Wednesday, August 18, 2021

"Real" ID on your phone

 

In June 2021, Apple announced an upcoming update to its Wallet app that will let you scan your state-issued ID and store it, encrypted, within the app. The digital identification could then be used wherever it is accepted. And that’s the holdup at this point.

Four years ago I wrote a blog about the REAL-ID Act and a little history about how driver’s licenses became forms of identification. You can read that blog at "Real" ID.

The post was closed with, “While you could probably identify yourself with the contents of your phone it is doubtful you’d get through a serious police encounter. You certainly couldn’t board an airplane”. Well, here we are in the 2020s and we can use our phones to digitally access more services and places every day. The coronavirus pandemic pushed companies to contactless services, which helped increase the use of digital tickets, keys, payment, and identification.

We can use digital boarding passes to board planes. Concert and sporting events have digital tickets. Pretty much every cash register has some sort of digital payment system. But the question still remains: can you use a digital ID as an official identification? Companies like Apple are providing the tools. Venues and other services have to decide how to adapt.

The number of states exploring the use of digital driver’s licenses is growing. As exploration continues, individual states are starting to implement programs. Colorado was the first state to implement a functional program that officials say is accepted by law enforcement throughout the State. Louisiana, Oklahoma, Delaware, and Arizona all have programs. Maryland, Wyoming, and Idaho have test programs. Utah, Iowa, and Florida will be launching programs in the next year.

As states begin accepting their own digital licenses there will have to be reciprocity between all of the states, as there is currently with card-based driver’s licenses. And then there is the federal government. While there is not currently a federal identification system, government agencies will have to be prepared to accept the individual state digital IDs. Apple is working with the TSA to develop policy to accept IDs contained in its Wallet app. Once enough states go digital, Congress will probably pass some sort of legislation that recognizes digital IDs contained on phones.

Wednesday, June 9, 2021

Modern police work or invasion of privacy?


NOTE: This article was initially posted in June 2019 and has been updated with new and current information.

The Maryland legislature passed a new law in 2021 that further regulates how law enforcement uses commercial DNA databases to identify suspects. With this new law, Maryland joins Utah and Montana as the only states to limit police use of these databases. In 1994, the Maryland legislature passed the Maryland DNA Collection Act, which authorized police to gather DNA evidence for certain criminal investigations. The Act was expanded in 2008 to include more crimes but also limited law enforcement from using State databases to search for relatives of a suspect, or familial matches. Maryland is the only state with such a limitation on state-run databases.

Maryland’s new law will take effect in October 2021 and bars law enforcement from using commercial DNA databases to look for familial connections. Law enforcement will be required to exhaust all other avenues of identification and then make application to a judge. Police will also have to obtain consent from a person not suspected of a crime before comparing that person’s DNA to commercial databases. 
 
         _________________________________________________________________________________
 
In March 2019, Florida police identified a suspect in a 1998 cold case murder after a man submitted his fingerprints for a job application. Law enforcement had submitted unknown fingerprints from the murder scene to a national database. As fingerprints from crime scenes, criminal arrests, clearance, and background checks are submitted to the database, they are checked against the fingerprints on file. Matches are then reported back to the submitting police departments.

Fingerprints

As detailed in my blog, “National” Record Checks?, there is not a national database of criminal records. There is, however, a database of fingerprints that matches to criminal records of individuals. Maintained by the FBI and begun in 1924, it is the world’s largest database of fingerprints and associated criminal history. Up until 1999, the system was based on manual collection, submission, and examination. Police would ink up a person’s fingers, roll out the prints on a card, and submit the card to the FBI. There, technicians would painstakingly examine the prints individually under magnification and check them against known crimes or suspects, after which the cards were filed. When the system became digital it was possible to check the submitted prints against the entirety of the database. Unknown prints found at crime scenes could then be matched against previously submitted prints and suspects developed. If you have ever been fingerprinted, your prints are stored in the system and checked against other submissions thousands of times a day.

The Florida case happened that way. In 1998, police submitted latent prints collected from the murder site. For twenty years every fingerprint submitted to the FBI was checked against the 1998 submission. The killer had avoided being fingerprinted for two decades.

Familial DNA

DNA testing was first developed for use in paternity identification.  Police in England first used DNA in a criminal case in 1986. The first DNA conviction in the U.S. came in 1987. As with any new forensic test, court admissibility was tested early on. Over the years DNA identification has been accepted and the process of collecting and identifying made more efficient. What used to take weeks now only takes days.

In 2018, police and the FBI captured a man suspected of being a serial rapist and murderer in a multitude of cases from forty years ago. The case was broken through the use of DNA. The suspect himself was smart enough not to have his DNA logged into any DNA databases. Smart detectives realized that outside of justice system DNA databases there is a plethora of information being collected by private entities. Ancestral research companies provide DNA collection kits, which allow people to submit their DNA for comparison to other samples in hopes of finding family matches. You guessed it. The profiles are stored in databases so that they can be pinged during searches.

Checking crime scene DNA against public sources of DNA, police were able to get a familial match. That match narrowed the pool of suspects down to one family.  This method has been tagged as “genetic genealogy”.  After the familial match, through traditional police work, detectives were able to identify a suspect. 

Genetic genealogy also works to identify the victims of violent crimes. In 2019, Anne Arundel County Police identified the remains of a man who had been discovered in a trashcan during the construction of Marley Station Mall in 1985. Roger Kelso was believed to have been killed in the 1960s and buried in the woods where the mall would eventually be constructed. Police compared the victim’s DNA to samples in public databases to form the familial match. The long cold case is now active.

The same methods were used to identify the remains of a woman and children found buried in barrels in the woods of Allenstown, New Hampshire in 1985. Although law enforcement had long ago associated the victims to serial killer Terry Rasmussen they had never identified the victims. By using genetic genealogy police in 2019 were able to finally identify the victims as Marlyse Honeychurch and her daughters Sarah McWaters and Marie Vaughn.

As you can imagine, privacy watchdogs are all over the issue of law enforcement having access to private sector databases.

Genetic privacy

Ancestry and 23andMe are the largest consumer testing providers. Both companies have policies in place that prevent law enforcement from having direct access to the databases. However, customers of both companies, hoping to grow their family tree, can upload their personal results to public databases. This is where law enforcement has access to the DNA results. Ancestral DNA companies are working to find balances. While they do not want to allow complete access to databases for misdemeanor crimes, companies do allow access for violent crimes. As law enforcement finds success they will rely more on these DNA databases.

Opponents of this kind of police work feel that the use of relatives’ DNA on public databases constitutes an unwarranted search and is thus illegal under the Fourth Amendment. State legislatures are paying attention, as Maryland and a few others have had bills introduced to bar police from using relatives’ DNA to track criminals.

Fingerprints, DNA, facial, hair, optical: these are all methods of identifying humans as individuals. All were new sciences at one time. All have made their way through the world’s courts as legal ways of making identifications. There are most certainly other scientific discoveries that will be added to the list. The question is and always has been, where does the privacy of individuals get compromised in the name of justice?

Thursday, August 13, 2020

Reopening also means gaining public trust

 

No mask-NO Service

Everyday life four months ago was extremely different than in July 2020. While we are not ordered to stay at home, it is suggested. Gatherings are still limited. Events like birthdays, weddings, and funerals are small private gatherings. Store shelves are, for the most part, stocked but there are still some items for which the shelf remains empty.

 

Businesses small and large have had to adapt and overcome. Before everything shut down businesses quickly set up cleaning stations, Plexiglas shields, and tape on the floor. The temporary adjustments were hurried responses to keep employees and customers safe and stay open. Then everything stopped.

 

During closures, most businesses had time to adjust to coming restrictions regarding reopening. Temporary became permanent. A “behind the scenes” part of getting the economy going again was the effort to create and install shields at customer interface points. Painter’s tape on the floors became printed stickers. Permanent signs explaining restrictions and warnings were manufactured. Face shields. And of course masks. The leaving-home check of keys, wallet, and phone has added a mask, which is also now a part of the employee uniform.

Masks

When COVID-19 began gaining momentum and entered into the pandemic phase, the public and businesses went slowly. No one wanted to believe that restrictions and precautions were permanent. As the economy reopened it was realized that to stay open, and in some cases avoid fines, businesses had to change. Temporary fixes had to become permanent. We now see permanent installations of shields, directional arrows to navigate, markings identifying where to stand, and in/out only doors. And of course masks.

 

Of all the changes we have seen from the pandemic the mask has been the most ubiquitous. Face coverings are our everyday life. They have sparked controversy. They have started arguments about wearing them improperly or not at all. They are now a point of fashion to be complimented. Masks are popping up in the impulse buy area at the checkout register and even vending machines. Masks have also become our non-verbal permission to enter and an invitation to leave. No mask – No service signs are posted in many storefronts. Businesses don’t want to turn people away, but they also don’t want to face the ever present risk of being shut down either.

Public trust

When stay at home orders were lifted and businesses began to reopen customers were leery about returning. Although we couldn’t wait to get out of our homes, we had to feel safe. The COVID virus was and still is a threatening menace. A big part of gaining a customer's trust is making them feel safe in your establishment.  To get ahead of competitors businesses had to try to be the first to explain the steps taken to keep customers safe. Not only what was being done to sanitize, but how, and how often. This has to be more than just words. Science has proven that we process visual data better than text or the spoken word. In fact, 90% of what we process is visual.  Customers have to SEE the action of cleaning and sanitizing in order to validate what is being advertised.  

 

Being in the grocery store and seeing an employee cleaning the carts or walking around, during business hours, cleaning door handles and contact surfaces goes a long way in convincing customers that the business is serious about their well-being. On a recent visit to a UPS store for their notary and overnight services, this was evident. Of course, they had queue markers on the floor and Plexiglas at the registers, which would be expected. What was impressive was seeing an employee wiping down a public computer station with disinfectant after each use by a customer. Seeing the employee clean the keyboard and work area after a single use reinforces that business’ commitment in the eyes of the customer.

 

Demonstrating sound sanitation practices to the public will get them back and keep them coming back. With instant reviews being posted on multiple platforms, word of businesses not practicing safe procedures will spread quickly. At this point in time that is a quick way to lose customers and get shut down. Again.

 

Another good move to show how seriously the company is taking health is transparency and decisive action. We’ve already seen businesses reopen only to be shut down again after a government agency finds a violation or an infected employee. Better to take the action yourself. Small businesses, especially bars and restaurants, have set this example. Setting up their own testing policies and discovering possibly infected employees, they have immediately shut down and publicized what happened and the actions they are taking to rectify the issue. It hurts to close your doors but keeping the public trust is more important now than ever.

 

In addition to changes in sanitation and ensuring there are safe practices in place, there are other changes as well. How we conduct business has changed and will probably have long-term effects. Offices cleared, sending employees to work from home. After a few weeks, with no solution to the virus in sight, corporations announced that they would not be returning employees, adopting permanent work from home policies. Businesses have learned to adapt to stay in business. What we thought couldn’t be done or never thought of trying is successful.  

 

We are looking for a return to “normal” when we are living what our normal now is. 

Wednesday, May 6, 2020

Business Adaptability

How is small business adapting to COVID19?

NOTE: Since this article was posted it has been updated with new information.
 
When governors issued stay at home orders and business closings it was a shock, to say the least. Businesses were deemed essential or non-essential, the latter being ordered closed for the foreseeable future with no reopening date. Small businesses of all sizes and industries are desperately hurting. It’s interesting to see how businesses have adapted to either reach their customers while closed or try to keep customers while operating under restrictions.

Businesses that provide personal services such as salons and barbershops do not have much choice. Restaurants were given a reprieve in that they could provide take out or delivery. Some businesses that were allowed to stay open are still seeing a decline in sales. People are just not going out. Even these businesses have had to become creative to develop more customers. One of the new buzzwords is contactless. Companies are using that description to reassure customers that you can obtain products without having to meet someone face to face. Businesses like hardware stores have begun offering curbside pickup to encourage shoppers that may not want to go inside the physical store. Ecommerce has increased especially for stores that are closed and have had to find other sales outlets.

A contactless marketing coup has been Little Caesar’s pizza portal. They offered in-store contactless pizza pick up before contactless was a thing. They quickly adjusted marketing with the new terminology to point out their system of pizza delivery. Other delivery pizza companies are ensuring drivers wear gloves and masks, and leave the thermal delivery bag outside the door for the customer to retrieve the products. In addition to deals and sales there’s been other creativity to entice customers. Restaurants are offering ingredient kits to make your favorite menu item at home. Bakeries are selling cake and cupcake decoration kits. Gardening and craft projects: the list of small businesses adapting to new marketing schemes grows every day.

What about when the restrictions ease? When everything reopens how are businesses going to change to reassure customers that it’s safe to patronize? As we’ve seen with the beaches around the country, when there’s a reopening some people are going to come out in droves. Others will wait a few days or weeks to see what happens. And others may not return to restaurants at all. A Washington Post-University of Maryland poll of 1,005 people found that Americans are wary of returning to restaurants and retail.

Retailers will have to demonstrate what sanitization and distancing procedures are being taken to reassure customers that it is safe to visit. The stores that are open now are taking measures to sanitize. Grocery stores are limiting shoppers and installing shields at checkouts. Restaurants are limiting capacity and reassigning staff to compartmentalize duties to one person-one task. Other types of retail are installing shields, social distanced queue markers, and ramping up contactless pay devices. Others that didn’t normally wear gloves are now. And, of course, everyone is wearing masks. Store signs used to read: No Shirt, No Shoes, No Service. Now, No Mask-No Service!

Patrons have to know what is being done to ensure their safety. Receiving communications as to the efforts and seeing the physical efforts, employees wearing masks, limited capacity, shields at points of sale, all this goes a long way to reassure customers that they will be safe when shopping.

Some companies that sell services, and some that are product based, are able to maintain operations by allowing employees to work from home. How will that change? Will companies move towards or relax work from home rules? If you’d Googled the word zoom in January 2020 the search results would have been much different than they are in May 2020. Now instead of the online dictionary definition (a more likely result) the first return is the website for the online video conferencing company. “Zoom” quickly became synonymous with web meetings. Japan’s business culture is having great difficulty with work from home. As technologically advanced as Japan is, their business world is steeped in tradition, requiring in-person transactions and paper documents.

What will go away and what will return to pre-COVID? Sanitizing wipe downs, gloves, masks, and register shields will probably stay. Will we shake hands to close a deal? Or will elbow bumps be the new social norm of greeting and accords?

The deeper we go into the economic shutdown, news of businesses adapting is breaking every day. Here are a few approaches to rethinking how we do business.

Still operating drive-in theaters are seeing a boom and entrepreneurs are looking to open new drive-ins. Music promoters are experimenting with drive-in concerts where venues will allow.

In addition to drive thru, Chick-Fil-A expanded curbside and added another feature. When the food is delivered to your car, it is carried inside of a plastic container. The customer then lifts their food bags out of the container. 

LYFT issued guidelines to reassure riders how they are ensuring clean and safe rides. https://www.lyft.com/blog/posts/lyft-launching-health-safety-program
A video of how Dutch restaurants are protecting employees and customers was released. https://m.youtube.com/watch?v=kz3oi4WIKl0

Thursday, April 16, 2020

Social Engineering Facebook

Social Engineering

NOTE: Since being published, this article has been updated with new information. 

If you’re on social media, specifically Facebook, you’ve seen the 21st-century version of chain letters. Here of late there’s been lots of “challenges”, quizzes, and tagging of friends to encourage them to keep the challenge going. List every country you’ve been to, list every state you’ve been to, favorite movies, pictures of pets, pictures of your spouse and/or your parents, and the most current: your high school senior photo, under #Classof2020.

Who knows who starts these, but they catch on as cute or fun ways to pass the time on Facebook. They are also ways for social engineers to find out more than you want strangers to know. Using the short list above, with how many total strangers would you exchange that information? Probably not many. But most people don’t have very secure social media accounts. They are completely open to public view. Simple searches, most likely by the ones who started these challenges, can find the responses to hashtags, and bots can mine the information. Then, using social engineering, the hacker can construct quite a profile on you.

As if your basic profile information isn’t enough, add that to answers from the above examples. Now in addition to your name, age and/or exact date of birth, high school, university, and town, they can add photos and names of parents, spouses, pets, etc. For example, viewing the Facebook page of someone who completed some of the more popular quizzes, one could determine the following:
Jane Doe
Born January 1, 1973
Lives in Anywhere, Iowa
Went to Anywhere High School and Iowa State University, graduating in 1994
Not married
Christian 
Her parents are John and Jeanine (Pictures)
Loves dogs, especially her German Shepherd Rover (Picture)
Has visited 15 U.S. states and Paris, Rome, and London (Pictures)
Loves movies, specifically classic romances
Lots of pictures of Jane and Check-ins at her favorite places (with dates and times)
All of this information is more than enough to construct passwords, answers to security questions, or even more nefarious real-world activities.
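A defender-side check for the point above, as an added example that is not part of the original post: it flags a password or security answer that is built from facts visible in a public profile. The profile is constructed from the fictional Jane Doe list above, and the function and field names are assumptions made for this illustration.

```python
import re
from datetime import date

# Constructed sample data: the fictional Jane Doe profile from the post.
PROFILE = {
    "name": "Jane Doe",
    "birth_date": date(1973, 1, 1),
    "town": "Anywhere",
    "high_school": "Anywhere High School",
    "university": "Iowa State University",
    "graduation_year": 1994,
    "parents": "John Jeanine",
    "pet": "Rover",
}

# Character swaps people commonly use to "disguise" a familiar word.
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
})

# Generic words that say nothing about a particular person.
STOPWORDS = {"high", "school", "university", "state", "the", "of"}


def word_tokens(value):
    """Lower-case words of three or more letters, minus generic words."""
    words = re.findall(r"[a-z]+", str(value).lower())
    return {w for w in words if len(w) >= 3 and w not in STOPWORDS}


def date_tokens(d):
    """Digit strings in which a date commonly shows up inside a secret."""
    yyyy, yy = f"{d.year:04d}", f"{d.year % 100:02d}"
    mm, dd = f"{d.month:02d}", f"{d.day:02d}"
    return {yyyy, mm + dd + yyyy, dd + mm + yyyy,
            mm + dd + yy, dd + mm + yy, yyyy + mm + dd}


def audit_secret(secret, profile):
    """Return the sorted profile fields a password or answer is built from."""
    raw = secret.lower()
    # Digits are matched as typed (years, dates) ...
    digit_runs = re.findall(r"\d+", raw)
    # ... while words are matched after undoing character swaps.
    letters = re.sub(r"[^a-z]", "", raw.translate(LEET))
    hits = set()
    for field, value in profile.items():
        if isinstance(value, date):
            tokens = date_tokens(value)
            if any(tok in run for run in digit_runs for tok in tokens):
                hits.add(field)
        elif isinstance(value, int):
            if any(str(value) in run for run in digit_runs):
                hits.add(field)
        elif any(tok in letters for tok in word_tokens(value)):
            hits.add(field)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed candidate secrets, not real credentials.
    for candidate in ["R0ver1973!", "J4n3D03", "Anywhere High School",
                      "Cyclones1994", "correct-horse-battery-staple"]:
        found = audit_secret(candidate, PROFILE)
        print(f"{candidate!r}: {'derived from ' + ', '.join(found) if found else 'no profile match'}")
```

A signup or password-change form can run the same kind of check against what the account holder has made public and refuse secrets that come back with a non-empty list.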

Users feel comfortable within the confines of Facebook. Like with other cons these are perpetuated because of the element of trust. Trust that it came from a friend, so it must be OK. Or it’s only a harmless quiz about my favorite TV shows. Also, trust in the complacency that only your friends can see the responses. Once your friends start sharing then your information is exposed.

In addition to the cut and paste challenges there are external links to quizzes. The links take you to a third party site that runs the quiz and posts back to Facebook. Most have learned not to click on links in emails. Why would you click on a link within a Facebook post? Back to trust. A friend shared the post, so it must be safe.

Use social media wisely. Check your privacy settings. If you haven’t done so in a while, change your password. Think twice before participating in cut and paste challenges and quizzes. You don’t want to be the one making the familiar post: “Don’t accept any friend requests from me. I’ve been hacked!!”

April 27, 2020: The FBI issued a warning not to participate in social media quizzes. The quizzes are based on "something you know; something you have; and something you are" all of which can be used to social engineer passwords.
FBI bulletin: https://www.fbi.gov/contact-us/field-offices/pittsburgh/news/press-releases/fbi-pittsburgh-warns-popular-social-media-trends-can-lead-to-fraud


Wednesday, February 19, 2020

Apple Employees Win Suit



A quick post to relay the results of a California court ruling.  
The California Supreme Court recently ruled in favor of Apple employees, allowing them to be paid for after-shift security searches. Apple requires employees of their product stores to be searched after their shift, checking for stolen company products. Employees filed a class action suit claiming that they should be compensated for the time required to complete the searches. Failure to comply with the search policy can lead to being fired.

A federal district court had earlier ruled in favor of Apple, stating that the employees had to prove that they were being restrained from leaving. The case then went to the U.S. 9th Circuit Court, which returned the case to state court for an interpretation of state law regarding compensation. The California Supreme Court ruled in favor of employees and the case now returns to the U.S. 9th Circuit Court. The ruling, as of now, does not affect other states as it was not a federal court decision. However, once the U.S. Circuit Court considers California's Supreme Court decision it may rule in favor of employees. Compensation for requirements after an employee is "off duty" may be interpreted differently and cause a ripple effect through the U.S. regarding employee pay and overtime.

This is not the first time a California ruling has affected employee compensation. In 2018, the California Supreme Court ruled that employers must pay employees for "off the clock" activities such as locking up, setting alarms, and other administrative duties. There is a federal rule called the de minimis rule that says that employees can be required to work small amounts of time, less than ten minutes say, that would be difficult to track administratively. However, California courts ruled that the federal rule had not been adopted under California wage laws and, therefore, did not apply.

De minimis Rule

The "de minimis" rule came from the Supreme Court in 1946, stating that employers, when considering amount of time worked, may disregard time worked over shift when it amounted to seconds or minutes. The U.S. Department of Labor adopted a similar rule under 29 C.F.R. § 785.47, which states, insubstantial or insignificant periods of time beyond the scheduled working hours may be disregarded. 

Under the Fair Labor Standards Act (FLSA) regulations, 29 C.F.R. § 785.11, if an “employer knows or has reason to believe that the work is being performed, he must count the time as hours worked.” The Portal-to-Portal Act, 29 U.S.C. §§ 251-62, amended the FLSA and relieves employers of the obligation to compensate an employee for activities such as: traveling to and from the actual place of performance of the principal activity and activities which are preliminary to or postliminary to the principal activity, which occur either prior to the time on any particular workday or subsequent to the time on any particular workday. 

This is just a small sampling of the laws and precedents that would go into any court’s decision on compensation of employees after hours. There have been too many cases to cite here regarding compensation beyond work hours: cases involving employees loading, unloading, or resupplying company vehicles at home, or answering phone calls, emails and texts. If California is the test, then the trend would lean towards the employee.

Small business owners have to take this into consideration as they apply policy. Whether for breaks, meal times, or after work communications, how employers pay employees may be changing.


Friday, January 31, 2020

Maryland bans the box

Maryland Bans the Box for private employers


NOTE: This article was initially posted in May 2013 and has been updated with new and current information.

As you may know, Ban the Box refers to removing the criminal convictions question from employment applications. The preference is that any discussion of criminal histories be done further along in the application process and in person, in the hope of making the process fairer for applicants.

In October of 2013, Maryland’s first Ban the Box law took effect. The law removed the criminal conviction question from State employment applications. At that time, there were only seven states with similar legislation.  Since then the Ban the Box movement has swept the nation with cities, counties, and states enacting laws. According to the National Employment Law Project, as of July 2019, there were thirty-five states and one hundred and fifty cities and counties that have Ban the Box laws. Thirteen states have laws that prohibit private employers from asking about criminal history on the application. As of January 1, 2020, Maryland became the fourteenth.

Maryland Private Employer law takes effect January 2020

The Maryland legislature passed a private employer Ban the Box law in 2019 only to have the law vetoed by the Governor. In one of the first acts of the 2020 legislature, the Maryland General Assembly voted to override the veto.

The new law states that, before the first in-person interview, employers may not ask an applicant to disclose details about whether or not a criminal record exists. This law only applies to those employers with fifteen or more employees, to include seasonal, temporary, and contractual employees.

So far only a few major corporations, such as Target and Walmart, have publicly “Banned the box”.

Details of the law’s progress through the legislative process can be found at http://mgaleg.maryland.gov/mgawebsite/Legislation/Details/hb0994/?ys=2019rs