
Wednesday, June 9, 2021

Modern police work or invasion of privacy?


NOTE: This article was initially posted in June 2019 and has been updated with new and current information.

The Maryland legislature passed a new law in 2021 that further regulates how law enforcement uses commercial DNA databases to identify suspects. With this new law, Maryland joins Utah and Montana as the only states to limit police use of these databases. In 1994, the Maryland legislature passed the Maryland DNA Collection Act, which authorized police to gather DNA evidence for certain criminal investigations. The Act was expanded in 2008 to include more crimes but also restricted law enforcement from using State databases to search for relatives of a suspect, or familial matches. Maryland is the only state with such a limitation on state-run databases.

Maryland’s new law will take effect in October 2021 and bars law enforcement from using commercial DNA databases to look for familial connections. Law enforcement will be required to exhaust all other avenues of identification and then make application to a judge. Police will also have to obtain consent from a person not suspected of a crime before comparing that person’s DNA to commercial databases. 
 
         _________________________________________________________________________________
 
In March 2019, Florida police identified a suspect in a 1998 cold case murder after a man submitted his fingerprints for a job application. Law enforcement had submitted unknown fingerprints from the murder scene to a National database. As fingerprints from crime scenes, criminal arrests, clearance, and background checks are submitted to the database they are checked against the fingerprints on file. Matches are then reported back to the submitting police departments.

Fingerprints

As detailed in my blog post “National” Record Checks?, there is not a national database of criminal records. There is, however, a database of fingerprints that matches to criminal records of individuals. Maintained by the FBI and begun in 1924, it is the world’s largest database of fingerprints and associated criminal history. Up until 1999, the system was based on manual collection, submission, and examination. Police would ink up a person’s fingers, roll out the prints on a card, and submit the card to the FBI. There, technicians would painstakingly examine each set of prints under magnification and check them against known crimes or suspects, after which the cards were filed. When the system became digital it became possible to check submitted prints against the entirety of the database. Unknown prints found at crime scenes could then be matched against previously submitted prints and suspects developed. If you have ever been fingerprinted, your prints are stored in the system and checked against other submissions thousands of times a day.

The Florida case happened that way. In 1998, police submitted latent prints collected from the murder site. For twenty years every fingerprint submitted to the FBI was checked against the 1998 submission. The killer had avoided being fingerprinted for two decades.

Familial DNA

DNA testing was first developed for use in paternity identification.  Police in England first used DNA in a criminal case in 1986. The first DNA conviction in the U.S. came in 1987. As with any new forensic test, court admissibility was tested early on. Over the years DNA identification has been accepted and the process of collecting and identifying made more efficient. What used to take weeks now only takes days.

In 2018, police and the FBI captured a man suspected of being a serial rapist and murderer in a multitude of cases from forty years ago. The case was broken through the use of DNA. The suspect himself was smart enough not to have his DNA logged into any DNA databases. Smart detectives realized that outside of justice system DNA databases there is a plethora of information being collected by private entities. Ancestral research companies provide DNA collection kits, which allow people to submit their DNA for comparison to other samples in hopes of finding family matches. You guessed it. The profiles are stored in databases so that they can be pinged during searches.

Checking crime scene DNA against public sources of DNA, police were able to get a familial match. That match narrowed the pool of suspects down to one family.  This method has been tagged as “genetic genealogy”.  After the familial match, through traditional police work, detectives were able to identify a suspect. 

Genetic genealogy also works to identify the victims of violent crimes. In 2019, Anne Arundel County Police identified the remains of a man who had been discovered in a trashcan during the construction of Marley Station Mall in 1985. Roger Kelso was believed to have been killed in the 1960s and buried in the woods where the mall would eventually be constructed. Police compared the victim’s DNA to samples in public databases to form the familial match. The long cold case is now active.

The same methods were used to identify the remains of a woman and children found buried in barrels in the woods of Allenstown, New Hampshire in 1985. Although law enforcement had long ago associated the victims to serial killer Terry Rasmussen they had never identified the victims. By using genetic genealogy police in 2019 were able to finally identify the victims as Marlyse Honeychurch and her daughters Sarah McWaters and Marie Vaughn.

As you can imagine privacy watchdogs are all over the issue of law enforcement having access to private sector databases.

Genetic privacy

Ancestry and 23andMe are the largest consumer testing providers. Both companies have policies in place that prevent law enforcement from having direct access to the databases. However, customers of both companies, hoping to grow their family tree, can upload their personal results to public databases. This is where law enforcement has access to the DNA results. Ancestral DNA companies are working to find a balance. While they do not want to allow complete access to databases for misdemeanor crimes, companies do allow access for violent crimes. As law enforcement finds success, it will rely more on these DNA databases.

Opponents of this kind of police work feel that the use of relatives' DNA on public databases constitutes an unwarranted search and is thus illegal under the Fourth Amendment. State legislatures are paying attention, as Maryland and a few others have had bills introduced to bar police from using relatives' DNA to track criminals.

Fingerprints, DNA, facial, hair, optical: these are all methods of identifying humans as individuals. All were new sciences at one time. All have made their way through the world’s courts as legal ways of making identifications. There are most certainly other scientific discoveries that will be added to the list. The question is and always has been: where does the privacy of individuals get compromised in the name of justice?

Thursday, April 16, 2020

Social Engineering Facebook

Social Engineering

NOTE: Since being published, this article has been updated with new information. 

If you’re on social media, specifically Facebook, you’ve seen the 21st-century version of chain letters. Lately there have been lots of “challenges”, quizzes, and tagging of friends to encourage them to keep the challenge going. List every country you’ve been to, list every state you’ve been to, favorite movies, pictures of pets, pictures of your spouse and/or your parents, and the most current: your high school senior photo, under #Classof2020.

Who knows who starts these, but they catch on as cute or fun ways to pass the time on Facebook. They are also ways for social engineers to find out more than you want strangers to know. Using the short list above, with how many total strangers would you exchange that information? Probably not many. But most people don’t have very secure social media accounts. They are completely open to public view. Simple searches, most likely by the ones who started these challenges, can find the responses to hashtags, and/or bots can mine the information. Then using social engineering the hacker can construct quite a profile on you.

As if your basic profile information isn’t enough, add that to answers from the above examples. Now in addition to your name, age and/or exact date of birth, high school, university, and town, they can add photos and names of parents, spouses, pets, etc. For example, viewing the Facebook page of someone who completed some of the more popular quizzes, one could determine the following.
Jane Doe
Born January 1, 1973
Lives in Anywhere, Iowa
Went to Anywhere High School and Iowa State University, graduating in 1994
Not married
Christian 
Her parents are John and Jeanine (Pictures)
Loves dogs, especially her German Shepherd Rover (Picture)
Has visited 15 U.S. states and Paris, Rome, and London (Pictures)
Loves movies, specifically classic romances
Lots of pictures of Jane and Check-ins at her favorite places (with dates and times)
All of this information is more than enough to construct passwords, answers to security questions, or even more nefarious real-world activities.

Users feel comfortable within the confines of Facebook. Like with other cons these are perpetuated because of the element of trust. Trust that it came from a friend, so it must be OK. Or it’s only a harmless quiz about my favorite TV shows. Also, trust in the complacency that only your friends can see the responses. Once your friends start sharing then your information is exposed.

In addition to the cut and paste challenges there are external links to quizzes. The links take you to a third party site that runs the quiz and posts back to Facebook. Most have learned not to click on links in emails. Why would you click on a link within a Facebook post? Back to trust. A friend shared the post it must be safe.

Use social media wisely. Check your privacy settings. If you haven’t done so in a while, change your password. Think twice before participating in cut and paste challenges and quizzes. You don’t want to be the one making the familiar post: Don’t accept any friend requests from me. I’ve been hacked!!

April 27, 2020 The FBI issued a warning not to participate in social media quizzes. The quizzes are based on "something you know; something you have; and something you are" all of which can be used to social engineer passwords.
FBI bulletin-https://www.fbi.gov/contact-us/field-offices/pittsburgh/news/press-releases/fbi-pittsburgh-warns-popular-social-media-trends-can-lead-to-fraud

Read other posts about privacy

Monday, November 25, 2019

Juice Cleanse


While I am not educated in computer programming or repair, I am knowledgeable and proficient enough to make computers do what I need and understand how that occurs. Because of my lack of formal training I never doubt what can be done with computers; I just assume that I do not know how to make it happen. Anything is possible. So when I hear of new smart devices or electronic conveniences that make our life easier, I figure it is only a matter of time until someone compromises the security.

In November 2019, the Los Angeles County District Attorney published a public service message warning travelers of using public USB charging stations.

How it works

Criminals either conceal a computer in charging stations or load malware onto the stations, much like credit card skimmers at gas pumps. When someone plugs their device into the charging station via USB, the criminal's computer can access the device. Or the malware is transferred to the device so that the criminal can access it at a later time.

There have been mixed reactions to the LA County DA report. But no one is saying that it can’t be done. More likely it is a matter of the effort versus the reward. Snopes.com reported, "While it is technically possible for crooks to steal information or install malware via public USB ports, this practice doesn't appear to be widespread".

Best practice-Use your own charging cables with a transformer and plug directly into an AC outlet.

Lasers as keys

Another threat to smart devices or rather smart homes is lasers. Researchers at the University of Michigan have created attacks using focused light to manipulate smart speakers. From as far as one hundred yards researchers could transform their voice commands into light beams aimed at the speaker. Once beamed the speaker reacts as if someone were speaking to it.

The results of the discovery mean that criminals could trick smart speakers into opening garage doors, smart locks, lights, whatever security feature that is linked to the smart speaker.

In our brave new world one has to suspect that someone is always watching or listening. And no computer, mobile device, or now the things that charge them, are secure.

Find other posts on skimming, WiFi, and smart device security in my blog archive. 

Monday, May 13, 2019

What Real-ID means to Maryland drivers

Maryland Real ID
You may have seen news reports about the need for Maryland drivers to further document their identification and citizenship or risk confiscation of driver’s licenses. This isn’t hype. It is true and deadlines are fast approaching. If affected drivers do not update their status with the MD MVA, their license will not be considered valid. Which means a police encounter could result in the confiscation of your license and TSA will not accept the license as proper ID.

REAL ID Act

The REAL ID Act was passed in 2005 setting the benchmark for personal forms of identification and establishing minimum security standards for driver’s license issuance and production. The act prohibits federal agencies, like the TSA, from accepting driver’s licenses from states that do not meet the standards. The deadline set by the Act is October 1, 2020. After that date residents of all states will need a Real ID Act compliant driver’s license to pass through airport security. 

How does this affect Maryland?

Maryland began issuing Real ID Act compliant licenses in 2016 and is listed as a state compliant with the Act. The licenses feature the state flag as the backdrop and the Real ID star logo. The license has multiple security features to guard against counterfeiting and was touted at the time as the most secure license in the U.S. 

The problem? While Maryland issued a license that met all of the Real ID Act physical security features the MVA did not always require the license holder to submit proper documentation for proof of identity or citizenship. Now those with the new “Flag” license are in danger of either losing their license or not being able to pass through federal security. 

MD MVA estimates that over a million drivers have the new license but not the necessary documentation on file. Trying to alleviate a renewal nightmare Maryland officials have set staggered renewal dates in June and November 2019 to clear the backlog before the federal October 2020 deadline. Over sixty-six thousand drivers have deadline dates in June 2019 to provide documentation. 

Is your license compliant?

Those holding the older licenses with the blue banner and crab logo are not required to update their records and may maintain their licenses until they expire. However, after October 1, 2020, these style licenses will not be accepted by TSA or other federal agencies. Even if you have been issued a flag design license you may still need to update your documentation with MVA.

You should get a notice by email and/or mail notifying you of the MVA's need for documentation. Rather than wait for the MVA renewal notice you can check if your license is compliant at this link: RealID Lookup. After searching your license number you will be told if anything further is required and what to do next.

Documentation

If you are required to update your records you will need,
1) Proof of age and identity-Original or certified copy of your birth certificate OR a valid U.S. passport
2) Proof of Social Security-Original Social Security card or W-2 form, or SSA-1099
3) Proof of Maryland residency-Two documents required: insurance card, vehicle registration, credit card bill, utility bill, or bank statement. Any must have your name, Maryland address and be from two separate entities.

This link has further information on Real ID FAQs .

Good luck!

Previous blog about licenses at "Real" ID .

Tuesday, May 7, 2019

Shut down Apps?


The thought for this blog post started with the idea of security regarding remaining logged in to mobile apps. The question being does that open any doors for hackers to access data on either other apps or your phone? It ended up going down quite a rabbit hole of security and hacking techniques that only go to show that cybercrime and security is ever-present and evolving.

Cross-Site Request Forgery (CSRF) has been a known vulnerability since 2001. According to The Open Web Application Security Project CSRF is defined as:
A type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site when the user is authenticated. A CSRF attack works because browser requests automatically include any credentials associated with the site, such as the user’s session cookie, IP address, etc. Therefore, if the user is authenticated to the site, the site cannot distinguish between the forged or legitimate request sent by the victim. 

If you are logged in to sites and the cybercriminal can get you to visit one of their web sites or open an infected email or IM, they can then make your browser send requests to the other sites posing as you, thus gaining access to whatever you have open. This kind of attack generally only occurs within the same browser. In other words, once you have clicked on a malicious site, the attack could flow across any other sites you have open within that browser, but not jump to another browser, say from Safari to Firefox. An open browser could not transfer the attack to an open app, as the two store their own credentials or cookies and do not share them. The same goes for apps themselves: they store their own data. The malware would need a conduit to access other apps or your phone.
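The reason a site "cannot distinguish" a forged request, and the standard server-side fix, can be shown with a small simulation. This is an added example, not code from the original post or from OWASP; the origin `https://bank.example`, the `Request` class and both handlers are hypothetical names constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical names throughout: SITE_ORIGIN, Request and the handlers are
# constructed for this example and do not come from any real application.
SITE_ORIGIN = "https://bank.example"
SERVER_KEY = secrets.token_bytes(32)   # secret known only to the server
SESSIONS = {}                          # session id -> logged-in user


@dataclass
class Request:
    cookies: dict
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def login(user):
    """Start a session; the browser stores the returned id as a cookie."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = user
    return sid


def session_cookie(sid):
    """SameSite=Lax keeps the browser from attaching the cookie to cross-site POSTs."""
    return f"session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def csrf_token_for(sid):
    """Token tied to one session; the site embeds it only in its own pages."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def naive_change_email(req):
    """Cookie-only check: cannot tell a forged request from a legitimate one."""
    return 200 if req.cookies.get("session") in SESSIONS else 401


def same_origin(req):
    """Compare the browser-supplied Origin (or Referer) with our own origin.

    A request with neither header is rejected, which is the strict choice.
    """
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def hardened_change_email(req):
    """Require a valid session, a same-origin request and the session's token."""
    sid = req.cookies.get("session", "")
    if sid not in SESSIONS:
        return 401
    if not same_origin(req):
        return 403
    sent = req.form.get("csrf_token", "").encode()
    if not hmac.compare_digest(sent, csrf_token_for(sid).encode()):
        return 403
    return 200


def demo():
    sid = login("jane")
    cookies = {"session": sid}      # the browser sends this on every request
    legit = Request(cookies, {"Origin": SITE_ORIGIN},
                    {"email": "jane@mail.example",
                     "csrf_token": csrf_token_for(sid)})
    # Constructed cross-site request: it carries the cookie but not the token.
    forged = Request(cookies, {"Origin": "https://other-site.example"},
                     {"email": "someone-else@mail.example"})
    # Same kind of request with no Origin header and a guessed token.
    guessed = Request(cookies, {},
                      {"email": "x@mail.example", "csrf_token": "0" * 64})
    return {
        "naive_legit": naive_change_email(legit),
        "naive_forged": naive_change_email(forged),
        "hardened_legit": hardened_change_email(legit),
        "hardened_forged": hardened_change_email(forged),
        "hardened_guessed": hardened_change_email(guessed),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: HTTP {status}")
```

The cookie-only handler answers 200 to both the legitimate and the forged request, while the hardened handler accepts only the request that comes from the site's own origin and carries the token bound to the session.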

Heck of an opening to a business blog. Why do you need to know this? It is why it is important to log out of company websites and software either on your desktop or your mobile.

Developing security

Over the years sites and apps have become more security conscious. Shutting down your logon after a period of non-activity and/or making you log in every time. Sometimes a pain to log back in but it’s for your own security. With the addition of biometric features on mobiles, even the pizza ordering apps require a fingerprint to gain access. Games and social media apps/sites tend to keep you logged in. The term being “frictionless” because the developers want you to have easy access, at all times, to keep you engaged in their product.

We do a lot of browsing and an increasing amount on our mobile devices. Lots of times your thumbs get fat and you errantly click on the wrong thing. It doesn’t take much to click on the wrong link, even if you close it right away it may be too late. The same goes for links within emails. We get a ton of email to business accounts. It’s hard to distinguish every email between real and spam. Spam emails and links get opened. When employees are accessing company databases and files they are using those same computers to access their company email. Depending on computer use policies or adherence to the policy, employees may also be accessing their personal email accounts and browsing the web. This is when the company system becomes vulnerable to CSRF attacks and others.

Watering hole attack

It is what the name implies. A cybercriminal monitors a company’s employees to determine where they congregate, e.g.-restaurants, bars, etc. The criminal bets that one or more of the employees will access the “watering hole’s” website for menu information, reservations, etc. The criminal places malware on the establishment’s site. When an employee does visit the site the criminal then has access to the employee’s computer or phone. Any company files or databases that are open (logged in to) are now free game for the criminal.

Neither this nor the precautions are new. The same security tenets we’ve heard over and over still hold true.
Don’t open or click on suspicious emails or links in emails, texts, or IMs, especially while logged into other accounts.
Don’t keep sites open-Logout
Change passwords frequently
Don’t use the same password for multiple sites
Don’t save passwords on your browser
Keep system security updated

I’m not a cybersecurity expert just a security conscious user. Hope that this information has been helpful.

Regarding the initial reason I started doing this research, open mobile apps: it appears that it is OK to leave them open. Again, most security-conscious apps, like financial ones, will time out and require login. So the chance of a criminal gaining access to your phone and then entering your bank account through your bank app is probably low.

Most risks to mobile apps occur at the server level or through poor app development, not actions by the user. Although using public WiFi (Wifi for dummies) is one of the biggest user faults to app security.
Research for the blog revealed information debunking an iPhone myth. Quitting apps does not help save battery life. The iPhone OS is designed for multitasking and places the app in suspension until needed. Closing and reopening the app actually causes the phone to use more power as it is starting the app from scratch. So keeping open frequently used apps doesn’t affect battery life.

Please feel free to share. Check the archives for other posts about privacy and online security.
Are you being watched? February 2018
Keys to the vault August 2015
There’s been a breach February 2015



Monday, April 15, 2019

Hey! That’s my WiFi!

Have you ever checked your home WiFi connection and noticed a long list of possible connections? Unless you live in the woods with few neighbors you’ll very likely pick up a lot. Sometimes you get a laugh at some of the crazy names your neighbors use and sometimes a start when you see NSA_Van_9.  The thing is, your router is also popping up on your neighbors' list.  

I did just that the other day and was wondering who else might be using my WiFi. Just like stealing cable in the old days, only not as personal a connection, someone close by could be sucking off precious signal strength. What I found wasn’t as shocking as much as a surprise.

Wi-Fi use

Slow WiFi is one indicator of someone using your signal, all depending on the plan you have with your provider and your own usage. You can quickly check what devices are using your WiFi by logging in to your router. Once logged in you will be provided with a list of the devices currently logged on. A simpler way is to use a third-party app such as Who’s on my Wi-Fi. This app will use your Wi-Fi signal and provide a list of devices currently using the signal. It is not necessary to provide any personal or router information. The list consists of IP and MAC addresses. Once you have the list the task becomes identifying the devices.

I used this app to search for devices, and it returned a list of twenty-five devices currently logged on. After running down the list and doing some light deciphering I was able to determine good news and a surprise. The good news: no foreign devices were located. The surprise? All the devices were mine! The search revealed twenty-five devices, which did not include the devices that were not currently logged on and had Wi-Fi disabled. If everything were in use the total would be over thirty.
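The "identify the devices" step can be automated by comparing the list of IP and MAC addresses against an inventory of devices you own. The following is an added example, not part of the original post and not the output format of any particular app or router; the device listing, the inventory and all function names are constructed for the illustration.

```python
import re

# Constructed inventory of devices the household owns (MAC -> label).
KNOWN_DEVICES = {
    "3c:22:fb:10:20:30": "laptop",
    "a4:77:33:aa:bb:01": "living-room TV",
    "f0:b4:29:11:22:33": "thermostat",
}

# Constructed device listing: IP, MAC and reported name, one device per line.
# MAC notation varies between tools, so three common styles appear here.
SAMPLE_SCAN = """\
192.168.1.10  3C-22-FB-10-20-30  laptop
192.168.1.11  a4:77:33:aa:bb:01  living-room-tv
192.168.1.12  f0b4.2911.2233     thermostat
192.168.1.37  DA:A1:19:5E:77:02  -
192.168.1.52  00:1e:c2:9a:4b:10  -
this line is not a device entry
"""


def normalize_mac(text):
    """Return a MAC as lowercase aa:bb:cc:dd:ee:ff, or None if it is not one."""
    digits = re.sub(r"[-:.]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True when the second-lowest bit of the first octet is set.

    Such addresses are assigned by software rather than the manufacturer;
    phones and laptops use them for per-network "private" Wi-Fi addresses.
    """
    return bool(int(mac[:2], 16) & 0x02)


def parse_scan(text):
    """Split the listing into device records and lines that could not be read."""
    devices, skipped = [], []
    for line in text.splitlines():
        fields = line.split(None, 2)
        mac = normalize_mac(fields[1]) if len(fields) >= 2 else None
        if mac is None:
            if line.strip():
                skipped.append(line)
            continue
        name = fields[2].strip() if len(fields) == 3 else ""
        devices.append({"ip": fields[0], "mac": mac, "name": name})
    return devices, skipped


def audit(text, known=KNOWN_DEVICES):
    """Return devices that are not in the inventory, plus unreadable lines."""
    known_macs = {normalize_mac(mac) for mac in known}
    devices, skipped = parse_scan(text)
    unknown = []
    for dev in devices:
        if dev["mac"] in known_macs:
            continue
        dev["randomized"] = is_locally_administered(dev["mac"])
        unknown.append(dev)
    return unknown, skipped


if __name__ == "__main__":
    unknown, skipped = audit(SAMPLE_SCAN)
    for dev in unknown:
        kind = "randomized/private address" if dev["randomized"] else "vendor-assigned address"
        print(f"UNKNOWN {dev['ip']} {dev['mac']} ({kind})")
    for line in skipped:
        print(f"could not parse: {line!r}")
```

An unknown entry with a randomized address is often one of your own phones or laptops using a private Wi-Fi address, so confirm by turning Wi-Fi off on that device and rerunning the check before treating it as foreign.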

Internet of Things (IoT)

As determined in the post Locking Down the Internet of Things we have, over time, without plan or intent, created our own IoT. That happens in most households. Excluding phones, 74% of U.S. homes have at least one smart device. Few people plan to set up a smart home system; it happens in bits and pieces. A security camera and/or alarm system, new appliance, TV, thermostat: one device at a time your IoT builds. Then a smart speaker is added that is able to control some or all of the devices and your IoT smart home comes to life. Added to the phones, tablets, and eReaders already there, your WiFi list expands.

Security

With all of the security breaches that seem to be a monthly news item, we have become numb to the warnings of password and network security maintenance. It is important to perform regular checks of our home system, especially as we add smart devices to our homes. (Are you being watched?) Properly set up new devices and be aware of what access you are granting them.

The Wi-Fi usage check is yet another added security check but one that should be completed every so often. Just like changing your smoke alarm batteries at the seasonal time change it doesn’t hurt to set up some calendar reminder to review your home network security. This quick WiFi check not only reveals possible hacking but also helps you to get a handle on the number of devices in your home that are accessing the Internet.

Have you detected someone stealing your WiFi?  Tell us about your experience in the comments. 

Please share. Refer to the blog archive for more posts about Internet security.

Monday, March 18, 2019

No Facebook?



On March 13, 2019, Facebook went down for over eight hours. Believe it or not, the world carried on. E-commerce didn’t crash and human social interaction continued. Facebook itself, however, could lose over 80 million dollars in lost revenue.

Facebook entered the scene in 2004. Since that time it has grown to be a company worth upwards of $500 billion with approximately 2.3 billion users worldwide. Along the way, it has either defeated or bought out rivals. Even the mighty Google is packing in its social media platform Google+. Even though Facebook has dominated the social media market something has to come along that’s better? Right? How long can one company continue to dominate the market?

Losing interest?

Interest in Facebook may be waning. Nearly 3 million users were lost in 2018, many using SnapChat, YouTube, or Instagram (which is owned by FB). This is due in part to privacy issues that have been uncovered over the past several years. Early users of the platform were young adults. Facebook weathered a loss of users several years ago when “parents” started using Facebook for personal reasons and to keep tabs on their kids. But over the years users returned or were replaced by new, younger users.

Tech investor Jason Calacanis launched a contest in 2018 called the Openbook Challenge. Calacanis is offering teams $100,000 to build a billion-user social network that would replace Facebook. You can get updates on the project here Open Book Challenge 

Will companies find another way?

Once Facebook exploded businesses realized they had to get in on the social media game. There are 80 million small and medium business pages on Facebook in addition to large corporations. Companies use Facebook like individual users, keeping followers up to date on the latest happenings. Once Facebook allowed advertising businesses could reach an even larger audience. When Facebook experiences outages, in addition to user dissatisfaction, it also causes revenue loss. Continued privacy issues and major outages will likely push personal and business users elsewhere.

Google and the other search engines offer myriad ways to highlight and advertise your business. If not taking advantage of these options now, companies would certainly gravitate in that direction. Whatever eventually does replace Facebook probably would allow advertising and business pages. Unless that replacement is truly a social media platform that disallows corporate infringement.

When Facebook does tank the world will continue. We’ve made it through when companies and media outlets that have been providing services for over a hundred years have packed it in. We’ll get through without Facebook.

The statistics used were found through general Internet searches and featured in the blog post 41 Facebook Stats That Matter to Marketers in 2019.

Please share. See the blog archive for more small business topics.

Monday, January 21, 2019

Locking down the Internet of Things

WiFi security on the Internet of Things
Have you gotten all of your new tech gadgets hooked up after Christmas? Seems like every gift that had a plug also had a phone app and connected to Wi-Fi. Throughout the year as new toys or even appliances enter your home, setting up individual devices isn’t that noticeable. But after Christmas rolls through and you start setting up all the new goodies it really makes you sit back and notice-You have entered the new age of a smart home. Without realizing it we have created our own attachment to the Internet of Things (IoT).

That's a lot of things

Leichtman Research Group in 2018 found that 74% of U.S. homes had at least one smart device. Statista estimates that there will be 42.2 million smart homes in 2019. Spending on IoT devices was $23.3 billion (yes, billion) and is estimated to be $75 billion by 2025.  While there are Bluetooth connections, the primary connection for IoTs is Wi-Fi. Statista reported that the average number of connected devices per person, worldwide, in 2015 was 3.47 and is estimated to be 6.58 by 2020. That is connected devices per person. Multiply that by people in your home and the for-the-common-good devices like appliances, cameras, plugs, bulbs, etc, and that’s a lot of connectivity. 

If you want to keep up with technology, that is how it’s going to be. I didn’t set out to convert the ol’ analog home to “smart”. It just happened. Garage door opener, a new appliance here and there, TVs, Hey Google, Hey Siri, Alexa: before you know it your home is smart. The router sent me a message, yes it communicates as well, that the network was getting full. You’re aware of connectivity for your phones and computers but forget about the other electronics (appliances, TVs, cameras, power strips, gaming systems, eBooks, etc.) that are on all the time and trying to communicate with the mother ship. Not only are these devices taxing on your home network, they are all portals for security breaches.

Any one of these connected devices can be hacked at the source, through the controlling app, or through the company that provides the service. All the more reason to review your home network security. If you haven’t done so recently, with the onset of all your new tech wonderness, you’ll need to upgrade your Internet service. Most times these types of upgrades come with new routers.

Security

One of the first actions you should take on all routers and new devices is to set up your own logins and passwords. Many people still use the default settings, of which cybercriminals are aware. Changing this information will at least slow them down. I say slow down because, as we’ve seen, anyone can be hacked. At least changing the settings will offer some protection.

For all of your connected devices, actually read the setup instructions and pay attention to what you are agreeing to during the process. Data collection is big business and those companies want your data. As consumers get more privacy savvy the product providers are finding counteractions. I recently loaded an app that wanted access to my phone’s camera, microphone, location, and to send user data. Answering no to any of those requests denied the user access. Or sometimes certain features are denied or dampened if the user doesn’t agree to the terms.

Devices that listen, such as your phone, TV, Echo, or Google Home, are also collecting data and have been proven to also be recording your conversations. In the interest of improving their service, of course. Again, go through the setup and privacy menus carefully. Understand what the device, i.e., the manufacturer, is asking you to allow.

Overall, you have to understand that if you allow “smart” devices into your home you are giving up privacy. It’s hard not to get caught up in the technology craze, but understand that what you’re getting yourself into.

Please see the blog archive for other posts relating to privacy.

Monday, January 7, 2019

Smoke 'em if you got 'em? {Marijuana in the workplace}


Note: This article was originally posted in 2017 and has been updated with current information on the topic.

Oklahoma passed a medical marijuana bill in 2018, becoming the thirtieth state (including Maryland) to do so. State by state, the legalization of marijuana for medical and recreational purposes is gaining ground. The chances of employees being high at work are definitely increasing. Businesses are scrambling to adapt.


Decriminalization v. Legalization

So far thirteen states have decriminalized marijuana, allowing recreational use, up from just eight in 2017. Those are Connecticut, Delaware, Illinois, Maryland, Minnesota, Mississippi, Missouri, Nebraska, New Hampshire, New York, North Carolina, Ohio, and Rhode Island. Nine states have legalized marijuana for recreational use (Alaska, California, Colorado, Maine, Massachusetts, Nevada, Oregon, Vermont, and Washington).

While this legislative activity is taking place on the state level, the drug still remains illegal under Federal law. In fact, it remains a schedule I drug alongside opiates and synthetic drugs. The court battles that were expected with the U.S. Justice Department after Colorado legalized marijuana have not occurred.

Decriminalization does not mean legalization. Decriminalized means that possession of small amounts no longer carries criminal penalties. Most states offer a civil violation or no violation at all. Legalized means that marijuana is completely legal to possess. In this case, states have set limits as to the amount that can be possessed and qualifications regarding trafficking.


High on the job

A survey of 10,000 California cannabis users revealed 58% of working professionals use daily and 31% consume while working. (Eaze Insights)

Some businesses not only allow the consumption of marijuana at work, but they also encourage it. Those that do say that it helps employees with stress and anxiety, promoting longer work days and creativity. It should be noted that these businesses are mainly in the legal cannabis industry or tech fields.

What is at odds are company drug policies and making accommodations for those with disabilities. Companies want to be inclusive but want to maintain standards as well as workplace safety. Medical marijuana users are looking to the Americans with Disabilities Act for protection.


Americans with Disabilities Act

The Americans with Disabilities Act (ADA) was signed into law in 1990. Succinctly, the ADA prohibits employers from discriminating against those who are disabled and requires employers to provide reasonable accommodations to a qualified individual with a disability to perform the essential duties of their job. Illegal drug use is not covered as a disability. However, the ADA does allow for the use of drugs taken under the supervision of a health care professional. Marijuana may be legally prescribed under state law but remains illegal Federally. Then there’s the Drug-Free Workplace Act of 1988, requiring that Federal contractors provide drug-free workplaces as a condition of receiving a contract. The ADA states that employers can require employees to conform to the Drug-Free Workplace Act. Further, under the ADA drug testing is not considered a medical examination, allowing employers to test for the use of illegal drugs.

What the courts have found is that while marijuana remains illegal under federal law the ADA cannot be applied to individuals with disabilities. However, state disability laws may apply in states where medical marijuana use has been legalized.


Court challenges

Rights of the employer and the employee vary state by state. As examples: Arizona, Connecticut, Illinois, Minnesota, and New York laws prohibit employers from discriminating against employees who use medical marijuana and require them to make accommodations, some further citing an exception when the employee is under the influence at work. Florida’s recently passed law does not require an employer to accommodate on-site medical marijuana use. California passed Proposition 64 in 2016, which allows for the recreational use of marijuana. However, the law protects an employer’s rights to enforce workplace drug policies. Rhode Island’s law protects the employer’s right against accommodations for on-site consumption but protects the medical marijuana cardholder against hiring discrimination.

A 2017 Rhode Island court case ruled that employers could not refuse to hire medical marijuana cardholders even though the person would knowingly not pass the employer’s pre-employment drug test required of all applicants. (Callaghan v Darlington Fabrics Corp., No. PC-2014-5680, Rhode Island Superior Court, May 23, 2017)

Another twist to the saga is the off-site or off-duty use of marijuana, which may be legal in the specific state but against company policy. In one of the first court cases of off-site medical marijuana use, the Colorado Supreme Court heard the case of Coats v Dish Network in 2010. The court upheld the firing of a man who failed an employer random drug test for marijuana use. Briefly, in 2010, Dish Network fired a telephone operator who was also a medical marijuana patient after he failed a random drug test, although the employee claimed that he never used marijuana at work and was never impaired while at work. The case was the first to look at whether off-duty marijuana use, legal under Colorado state law, is protected by Colorado’s Lawful Off-Duty Activities Statute. The statute states that employers cannot fire employees for doing legal activities while not at work. Although medical marijuana use is legal in Colorado, the court ruled that its use is still illegal under Federal law. The ruling supported employer rights to enforce their drug policies. Since this case, courts in California, Oregon, and Washington have also ruled against employees.

A ruling in July 2017 went against the employer. In Barbuto v Advantage Sales and Marketing, LLC the Supreme Judicial Court of Massachusetts ruled in favor of an employee to use medical marijuana outside of work. The employee claimed that since they have an ADA-qualified disability (Crohn’s disease) the employer must make accommodations for an employee to use medical marijuana off duty. The ruling was based on the state’s anti-discrimination law. The court rejected the employer’s argument that marijuana is illegal under Federal law and to allow accommodations would be unreasonable.


Maryland

Maryland is still getting going on its version of medical marijuana. The law was passed in 2013 and took effect in 2016. Dispensaries began opening in 2018. Maryland decriminalized possession of fewer than 10 grams of marijuana in 2014. Marijuana is still considered illegal but possession of smaller amounts will result in a civil citation rather than arrest. Each year since there have been bills introduced to further decriminalize marijuana. In 2016, a law passed making possession of paraphernalia a civil offense. In 2017, those convicted of marijuana offenses may petition to have their records expunged.


What to do, what to do…

While the use of marijuana is becoming more openly acceptable in society and states have either made it legal or decriminalized it, businesses are still within their legal rights to set drug use policies and restrictions.
Confused? Don’t feel bad. It’s a tricky topic that is evolving almost monthly. Employers need to have hiring policies as well as policies to guide employees. These policies have to be living documents and open to change. Having employees and dealing with human resource issues is difficult, especially for small businesses. The rules are constantly changing. There will always be challenges to any policy or rule. You have to stay ahead of the curve and aware of what’s taking place.

See the blog archive for other posts regarding workplace discrimination and medical marijuana.
Which came first... February 2017
Ban the Box update August 2016



Monday, November 26, 2018

It’s Cyber Monday, Y'all!

Cyber Monday credit card security
It’s Cyber Monday, Y'all! Do you know where your credit card is? Of course, you do. It’s in your wallet, or purse, or poised on your keyboard, ready to be put into service. I should have asked: do you know where your credit card number is?

In 2017, according to the National Retail Federation, 81 million people in the U.S. shopped online on Cyber Monday. About 15 million more than on Black Friday. The only way to snatch up those cyber deals is to pay with a credit card. And pay we did. Business Insider reported that we spent six and a half billion dollars in 2017. Over $1.5 billion more than on Black Friday that same year.

We’ve become trained to look for https or the little padlock to indicate we are dealing with a secure site. And that is true for the transaction. E-commerce is mostly protected by encrypted communications. The security issue here is saving your personal and financial data on the company’s website. Creditcards.com posted a story in 2017 in which they conducted a poll of credit card users. The poll found that 94 million Americans store their card information online.
There may be encryption for the transaction, but when you store your data you’re giving the site all the information a cyber thief needs. That data sits in a database on the company’s servers for who knows how long. See a previous post on this blog about Cleaning Up Your Online Presence.

Storing your card information makes it much easier to check out but also exposes your data to hacking. Think about all the stories in the news this year alone about companies getting hacked. And if not directly, then through third-party vendors. It’s so common that we almost stop paying attention to the reports. If we do feel we’ve been affected, we change our password and move on. It’s become so much a part of our lives that we’ve become complacent about e-commerce and our privacy.

Tips

·     You have to use plastic to shop online. When you do, use credit instead of debit.
·     Best not to store your information, especially if it’s a little-used site or a one-time purchase. Type your card in each time. Don’t create accounts. Check out as a guest.
·     Research with whom you’re shopping. The bigger the company the better, to some extent, as opposed to smaller businesses that have less traffic and do not have the resources to support up-to-date and effective security.
·     Consider having a card with a low limit that you use specifically for online shopping.
·     Monitor your accounts, especially after a shopping spree or big shopping day like Cyber Monday.

Not trying to be Chicken Little. Just trying to remind people to take a beat and check their online shopping practices. Coming back from identity theft or online fraud is not an easy path.

Even though it’s not credit card related, here’s another tip that could help protect your card. If you’re shopping Amazon or looking at reviews on Yelp or TripAdvisor, run the link to the product through a review analytics site like Fakespot.
The results will give you an idea about how reliable the seller is and if it is a reliable company. If using Fakespot, after you find a product on Amazon, copy the link from the search bar and paste it into Fakespot. The results will be a grade regarding the site and advisement on whether you should proceed or not.

Please feel free to share. Visit the blog archive for more posts about Privacy. https://mazzellainvestigations.blogspot.com/search/label/privacy