TIME Security

What to Know About the Ashley Madison Hack

LONDON, ENGLAND - AUGUST 19:  The Ashley Madison website is displayed on August 19, 2015 in London, England. Hackers who stole customer information from the cheating site AshleyMadison.com dumped 9.7 gigabytes of data to the dark web on Tuesday fulfilling a threat to release sensitive information including account details, log-ins and credit card details, if Avid Life Media, the owner of the website didn't take Ashley Madison.com offline permanently.  (Photo by Carl Court/Getty Images)
Carl Court—2015 Getty Images The Ashley Madison website is displayed on August 19, 2015 in London, England.

The company is now offering a big bounty for any info

Avid Life Media, the parent company of hacked extramarital affairs website Ashley Madison, has placed a bounty on its attackers’ heads. After hackers leaked troves of data about Ashley Madison’s users, Avid Life wants to figure out whodunnit. And it’s prepared to pay hundreds of thousands of dollars for information about the guilty party.

Here’s what you need to know about the Ashley Madison hack and the bounty:

What did hackers take from Ashley Madison and why?

The Ashley Madison hackers have posted personal information like e-mail addresses and account details from 32 million of the site’s members. The group has claimed two motivations: First, they’ve criticized Ashley Madison’s core mission of arranging affairs between married individuals. Second, they’ve attacked Ashley Madison’s business practices, in particular its requirement that users pay $19 for the privilege of deleting all their data from the site (but, as it turns out, not all data was scrubbed).

How much money is Avid Life Media offering for tips?

Ah, cutting to the chase. The sum is $500,000 for information leading to the capture of the perpetrator (or perpetrators). But Avid is a Canadian company, paying out the prize in Canadian dollars. In American greenbacks, that’s about $377,000.

When did the company announce the reward?

Toronto Police Services Superintendent Bryce Evans announced the bounty during a Monday press conference, saying: “Today I can confirm that Avid Life Media is offering a $500,000 reward to anyone providing information that leads to the identification, arrest, and prosecution of the person or persons responsible for the leak of the Ashley Madison database.”

So what do we know about the hackers so far?

We know the person or group calls itself “Impact Team,” which is new to the cybercriminal scene as far as anyone can tell, at least under that monicker. If anyone involved in the investigation has any clue about Impact Team’s true identity, then that information has yet to be publicly disclosed.

Any other leads?

Back in July when the company received its first threats, Avid Life Media CEO Noel Biderman said his team was closing in on the culprit, who he said he believed to be somebody who did contract work with the company.

“We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication,” Biderman had told investigative cybersecurity reporter Brian Krebs. “I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”

But Biderman seems to have dropped that narrative — we haven’t heard much in the way of that assertion since.

Has anyone else proposed any theories?

Oh yes. Earlier this week, antivirus software pioneer John McAfee, who has a reputation as a renegade in the security community, laid out his own conclusions, the result of his analysis of the dumped data and Impact Team manifestos. He believes the data was stolen by a former female employee.

Not everyone is convinced by McAfee’s analysis, though. A writer at Gizmodo, for instance, found it to be “subjective,” “offensive,” and “obscenely sexist.” You can read McAfee’s reasoning here.

Ouch. So that’s really all we have to go off of?

There’s another lead I haven’t mentioned. Dan Goodin over at Ars Technica has a good rundown. Basically, we know a few details about the server that was used to host the leaked file containing the emails of Biderman, the company’s CEO. It’s operated by a Dutch Internet service provider called Ecatel Ltd. As Goodin explains, for those with a technical bent:

The box seeding the torrent was located at 94.102.63.121. Police and private investigators working feverishly to identify the people who hacked Ashley Madison and published user profiles, transactions, credit-card data, and a wide range of other sensitive data will almost certainly try to perform a forensic analysis of the physical server. They undoubtedly will want to know how the server was accessed. If the hackers didn’t use Tor or a similar anonymity service, the investigators may be able to collect clues from the IP address used to log in to the box.

You may remember, that’s one of the same ways the FBI concluded that North Korea was behind the Sony hack.

Is there any hope of finding these hackers?

Maybe, but no one can say for sure. Lots of cybercriminals get away with plenty of bad stuff, especially if they’re located far outside the reaches of Western law enforcement. But other bounty programs have seen success, like Microsoft’s takedown of the infamous Rustock spam email botnet. That came with a $250,000 prize.

Who should we contact when we’ve cracked the case?

This slide from the Toronto police’s presentation should answer that:

Ashley Madison police contact

 

TIME Social Media

Facebook ‘Spam King’ Faces 3 Years in Prison

Bloomberg/Getty Images Privacy setting shortcuts are displayed on Apple Inc. iPhone 6.

He's been spamming since the fax machine days

So-called “Spam King” Sanford Wallace has admitted to using around a half-million Facebook accounts to send more than 27 million unsolicited messages on the social network, Bloomberg reports.

Wallace pled guilty to charges of fraud and criminal contempt; he faces up to three years in prison and a $250,000 fine for his activities.

The notorious spammer was found to have violated a court order banning him from Facebook by logging onto the site while onboard a Virgin Airlines flight in 2009. He violated the court order again in 2011 by maintaining a profile under the name “David Sinful-Saturdays Fredericks,” according to an FBI press release.

Wallace has been a pest for consumers for decades. Throughout the mid-90s, he spammed people through fax, then through e-mail, according to Ars Technica. He gained such notoriety that his critics named him “Spamford”–a domain he later registered, despite protests from SPAM foodstuff maker Hormel. He also dabbled in spyware and MySpace spamming, which resulted in a lawsuit in 2007.

TIME Autos

How Carmakers Are Banding Together to Fight Hackers

Joe Raedle—Getty Images 2014 Jeep Cherokees are seen on a sales lot on April 2, 2014 in Miami, Florida.

After some high-profile incidents

As automobiles become more connected to the Internet, drivers will become more vulnerable to hackers. That’s why major automakers are teaming up to try and make sure their cars can’t be hacked.

Companies like Ford, General Motors and Toyota are working through the Alliance of Automobile Manufacturers and the Association of Global Automakers to create an Information Sharing and Analysis Center, reports Automotive News. The data-sharing center should be operational by the end of the year, that publication reports.

Computer hackers targeting vehicles have made several big headlines in the past year. Just last month, it was reported that hackers were able to disrupt a Jeep Cherokee being driven by a Wired journalist. In theory, hackers can manipulate advanced car functions like automated parking to affect vehicles’ movement, a potentially massive safety issue.

 

TIME Security

Toronto Police Investigating Possible Ashley Madison Suicides

Carl Court—Getty Images A detail of the Ashley Madison website on Aug. 19, 2015.

After hackers leak info about users of cheating website

Toronto police are looking into two suicide reports with possible ties to the Ashley Madison hacking scandal, law enforcement officials said at a news conference Monday.

Toronto Police Superintendent Bryce Evans said details about both cases remain sparse. He added that the police’s investigation would be directed at finding the hackers responsible for leaking more than 30 million email addresses and credit card numbers from Ashley Madison, a Canada-based website that helps married men and women arrange affairs.

“Your actions are illegal and will not be tolerated,” said Evans. “This is your wake up call.”

Evans also announced that Ashley Madison parent company Avid Life Media is offering a $500,000 reward to anyone providing information that leads to the arrest of the hackers. Still, the hackers may be well outside the jurisdiction of Canadian police.

TIME innovations

How Your Credit Card Is About to Change Forever

Getty Images

New cards are coming — here's what you should know

If you recently and unexpectedly got a new credit or debit card in the mail, you may be wondering why. Sadly, it has nothing to do with a more favorable interest rate or an exciting new reward program. Instead, it’s a security upgrade infusing our old-fangled cards with some modern technology at last.

Called “chip-and-PIN” cards thanks to the microchip found on them, these new credit and debit cards promise to make your retail transactions far more secure than the magnetic stripe-based cards you’re used to using. “Effectively what’s happening is that we’re going from a static environment to a dynamic environment,” says Carolyn Balfany, MasterCard’s senior vice president of product delivery for the company’s chip-and-PIN cards (also called EMV cards).

For Americans, the change to chip-and-PIN is long overdue. As of last year, 83% of western European consumers had chip cards, compared to just 7% of stateside shoppers. France, the first country to adopt the new cards, did so back in the 1980s. But this is the year that the U.S. starts going all-in. According to information provided by VISA, industry analysts estimate 70% of the country’s credit cards and 41% of its debit cards will be upgraded to chip technology by the end of this year.

At the beginning, the new chip-and-PIN cards will still carry magnetic stripes. That’s because not all retailers are prepared to accept chip cards, so the older tech will stick around a little while longer. But making purchases via a magnetic swipe means data like your credit card number, expiration date and more get carried across phone lines to your bank for processing. Chip card transactions are more secure because they work differently. When you make a purchase by inserting your chip card, the payment terminal checks that your card is genuine. Next, instead of sending your account information, the new types of payment terminals generate a one-time use code (also called a cryptogram) that’s transmitted to your bank to authorize your purchase. Cryptograms typically include the transaction amount, date, time, terminal ID, and other information. They also keep all that data encrypted, helping to keep it away from would-be fraudsters.

Some chip cards also come with tap-to-pay technology, which means you don’t have to insert or swipe them at all to make a purchase. These contactless cards, which feature small symbols that look like radio waves, work like Apple Pay or Android Pay, only instead of tapping your smartphone, you just wave your card. Beyond the tapping versus inserting, these contactless card payments work just like other chip-and-PIN transactions.

But seeing as how not every retailer is ready for the new chip cards yet, when the time comes to make a payment, should you swipe, dip, or tap? “The technology is going to guide the consumer,” says Balfany. That means you can still swipe your card like you do today, and if a payment terminal is capable of doing a chip transaction, you’ll get a prompt on the terminal to insert your card instead. You should take the nudge, because your payment will be much more secure.

“Virtually everything else about the transition will be like what we experience today,” says Balfany. So after the payment terminal has your card’s information, sometimes you’ll be asked if your card is credit or debit, sometimes you’ll be asked for a signature, sometimes it will require a PIN, and sometimes — if the sale is something minuscule like a pack of gum — you’ll be asked for nothing further.

Over time, you’ll see fewer and fewer magnetic stripe registers around. In fact, U.S. merchants are required to accept chip cards by October, or else they can be held responsible for paying for any fraudulent purchases made at their establishments, a liability previously held by card-issuing banks. Even still, retailers, especially smaller ones, may take a while to accept the cost of upgrading. But for shoppers, nothing changes — you’ll still have an avenue to dispute fraudulent charges. And with all this new tech, there should be less fraud going on, anyway.

TIME You Asked

You Asked: What Is Ransomware?

Elizabeth Renstrom for TIME

How to avoid paying hackers to give your computer back

There you are, surfing the web — maybe you’re catching up with Facebook friends, or perhaps you’re reading the news — and seemingly out of nowhere, a window pops up, stopping your computer in its tracks. And there’s only one way to make it go away — pay up.

It’s an absurd scenario, the kind you might find in a movie, right? Tell that to the thousands of people who have been hit with these so-called “ransomware” attacks to date.

“It actually is a phenomenon,” says Candid Wueest, Symantec’s principal threat researcher. Wueest investigates all sorts of bugs that attack computers and mobile devices via the Internet. The first known cases of ransomware date back to 2005, says Wueest, but infections have increased every year since. And last year, ransomware incidents exploded 113% compared to the year before.

“At the moment we’re probably around 30,000 infections per day around the globe,” says Wueest.

There are many different ransomware viruses floating around the web. But in general, they work like Trojan horses, infecting your computer without you knowing. But in this case, the bugs aren’t corrupting your files, they’re locking them down. Ransomware can encrypt everything from your documents to your photos, and without the correct password to unlock them, you may never be able to open these files again. To get that password, you have one option: follow the ransomware’s instructions, which usually involves making a payment to hackers in the amount of — get this — $300.

Technically, the sums vary, but $300 is the average. “We’ve seen some which ask for $500 or even $700, but that seems to be over the top,” says Wueest, who notes that some ransomware even has dynamic pricing depending on the country you’re in. For instance, a virus in the U.S. might ask for $700, but that same bug in India will only require $500 for the password.

In other words, the key for the hackers behind this scheme is asking for enough money to make the hustle worthwhile, but not so much that the victim can’t afford to pay. And even though the payouts are just hundreds of dollars at a time, quick math shows ransomware is a multi-million dollar industry.

The savviest ransomware not only capitalizes on users’ precious data — like irreplaceable family photos or the only draft of an in-progress novel — but it can also prey on their deepest fears. For example, one virus displays a screen warning users the FBI is on to all those movies they’ve downloaded illegally. And sure enough, lots of people who get that fake warning pay a fine to avoid prosecution. “Many people may have something in their closet that they think maybe was illegal,” says Wueest. “A lot of them started to pay.”

What can you do if you fall victim to ransomware? Sometimes it’s not much, as hackers’ methods are getting more advanced all the time. “The newest versions [of ransomware viruses] have strong, state-of-the-art cryptography which is used all over the Internet, like online banking and e-commerce,” says Wueest. And every victimized computer has its own distinct decryption key — so there’s no secret password that will magically open these locks.

That’s not to say that computers are completely defenseless. According to the FBI, the government is taking proactive steps to shut down these viruses before they reach your computer. And authorities worldwide are working with digital security companies like Symantec to find the digital kidnappers and bring them to justice. But these hackers can be hard to catch because they work in small, anonymous groups located in far-flung countries with largely ineffectual law enforcement.

“We track a few different groups,” says Wueest. “One group made $34,000 in its first month — that’s a pretty good income for a small group.”

But there are ways to protect yourself from these schemes. First, back up your data regularly. Keep your information in a safe place offline, because under the right circumstances ransomware can infect networked storage or even cloud-connected drives. Secondly, use anti-virus software. Ransomware can infect computers in different ways, like launching through email attachments or via malicious code embedded on a website — but anti-virus software is designed to catch these bugs before they take hold. And finally, keep your software and operating system up-to-date. Many viruses exploit weaknesses in older computer programs, which is one reason software developers are constantly issuing patches and bugging you to install them.

Failing these three measures, if you’re infected, you may just have to pay up to free your data. But there’s a catch: Should you actually trust these thieves to provide the decryption key? “We have seen instances where that actually is true and people did get data back, but we don’t recommend it,” says Wueest. That’s because even if you do manage to wring your files from hackers’ grasp, the money you pay them will further fuel their nefarious efforts. And by making you admit defeat, they’ll become emboldened and continue to shake down other Internet users. In other words, the best defense is avoiding ransomware before it takes hold of your computer in the first place.

TIME Markets

Hackers Allegedly Stole Insider Info To Make Big Trades

Spencer Platt—Getty Images Traders work on the floor of the New York Stock Exchange on January 14, 2014 in New York City.

The group made millions, officials say

A group of financial fraudsters worked with foreign hackers to access unpublished press releases and trade on the information therein, federal authorities said Tuesday.

The U.S.-based traders worked with Eastern European computer hackers to target press release distribution companies in a scheme that netted over $100 million in ill-gotten gains. Nine people have been arrested in the case, The New York Times reports.

This kind of stock-trading cybercrime has become a growing problem for law enforcement. In November, the cybersecurity firm FireEye published a report on a group that has been targeting pharmaceutical and health care executives in order to get ahold of confidential information, likely for an illegal edge in the markets.

The latest incident appears to echo a 2005 case against an Estonian financial services firm called Lohmus Haavel & Viisemann, the Wall Street Journal notes. That group, which also stole press releases electronically, made off with nearly $8 billion before settling with the SEC for $14 million in the end.

At least six government agencies—the Federal Bureau of Investigation, the Securities and Exchange Commission, the Secret Service, the Department of Homeland Security and the U.S. attorney’s offices in Brooklyn and New Jersey—will bring the charges against the group, the Journal reports.

TIME Smartphones

Is Your Android Phone Still Safe?

Bloomberg—Bloomberg via Getty Images Google Inc.'s Android logo is displayed during a keynote speech at the Google I/O conference in San Francisco, California, U.S., on Tuesday, May 10, 2011.

A nasty new bug is getting phone makers to change their ways

Not everybody suffers from stage fright. But if you happen to own an Android smartphone, you’re particularly susceptible — and it doesn’t matter whether you’re under the spotlight or in the crowd.

A recently exposed vulnerability within Google’s smartphone operating system, “Stagefright” is the name of an exploit that can infect Android handsets without the phone’s owner knowing. The bug has also highlighted problems in how the mobile operating system used by more than half the world’s smartphones gets security updates.

Stagefright was discovered by researchers last month. Technical details aside, it essentially allows hackers to get access to targeted phones’ pictures and other data by sending a message with a malicious video attached. According to Zimperium, the company that uncovered the bug, Stagefright puts 950 million Android devices at risk. But there’s hope: the company reported the problem to Google and submitted patches before telling anyone else.

According to Alex Rice, co-founder and CTO of security firm HackerOne, Android’s open-source nature is what allowed the bug to be discovered in the first place, because anybody can look under the hood and check for problems. “One of the things that Android does fairly well is that it’s an incredibly open and transparent platform,” Rice says. “Through (Google’s) bug bounty program and a number of other factors, they actively encourage discussion and participation on the security of the platform.”

But uncovering and patching Stagefright is only the beginning. Updates need to be pushed out to 95% of all Android phones to make sure they’re protected. In an odd twist, that’s a feat made more complicated by Android’s open nature. Handset makers like Samsung and HTC alter Google’s stock Android software to differentiate their products from one another with exclusive interfaces and features. But that means they also need to make new security patches compatible with their modified software. Historically speaking, manufacturers haven’t done a great job of pushing out security updates, especially for older phones.

Part of the problem is the business model around mobile phones, Rice says. “If you walk into a Verizon store and purchase a Samsung Galaxy that has a platform built by Google,” he asks, “whose customer are you, in that case?” In that situation, Rice thinks Verizon should own the relationship with the customer, since it’s the company that’s taking their money. “But Verizon is three steps removed from the person who receives the vulnerability report and is capable of fixing it,” he adds.

This lack of accountability makes Android harder to keep secure, a frustration that was enough to make Vice’s Lorenzo Franceschi-Bicchierai abandon his beloved Android device. Frustrated by the amount of time it takes security updates to filter through Google, handset manufacturers, and carriers, the security journalist argues that Android users are left exposed to bugs. By comparison, he writes, “When there’s a bug on iOS, Apple patches it and can push an update to all iPhone users as soon as it’s ready, no questions asked.”

At this month’s Black Hat USA conference in Las Vegas, an annual gathering of the world’s information security experts, Google made efforts to right the ship. With Stagefright generating a lot of the buzz, one of the talks kicking off the conference was about the state of Android security. Adrian Ludwig, one of Android’s lead security engineers, announced that Google is now committing to monthly, over-the-air security updates for three years on all Google-branded Nexus devices. Samsung and LG are reportedly making similar commitments.

“This is exactly the commitment consumers should demand from manufacturers,” says Rice, who thinks three years is a strong commitment to a device. And while many people wonder if these systemic vulnerabilities spell trouble for the future of Android, the reality is that your Google smartphone is probably safer today than it was last month. Unless you have an older model, of course, in which case you should consider upgrading — like, yesterday.

TIME privacy

These Companies Have the Best (And Worst) Privacy Policies

TIME teamed up with the Center for Plain Language to rank privacy policies from readable to ridiculous

Only the most diligent among us actually read technology companies’ privacy policies, though we all should. They lay out what the companies that we interact with daily are collecting and sharing about us—not to mention, in some cases, about our families and friends and everyone else we happen to correspond with.

But it’s not just on us, the users, to make an effort. Companies can package this information in a place that’s easy to find and in a way that’s easy to understand and act on, or they can bury it beneath mounds of tedious legalese in some cobweb-strewn corner of their website.

In an effort to assess, exalt and shame some of the world’s leading tech companies for how they’ve presented privacy information to millions of users, TIME reached out to the Center for Plain Language. Every year, this non-profit grades government agencies on how well they’re following the spirit and letter of the Plain Writing Act—a 2010 law designed to eliminate bureaucratic gobbledygook. The Center also works with businesses, with the mission of teaching the powerful among us about how important it is to communicate in clear, comprehensible English.

We asked the Center’s experts to judge and rank the privacy policies of seven tech companies that most consumers know. They did this on several levels, assessing everything from design and tone to how many words writers tried to pack into each sentence. They also examined the more subjective “spirit” of their policies. Does the policy, for instance, make it easy for people to limit the ways in which the company collects their personal information? Or are instructions about opting out obscured in the policy’s hinterlands with no hyperlinks?

Here are their results, ranked from the company with the best-presented privacy policy to the worst, according to the Center for Plain Language:

  1. Google
  2. Facebook
  3. LinkedIn
  4. Apple
  5. Uber
  6. Twitter
  7. Lyft

To be clear, this is not an assessment of what data these companies have decided to collect from users or what they’ve decided to do with that data. Instead, it’s about how obvious they have made those decisions to the users affected by them. The companies who did this the best avoided jargon and confusing sentence structure, clearly organized their information and used a lively tone. The policies that did not rank highly contained 100-word-long sentences, obtuse explanations and little sense of design.

“A privacy policy that consumers are unlikely to read or understand provides no protection whatsoever,” the Center’s experts write in their report. “The results of our study are quite consistent, especially at the top and bottom of the rankings: Google and Facebook do a good job of communicating their privacy policies in a way that allows consumers to understand and make decisions—at least motivated consumers. And Lyft and Twitter do a poor job of communicating those policies. The remaining companies—LinkedIn, Uber, and Apple—do better in some areas than others.”

The Center used both expert judges to assess policies at a high level and software to evaluate the policies at the sentence level. Here are some telling comments about each company’s policy from judges Deborah Bosley, Meghan Codd Walker and Jeff Greer—all members of the Center for Plain Language Board. You can read the full version of their report at the bottom of this post.

#1. Google: “No privacy notice is perfect, but Google has created a good model for a clear, plain language approach. I’m at times skeptical/concerned about how much access Google has to my personal information, but this notice’s audience-focused approach actually increased my trust in them.”

#2. Facebook: “I think we should note the difference between the Apple and Facebook policies. Apple [simply] points out how they minimally store customer data. Facebook, in the “What kinds of information” section, documents just about every interaction a customer has, and then talks about how those interactions are collected and stored. I’m marking this as above average not because I agree with Facebook’s practices, but because they’ve clearly communicated those practices.”

#3: LinkedIn: “I appreciate LinkedIn’s obvious efforts to make their privacy policy easier to understand . . . But when you dive deeper into the more thorough policy, I think the language and structure leave something to be desired. The sentences should often be shorter, and the lack of headers and bullets within sections make wading through the content harder—even if it mostly avoids jargon. I would use this privacy policy as a ‘good intentions but not quite there’ example of plain language.”

#4: Apple: “The notice seems to have some respect for the audience and feels credible. But I don’t think they genuinely want people to read the notice, given how they’ve hidden the paths for adjusting how you share your information.”

#5: Uber: “Outside of the short introduction, there’s nothing here that distinguishes the tone. It feels and reads like a document written by lawyers for people who don’t really read this kind of document. This could be softened with the use of contractions, or better yet, a plain language translation of the legalese.”

#6: Twitter: “There are occasional moments of clarity, but many of the sentences and paragraphs are long and hard to read . . . this is mostly a black and white wall of text.”

#7: Lyft: “The only decent parts of this notice are the clear headings they provide for each section. Readers can tell what should be in that section, but then the writing is so unclear, they likely won’t find the information they need . . . Everything about this notice screams, ‘We don’t want you to read this!’”

The report ends with the Center noting that all the policies show room for improvement, though they realize only a certain amount of candor is likely to come from such tech companies.

It seems unlikely that a business would give its customers this very plain message: “By reading this policy, you agree to let us keep track of you, your email and photos, where you go, your devices, the Internet providers you use, and possibly the same information for everyone in your social network. And if we decide we want more information, we will let you know—in some way—maybe before we start tracking that, too.”

On the other hand, the use of plain language tends to build trust between a company and its customers . . . the market will likely dictate when and the extent to which the companies improve.

Here’s the full report from the Center for Plain Language:

Center for Plain Language Privacy Policy Analysis

TIME Autos

How the Jeep Hack Reveals Tesla’s Biggest Advantage

It's all about security

Tesla touts environmental friendliness and savings on gas costs as two of the big perks of its electric cars. But security may turn out to be a winning feature as well.

In the last few weeks, a worrying trend has emerged in which hackers have found ways to hijack control of vehicles’ onboard computers. In July, hackers were able to remotely access a Jeep Cherokee SUV through its on-board entertainment system, taking control of its steering, transmission and brakes. This week, researchers executed a similar hack into the Tesla Model S’s infotainment system; they were able to shut off the vehicle’s engine with a keystroke (the Tesla attack required physical access to the vehicle).

But the big difference between these scenarios is what happened next. Fiat Chrysler had to recall 1.4 million Jeeps that could potentially be vulnerable to the hack, but the “recall” actually amounted to mailing Jeep owners a USB stick that they could plug into their vehicle’s dashboard port in order to give the car the necessary patch. Tesla, on the other hand, was able to automatically send a patch to all its Model S vehicles on Wednesday through an over-the-air update, a method more akin to how your smartphone gets software fixes.

The advantage for Tesla here is obvious. There’s no telling how many people will actually bother plugging in Jeep’s USB stick, but it probably won’t be 1.4 million. In the Model S, drivers just click “yes” to an on-screen prompt offering a software upgrade with the fix.

As automakers race to make their vehicles behave more like smartphones, they’ll have to deal with the security risks that come along with connecting to the Internet. Tesla is a step ahead with its ability to widely distribute updates with the press of a button. But other companies are sure to follow suit quickly. Everyone from Ford to General Motors is working to bring robust over-the-air updates to their cars in the coming years.
