parents to protect their kids."

*Follow Bob Sullivan on Facebook     
*Follow Bob Sullivan on Twitter.  

When the expression "red tape" was invented, they had phrases like this in mind: "Request to Inspect or Receive Copies of SF 278/OGE Form 278 Executive Branch Personnel Public Financial Disclosure Reports or Other Covered Records."

This is a story of what it takes to find out how much Newt Gingrich earned giving speeches last year.  Gingrich isn't hiding the information, which was filed with the Office of Government Ethics recently. It's simply being held hostage by red tape. 

NBC News Deputy Political Director Domenico Montanaro looked at Gingrich's amended financial disclosure, made available on Tuesday, and found on Page 2 references to "Annex A," where the candidate was supposedly to list his paid speeches. But Annex A was nowhere to be found. Montanaro e-mailed the Office of Government Ethics to ask for help. 

A Franz Kafka novel ensued.

Montanaro, long since pre-registered with the Federal Election Commission to receive public financial disclosure releases, was told he had to fill out "Form 201" with the Office of Government Ethics and directed to a page on agency’s website.  But the form was in .pdf format and, while it could be filled out electronically, the changes could not be saved. Instead, Montanaro found, he had to print it out.  But the completed form also could not be sent via fax back to the agency. It had to be electronically scanned and emailed to a special inbox at the Office of Government Ethics.

Upon receipt of the email, the agency promised to mail -- as in, dead-tree mail -- the elusive Annex A.

To review: getting access to Gingrich's disclosure required a visit to a website, an email, downloading a .pdf, filling it out, printing it, scanning it, emailing it and then waiting for a first-class letter. 

Perhaps this kabuki dance helps keep the struggling U.S. Post Office in business, but in the age of Twitter, it's an awfully convoluted process to get a piece of information. And it makes you wonder about the spirit of financial disclosure rules.

Montanaro told the agency what you all must be thinking now. Why isn't this important public information simply placed on a website for all to see?

"Pardon my frustration, but OGE really doesn’t make this easy. … It’s really not the most efficient way for either me as a journalist to report or for an office of ethics to serve the public in a timely way. As a result, neither of us is serving readers or viewers in the best way we can," he wrote to "ContactOGE," the contact address he was given to place his request. "I know it’s not your fault, nameless email address. But an innovative, red-tape loathing staffer in your office might want to think about how to streamline this process and make a name for themselves -- maybe even you, ContactOGE."

As for that important information: Montanaro is still waiting.  We’ll update you when the Pony Express arrives with it.

Of course, the point of this tale isn’t to tell you that an NBC reporter was inconvenienced. You would have had the exact same experience if you tried to get the disclosure information. This is a story about the failure of transparency.

Archives.gov

You too can own a genuine piece of U.S. government red tape. Or, you could just live it every day.

“I find it a little ironic the agency that’s set up to encourage government ethics makes this more difficult than it should be,” Montanaro told me. “They could be doing more productive things with their time than spending more than a week helping a reporter with something.  They could be investigating ethics. … I think the people who work there have good intentions, but it seems so often than these government agencies set up with the right intentions wind up getting mired in red tape.”

By the way, in case you are curious, the term "red tape" has many mythical origins, but the National Archives believes it has the right answer: red ribbons were used to bind piles of government documents dating back to the Civil War. Opening the files required someone to "cut through" the red tape.

Lucky for you, it's now possible to buy your very own sliver of government red tape, encased in plastic, from the National Archives eStore. Price:  $45. Apparently, red tape isn’t cheap.

(Financial disclosure: Several years ago, seeing the name of my blog, an official at Archives sent me one for free. It sits proudly in my office)

*Follow Bob Sullivan on Facebook     
*Follow Bob Sullivan on Twitter.  
*Follow Domenico Montanaro on Twitter.

Facebook is apparently getting a lot more unfriendly.

Users are getting a lot more selective, deleting comments, photo tags and even friends at a record rate, according to a new study released Friday by the Pew Internet and American Life Project.

Pew is calling this phenomenon "the pruning" of social networks, and the study includes findings like this: 63 percent of users have unfriended people from their friends users. Another 44 percent have deleted comments made by others from their profile page, and 37 percent have removed tags from photos.

"Social network users are becoming more active in pruning and managing their accounts," says the report, written by Mary Madden, senior research specialist at Pew.

Users are also taking an active role in keeping their private information private, with 58 percent of users saying they use high-level privacy settings so only friends can view their pages. Women are far more restrictive, with 67 percent using the tightest privacy settings, compared to 48 percent of men. They lock down their accounts despite the fact that half of all users say they have "some difficulty" using the privacy controls.

The research seems to suggest that U.S. adults, who have so far shown little appetite for actively managing their personal privacy, are starting to get the hang of it.

"Social science researchers have long noted a major disconnect in attitudes and practices around information privacy online. When asked, people say that privacy is important to them; when observed, people’s actions seem to suggest otherwise," the report noted. The shift to more privacy on Facebook seems to belie this long-standing trend.

Perhaps regret has something to do with that.  The report found that 11 percent of Facebook users say they've posted something that they regret on a social network. Men are twice as likely to say so (15 percent to 8 percent). Users 50 and older, at 5 percent, are much less likely than young adults under 29 (15 percent), to express such regret. 

One area where there was a surprising lack of age gap: Overall privacy settings. While 23 percent of users 65 and over choose fully public settings, 22 percent of users 18-29make the same choice.

"The choices that adults make regarding their privacy settings are also virtually identical to those of teenage social media users," the report said.  "Private settings are the norm, regardless of age."

Young adults are more likely to "unfriend," however at 71 percent, compared to just 41 percent for the oldest users.

The Pew report is based on a survey of 2,277 U.S. adults conducted in May, and has a margin of error of +/- 3 percent.  In nearly all "pruning" related categories, and within nearly all age groups, use of privacy-related tools gained ground since the last time Pew conducted the study in 2009. Back then, only 30 percent of all users had untagged a photo, compared to 37 percent in 2011; and 56 percent had unfriended someone, compared to 63 percent in 2011. 

*Follow Bob Sullivan on Facebook     
*Follow Bob Sullivan on Twitter.  

You already have an "insurance score." You have an "Employment Credit Score."  There's even a "MedFICO," which attempts to predict whether you’ll actually pay your doctor’s bills.  Now that a "Facebook score" has been invented,  I expect a "Grocery Habits score" and a "Music Taste" score to arrive any time now.

These scores probably hurt you more than help you, and in ways that are kept secret from you.  To borrow a phrase from today's big pop-culture story, American businesses are suffering from "Score-sanity."  And you are suffering the consequences.

In case you missed it, researchers at three U.S. colleges say they've figured out a way to predict future job success by scoring applicants' Facebook profile pages. This wasn't a mere exercise in finding embarrassing college photos. The profs created five categories that map to character traits which often lead to success at work: Conscientiousness, emotional stability, agreeableness, extraversion and openness. Then, people were boiled down to a "personality score," which may as well be called a Facebook score.  Surprise! The score did a decent job of mapping to employee reviews six months later.

We already know that U.S.-based hiring managers routinely browse Facebook while screening applicants (something that is illegal in Germany). A scoring system that automates that process, and promises to take human error out of it, will be just too tempting. 

Today is not the day to debate the wisdom of the “Moneyball-ization” of America, the wisdom of our newfound romance with everything and anything that fits into a database.  My main concern with Facebook scores -- as it is with insurance scores -- is the lack of transparency. Odds are that you pay more for your auto insurance than you should if your credit score is low. How much more? No one knows, because the U.S. Supreme Court has ruled that auto insurance companies don't have to tell you. Insurers have decided that credit scores are a good predictor of future insurance claims, and punish drivers based on that.  But they don't have to tell them what the low-score penalty is.

Soon, some workers will face mysterious troubles getting past the first round of interviews, and have no idea why.  The cause could be an embarrassing photo in a social media profile. But based on this new research, it could that they don't discuss classic literature often enough in their timeline, or they don't have 700 friends. 

Study after study shows that while Americans claim to care about privacy, they don't.  Fewer than 10 percent change their behavior in an attempt to preserve their privacy; another  third essentially believe: "I have nothing to hide so why should I care?" 

Your Facebook score is the answer.

Professor Daniel Solove of George Washington University, who studies the intersection of privacy and policy, has found that most young Facebook users aren't worried about the things they post online because they have a naive faith that it won't hurt them later in life.  They believe no hiring manager would hold some random Tweet against them. They are wrong.  An HR department facing a stack of 100 resumes for one job would love a numerical tool that could automatically whittle the pile to five or six.  HR departments already do some of this whittling based on credit reports.

When young people tell me they have nothing to hide, I often ask them about their music  tastes. Most use iTunes, and increasingly use subscription services like Spotify. These firms know everything about their music tastes.  It is a very small leap to imagine these companies selling this data to employment background firms, which might then find a correlation between the bands that subjects listen to and their likelihood they'll habitually be late to work. Suddenly, a private allegiance to Megadeth could become a debilitating problem for an innocent worker who would have no idea why the rejection letters won't stop.

"No fair," folks often reply.

"But quite legal," I respond. Due to a quirk in the law (thanks to a very embarrassing Supreme Court nomination proceeding for Robert Bork), video rental records cannot be shared and sold in this manner. Thank God, otherwise Netflix would have done this long ago.  But music, social media posts, blog comments -- all these things are fair game to be sold, shared, jammed into a spreadsheet, and used to raise your health insurance rates or block you from a promotion.  Bought a lot of ice cream in 2008-2013? Watch those health insurance rates rise in 2020.

Maybe that's a good thing. To be fair, some people with higher credit scores do pay less for auto insurance because of this system. We can bicker about the wisdom of data mining and correlations. But we can't bicker about this: None of this is transparent.  No laws are in place to make sure this is fair.  No one has debated the wisdom of allowing social network activity to influence employment prospects (while other societies have decided against it). And most important, no one has made the rules clear for consumers.

There is a model for this. In the credit world, when consumers are denied a loan because of a low credit score, they are entitled to receive a "notice of adverse action." They are also entitled to see a copy of the credit report used in the decision.  Now is the time to think about regulations to ensure such consumer rights in this even-expanding world of "Score-sanity."  If someone's job prospects are hurt by the number of Tweets they publish on the New York Yankees, they should know. They should be entitled to a copy of their "Facebook Score" and the report that goes with it. 

I know companies which create such reports view them as proprietary, as the secret sauce they sell, and they fear that if consumers learn how the system works, they'll try to game the system. Tough. We’re talking about lives and livelihoods here. 

Correction: An initial version of this report said HR departments use credit scores when considering applicants. They use credit reports without a credit score.

*Follow Bob Sullivan on Facebook     
*Follow Bob Sullivan on Twitter.