If cell phone bills send your blood pressure boiling, here's the most important tactic to keep in mind.

Don't get angry: Complain.

Merely complaining isn't enough, of course -- you must complain effectively. So before you do, make sure you set aside a solid block of time to deal with the problem. Getting a refund from a cell phone company is no trivial matter. While there are no sure-fire strategies for getting wireless firms to say "I'm sorry," some strategies work better than others. You'll find them below.

But first, I must tell you this shocking truth: Unlike land lines, cable companies and many other industries, the cell phone industry is largely exempt from government mechanisms for resolving consumer disputes. In other words, consumers really are at the mercy of their mobile companies. If you want to know why your service is bad, advertisements are misleading and bills are often a surprise, there's your answer. The biggest piece of advice I'll give involves changing that bogus structure. But first, more practical matters.

In a recent "Sneaky Fee Alert," I wrote about handset upgrade fees charged by some cell phone companies. It works like this: You decide to stay with your mobile provider, upgrade to a new phone and think you've got a good deal, but two months later a $36 fee is slipped into your bill. Not surprisingly, the story elicited a tidal wave of complaints about cell phone companies. Many readers urged me to investigate strategies for gaining refunds.

Here's what I found.

The mobile industry is regulated by the Federal Communications Commission. That's the only agency companies like Verizon Wireless, T-Mobile and Cingular really have to answer to. So when you have a problem with any of them, you should complain to the FCC. The agency has a pretty easy online form to fill out, located at its Web site.

The complaint is forwarded to the company involved. You should know, however, that the FCC doesn't follow up on individual complaints. Perhaps that why the number of complaints filed with the FCC is shockingly low. The FCC takes in about 1,500 wireless complaints a month, according to its most recent report. That's about as many complaint as I took in with my blog.

I suspect the lack of complaints is a reflection of the lack of efficacy on the FCC's part. People don't see the point of complaining if they'll not going to get redress. An official I spoke to at the agency pretty much conceded that. He did say, however, that a flood of thousands of complaints could inspire the agency to action. So click away.

While the FCC is really your only formal avenue for complaints, there are a host of other strategies you can try, and a host of other agencies to contact. A fresh pen and a book of stamps might come in handy.

More places to complain
If you feel there is a clear Truth in Advertising violation, you can try to complain to the Federal Trade Commission. The FTC has an extensive set of telecommunications-related consumer tips on its site. Unfortunately, I've been told that mobile phone complaints are almost always redirected to the FCC, so your time is probably better spent contacting other agencies.

The agency you should be able to complain to is your state utility board (sometimes called "public service commission.") This is the agency that settles land-telephone line disputes, water and electronic billing issues, and the like. Each state has a different office; there's a great state-by-state list at ConsumerAffairs.com.

While state boards currently have no jurisdiction over wireless carriers, a flood of complaints there could stir political action. Also, it could be habit forming.

Cell Phone Users Bill of Rights
For years, consumer advocates have been lobbying for "Cell Phone Users Bill of Rights" laws in state legislatures around the country, with California and Massachusetts leading the way. Central to these laws is a measure that would grant state utility boards jurisdiction over wireless carriers. The boards would be instructed to resolve complaints, and have enforcement powers, such as the ability to levy fines. As you might imagine, wireless firms have pushed back hard against these Bill of Rights laws, so far, successfully.

So far, only Connecticut's legislature has managed to give its state utility board a measure of jurisdiction over wireless companies, and even that is limited. Still, it's a start. Beginning this year, Connecticut residents can complain electronically to their state utility commission at its Web site.

The state is currently compiling complaints and will release a report early next year. Hopefully, the next step will be doing something with those complaints. Once again, a flood of complaints could motivate the agency and the legislature to act.

The next place to turn is your state's attorney general office. I've found that consumers have the most luck when working through the state's top law enforcement office. Many have sections or units devoted entirely to resolve consumer complaints. While the state AGs have no direct authority over wireless carriers, they can bring lawsuits against the firms. Moreover, they can generate a lot of negative publicity, so I know companies like Cingular and Verizon take their calls. Here's an easy way to find contact information for your state attorney general. Be sure to select "State Consumer Protection Office" from the drop down menu.

Remember, half the state attorneys general in the country are eyeing the state's governor's office, so top cops in those states are doubly motivated to resolve your complaint and make a friend.

Call Congress
While we're on the subject of politics, writing to your local Congressional representative might be more effective than you'd think. Particulary during election season. Mileage varies widely, of course, but each federal representative has a set of case workers who take complaints at the district office and follow up with the appropriate federal agency. The FCC is more likely to listen to your Congressman or woman than you. You might get back your $36 and then be asked to donate $50 to the campaign. But you can always say no.

Next, take a copy of the letter or e-mail you've written and send it to the Better Business Bureau. I've seen mixed results from filing complaints with the BBB, which has no real censure power, because participation by companies is voluntary. But it doesn't hurt. The BBB does keep a record of resolved and unresolved complaints, and companies do tend to make some effort to avoid a negative BBB file.

Finally, of course, you must work directly with the company you feel has cheated you. Despite all these steps, the reality is, wireless carriers often get to be judge and jury for their own complaints. They have your money, and they get to decide if they're going to return it. So know you are entering a kangaroo court.

That said, plenty of Red Tape readers report good luck dealing with wireless carriers. Robert Bell of North Carolina reports that he hadn't noticed the $36 handset upgrade fee Sprint levied on a recent bill -- and he says he wasn't told about the fee at the stor. After reading my last entry on the topic, he called Sprint, and a phone rep relented, saying ""I was able to pull a few strings and we're going to take that charge off for you."

The direct route is best
Of course, other readers haven't had such good fortune. So here's some advice on effective calls to customer service representatives.

First: Make sure you are talking to someone who can actually refund charges on your bill. Many companies are moving that authority higher and higher up the reporting chain, says Deirdre Cummings, a cell phone users' advocate at the Massachusetts Public Interest Research Group. There's no sense getting into a debate with someone who can't help you anyway. Ask if they have the right authority. If not, ask to speak with someone who does.

Second: Hang up. Not rudely, of course. Just excuse yourself, and redial. Within moments of starting the conversation, you will know if the person you're talking to is cooperative and sympathetic, or hostile. If the conversation isn't going well, hang up and call again. Keep trying until you get someone who's having a good day and is more likely to be helpful.

Third: Be informed and specific. I know you want to just call up and say, "I hate you, I hate you all, you're all cheaters." That's rarely effective. But if you have the bills in front of you, and you can point to specific charges and make your case thoughtfully, you stand a much better chance.

Finally: Avoid the sneaky fee in the first place by finding sales reps you trust. Here's one vote for consumer loyalty. Don't be enticed by the cheapest advertisement in the biggest storefront window. Go to a smaller store, find someone who doesn't talk to you like a used car salesman, and keep going there. It doesn't matter what brand of phone you have; what matters is the integrity of the individual sales clerk. If you find an honest cell phone sales rep, you won't be surprised by the big number at the bottom of your cell phone bill. Reward honest reps with your loyalty. Avoiding surprises really is more important than getting the absolute cheapest price.

There are far more details on the right way to complain about cell phone bills on Consumers Union's cell phone users page, Hearusnow.org.

Still, you might end up getting an answer you don't want to hear. And once again, I'd urge you not to get angry, but to complain. This time, call your state legislator and insist that he or she support a Cell Phone Users Bill of Rights for your state.

The only way to really get us out of the fix we're in is to design a system that makes the cell phone companies answer to someone other than themselves. But for now, we're left with the random system we have. That being the case, I'd like to hear from Red Tape readers about their success stories for getting refunds or credits from wireless carriers. Is there a sample letter you've drafted with language you feel was particularly effective? A telephone call script you wrote for yourself that counteracted the script the customer service rep had in front of them. Sound off below; the best answers will be the subject of a future column.

Thursday, it was Apple's turn in the doghouse. The company announced it was recalling nearly 2 million laptop computer batteries out of concern that they may overheat and catch fire. Last week, you'll recall, Dell recalled 4.1 million laptop batteries. No surprise here. The computers use essentially the same batteries, which are manufactured by Sony. The only surprise is this: Where are all the other laptop computer makers that use Sony batteries? Their day in the negative PR light will come soon.

Apple's announcement in a strange way takes the heat off Dell, confirming that the overheating problem is not exclusive to Michael Dell's notebooks. In fact, it's not exclusive to laptops. The problem of exploding gadgets and volatile battieres has been quietly festering for years.

The same battery technology used in Dell and Apple laptops is used in nearly all our high-tech gadgets today. And almost all of them are just as likely, under certain circumstances, to catch fire. Even before this rather prominent round of laptop recalls began last week, the U.S. Consumer Product Safety Commission had presided over 23 battery-related recalls in the past three years alone.

Cell phones, flashlights, portable DVD players, GPS gadgets, even cordless drills also have all been recalled in recent months over concerns about dangerous batteries. During that time, there have been nearly 200 reported incidents of fires and explosions resulting from battery failure.

All of these recalls involve lithium ion rechargeable batteries, which now are the industry standard, because of their ability to yield high power in small spaces. It's that concentration of power which makes these batteries more dangerous.

When properly harnessed, a heavy-duty lithium ion battery can power today's feature-rich laptops, jam-packed with wireless chips, DVD players, and enormous hard drives. When out of control -- engaged in something engineers call a "runaway thermal reaction" -- a lithium ion battery can explode with surprising fury.

"To meet consumer demand for smaller, more powerful products, (companies) add a little more risk to the product," said Richard Stern, an associate director at the Consumer Product Safety Commission.

Lithium ion batteries are a relatively new technology. Invented by Sony in the early 1990s, they didn't supplant nickel-based batteries until the early part of this decade. Now, most laptops and almost all cell phones use lithium-based batteries. Lithium batteries are three times as powerful as the nickel batteries they replaced. Put another way, they pack equal power into a space three times as small.

Explode after a single drop

There is, however, a downside.

"Lithium is highly volatile," said energy analyst Sara Bradford at Frost & Sullivan. It's far more volatile than old-fashioned nickel-cadmium (Ni-Cad) battteries.

As an example, shock vibration in lithium batteries can cause combustion. In one incident reported to the Consumer Product Safety Commission, a consumer dropped his phone, then picked it up and put it in his pocket. Within a minute, the phone began smoldering, searing his legs.

The phone's impact disturbed battery components enough to create an electric short, which led to a fire, said Stern. "We have seen several incidents," like that, he added.

Nickel-powered cell phones withstood such drops without threat of explosive chemical reactions, Bradford said. Still, companies believe consumers are willing to take that risk.

"Unless we as consumers are willing to go back to those huge phones we're kind of stuck with (lithium ion)," she said. "Everybody is hungry for more power and want devices to last longer and longer and lithium is the best that we have."

Circuits to prevent fires
Lithium batteries are loaded with electronics designed to prevent the volatile, runaway chemical reactions. These include circuits that prevent overcharging, temperature sensors that shut the battery down if it gets too hot and load balancers that notice if an individual cell is working too hard.

When a battery explosions occurs, usually several things have to go wrong, including the failure of one of these security systems, Bradford said.

Among the necessary failures is human error. Proper venting is necessary to allow a hot battery to release extra energy, and battery manufacturers warn consumers not to cover vents.

Nevertheless, some fires begin because consumers throw their laptop on the bed, smother it in blankets, then plug it in to recharge, said Dean Gallea, head of the Computer Technology Testing Unit at Consumers Union. Laptops stored in direct sunlight in a hot car also might explode.

"I think heat is the culprit, combined with marginal quality defects," Gallea said.

Safety tips

Still, we weren't talking about exploding CD players or laptop computers 10 years ago.

"There wasn't enough energy back to then to start a fire," Stern said. "(A battery) may have leaked chemicals on your hand, but there wasn't the available energy to create an explosion. But as technology companies get more aggressive," batteries will get more and more powerful, he said.

In addition to keeping gadgets properly vented, Stern suggests consumers pay close attention to gadgets after they are dropped to see if an inadvertent chemical reaction has begun. If something has gone wrong, the gadget will swell or start to become hot within 30-60 seconds. In other words, don't simply pick up a dropped cell phone and put it in your pocket.

Gallea also says don't leave charging cell phones or computers on your car seat in direct sunlight– that's asking for trouble. The same goes for portable DVD players the kids use.

Consumers looking to buy replacement batteries or chargers should be wary of third-party gadgets. It's not clear those gadgets will incorporate the same heat-limiting circuits that the original manufactories deploy.

And a really cautious user shouldn't charge a gadget like a laptop computer while using it at the same time.

"That's the way of generating the most heat internally. You've got the processor and the graphic chip and the charger all generating heat at the same time," he said.

Explosion requires 'perfect storm'

It's important to note that, while dramatic, incidents of exploding laptops and cell phones are extremely rare. Driving a car is far, far more dangerous than plugging in a DVD player.

When explosions have occurred, they were likely the result of a "perfect storm" combining consumer neglect and manufacturing flaws, said Consumer Reports technology editor Jeff Fox.

"The average person using (a computer) on a kitchen table is not in mortal danger," he said. "Most people who use things judiciously are not in danger."

Still, Power expects more incidents and more battery recalls are on the way. It's still not clear how many other laptop manufacturors use Sony lithium batteries; and frankly, how many other lithium batteries post a hazard.

"There's no reason to believe the number of incidents aren't going to continue to rise with the number of products on the market," he said. "The harder you work the battery, the hotter its going to run … (and) the more battery-operated products out there, the more likely you are to have failure that could result in property damage."

Millions of consumers who followed the correct procedure for protecting themselves from identity theft may still be at risk because the system for sharing fraud alerts among the nation's three credit bureaus is flawed, according to a study released Wednesday.

The study is small, but the findings are consistent with other research documenting inaccuracies or discrepancies in credit bureaus' files.

Consumers who fear someone has stolen their personal information are instructed by the credit industry to call one of the nation's three credit bureaus and request a fraud alert be placed on their accounts. The alerts are meant to warn potential creditors that identity theft might be under way so that lenders will take extra steps before granting credit to anyone applying with data included in the credit report.

In the past 18 months, some 90 million consumers have been informed that their personal information has been lost by a company or government agency, and nearly all have been told to place a fraud alert on their credit files as a first step toward protecting themselves from identity theft.

When consumers call to place the alerts at one of the nation's three credit bureaus, an automated system informs them that it's not necessary to call the other two bureaus – that the alert information is automatically shared among all three companies. Since passage of the Fair and Accurate Transaction Act in 2003, sharing of the alert information is required by federal law.

Instead, about 40 percent of the time, the sharing system doesn't work, according to the study by Debix Inc., a new company that is selling a service to consumers designed to make fraud alerts more effective. That leaves millions of credit reports unprotected, the study suggests.

'How can that be?'
"I just assumed when a law was created (to implement fraud alerts) that someone would actually measure the process to ensure that it worked," said Julie Ferguson, a vice president at Debix Inc. "Turns out we are the first to measure the fraud alert system. ... I just keep asking myself, how can that be?"

Ferguson is also a board member on the Merchant Risk Council, an association of electronic merchants which shares information and research concerning credit card fraud and other risks. Members include such e-commerce giants as Apple, American Express, Expedia, and the credit bureau Experian.

Norm Magnuson, spokesman for the Consumer Data Industry Association, an industry lobby group, questioned the methodology of the Debix study, and the study's results.

"Do I think there is a 40 percent propagation failure? No," he said. He said fraud alerts were successfully helping protect consumers from identity theft, and pointed to a reduction in the rate of increase of identity theft in recent years.

Asked if the industry had conducted its own study of fraud alert failures, Magnuson said he had not "seen any figures on rejection rates."

Don Girard, a spokesman for Experian, criticized the study's small sample size and said internal data contradicts its results.

"We see a success rate of 98-plus percent … in other words, a failure rate of less than 2 percent (receiving fraud alerts from the other two bureaus and applying them to the correct credit report)." he said. "I am baffled and mystified by this so-called study."

He said he did not know how successful Trans Union and Equifax are at applying fraud alerts that consumers file with Experian.

Betsy Broder, who heads the Federal Trade Commission's special ID theft unit, said she was aware of the Debix study.

"We have oversight of the system and we think it's important that the system works well for consumers," she said.

Most lenders – retailers such as cell phone companies or loan-granters such as auto dealerships – only examine one credit report before granting credit. If a consumer's fraud alert information is not shared among the bureaus, then two of the three credit bureau reports would not reflect the warnings, making identity thieves' work much easier.

The problem: Finding the right consumer
The Debix study tracked 54 consumers as they attempted to place fraud alerts on their files from May to August. Debix is about to launch a new product that automatically resets fraud alerts for consumers, which by default expire after 90 days.

Ferguson said that minor discrepancies in credit reports was the most common reason that the information was not shared among the bureaus. Examples included slight differences in a name (some include middle initial; others list full names) or erroneous data. When attempts are made to transmit an alert from one bureau to another, many alerts are rejected because the system cannot apply the fraud alert to a consumer's accounts because of these discrepancies, the study found.

In other words, the fraud alert is discarded because the system cannot verify that it is being applied to the right consumer.

In virtually every situation, the credit bureau involved failed to inform the consumer that the fraud alert did not set properly, Ferguson said. The only way to make sure an alert has been placed on a file is to obtain a credit report and see the alert printed on it, she added.

"(I'm) pretty disheartened because consumers and creditors put a lot of energy into making the system work and it is actually working pretty well if you can figure out how to set your fraud alert at all three bureaus," Ferguson said.

The biggest culprit in the failure, Ferguson said, was mismatched information in the consumers' address field – for example, one listing might indicate "99 Second Street", and another "99 2nd St." Mismatched dates of birth, or problems identifying generations (Michael Smith Jr. or Michael Smith III) also were common, she said.

Placing a fraud alert on a credit report involves responding to a confusing set of prompts from an electronic answering system that requires consumers to manually enter their personal information to verify their identity.

Frequently, subjects in the Debix study were able to fix their alert problems by obtaining a credit report and scanning it for errors, then calling the fraud alert system and entering the information as listed – even if it was wrong -- on the credit report, Ferguson said. In one example, an alert was successfully added to a report only by entering the same erroneous birthday into the system that was listed on the credit report, she said.

Credit reports: Many errors
The existence of factual discrepancies on credit reports has been chronicled many times. In 2004, the Public Research Interest Group found 54 percent of credit reports had some errors. In 2003, the Federal Reserve released a study which indicated that 70 percent of reports had some error. Thousands of lenders – known as "furnishers" in the industry – voluntarily place data in consumers' credit files. The quality of the entries varies, so it's common that consumers' reports end up with multiple versions of their names and addresses listed in their reports.

Because credit report information is private, it is notoriously difficult to perform comprehensive studies on credit report data. Researchers must obtain permission from individual consumers in any study, making the sample sizes small. The nation's three credit bureaus reject error rates found in such studies, and say mistakes are rare.

The fraud alert system has long been criticized by consumer advocates as ineffective. During congressional hearings in 2003, many consumers indicated they'd been hit by identity theft even after they'd placed fraud alerts on their accounts. For example, new credit cards were issued to imposters using consumers' personal information despite indications on credit reports that credit should not be granted without further identity verification.

The credit bureaus have often blamed retailers for ignoring the fraud alerts. Observation of them is not mandatory; lenders can choose to accept the risk of giving credit to a person with fraud alert on their account.

The Debix study, however, found that fraud alerts were generally observed by lenders, suggesting the blame might lie with a faulty fraud alert system.

Ferguson recommends consumers ignore the advice given by credit bureaus and call all three companies individually when requesting fraud alerts. Consumers should then obtain copies of their credit reports to make sure the alert appears, she said.

Our gadgets are our lifeline to the 21st century digital world. So why do we neglect them so? Why do we leave DVD players, GPS navigation systems, iPods, CD players and more lying around in our cars -- in plain sight -- just inviting them to be stolen?

Recently, my GPS was stolen from my car, so I became personally curious about the problem. And as it turns out, gadget theft from cars is skyrocketing -- up 30 percent in four years, according to the FBI's most recent statistics.

But those are just stats. To get an idea just how bad the problem is, we visited Paramus, N.J., just a few miles west of Manhattan, where the local police have set up a task force to deal with the problem of stolen gadgets. Click on the video above to see our journey, or read below. NBC Producer Andy Gross, editors Von Brunson and Mike Covert, and MSNBC producer cameraman Kevin Flynn help me tell this story.

"Theft from autos has definitely gone up," said Paramus Chief Of Police Frederick J. Corrubia. "And the main reason is that all these units are portable and people fail to secure them in their vehicles."

To prove his point, Corrubia graciously lent us a detective for a few hours to give us a thief's eye view of the problem. So with Detective Sgt. Robert Guidetti, we prowled the Garden State Plaza shopping center looking for easy targets. There were hundreds.

"We got one car parked ... right up close to the mall, but unfortunately they leave their GPS unit and the satellite radio right on the front dash," Guidetti said, motioning to one obvious target. "Just being close to the mall, that isn't gonna stop anybody from breaking the window. They will just walk on to the other side of the car where they are not seen and the view is being blocked by a van."

When we peered inside, we found even more electronics

"I see a laptop on the front seat (and) a mini DVD player," Guidetti said.

The problem isn't just theoretical. Stephanie Sorace, a hairstylist at the Garden State Plaza, had her GPS stolen from her car earlier this year.

"The insurance only covered about $600 so i was our about $500 with that," she said. "I was completely devastated with that because I was looking forward to that navigation system for so long and I finally got the money to get it."

Sorace had left her unit right on her dashboard. Not all victims are quite so obvious. When mine was stolen, I had taken the time to stash the GPS in an accessory box between my car seats. But I left the $20 plastic mount on the dashboard. When I came out in the morning, my passenger seat was full of broken class.

Empty GPS mounts, I was told by the man who replaced my auto glass, are a neon sign telling criminals, "GPS inside!" Car chargers left in the cigarette lighter offer similar hints.

So how do consumers protect themselves against gadget theft? For starters, put everything electronic in your backpack, and take it with you, or stash it in your trunk. That also includes accessories that serve as hints to criminals, like dashboard mounts or car chargers. Criminals are far less likely to pry open a car trunk looking for tech to take, chief Corrubia says. You'll be safer, he said, and taking a few extra moments to store your gadgets safely will give law enforcement agencies like his more time to deal with bigger problems.

"We are all in this together. what we have to do is pull together," he said. "If we secure all our items we may be able to cut car insurance costs for theft."

Consumer Reports recently conducted one of the most thorough tests ever of antivirus programs. But to really put these security programs through the paces, the magazine hired a firm to create 5,500 new viruses, using them to test the antivirus software products for their ability to detect unexpected threats.

Now antivirus companies are crying foul, saying the magazine ignored a long-standing principle not to invent new viruses.

"Creating new viruses for the purpose of testing and education is generally not considered a good idea," wrote Igor Muttik of McAfee's antivirus lab on a public company blog this week. "Viruses can leak and cause real trouble." The entry helped touch off a firestorm.

Other antivirus commentators were far more inflammatory, accusing Consumer Reports of being irresponsible.

"The antivirus community has always been very strongly opposed to the creation of new malware for any purpose," wrote John Hawes, the technical consultant at antivirus Webzine Virus Bulletin. "There's just no need for it. Plenty of new viruses are being written all the time, why would anyone in a responsible position want to add to the glut?"

For a very good reason, said Consumer Union's Evan Beckford, who helped run the test. Nearly all antivirus programs do a good job of detecting known viruses. That's easy; and rarely are old viruses the cause of much trouble.

It's the new viruses that cause outbreaks like the LoveBug or Code Red. So antivirus software's ability to detect new, unexpected threats is paramount, he said.

"We need to anticipate how antivirus software will react to future threats. This is the only way we know to do it," Beckford said. "We think the benefits far outweigh the risks."

The viruses were created by paid outside consulting firm Independent Security Evaluators.

Better tests are essential

Malicious programs and recovery from virus attacks cost Americans about $5 billion last year, Beckford said, adding that more in-depth, objective testing of these packages is essential.

Widely respected computer security researcher Alan Paller agrees. As director of Research at independent security training firm SANS Institute, Paller helps thousands of technology professionals prepare for virus outbreaks. He thinks Consumer Reports' rigorous testing was fair and appropriate.

"I think it's extremely valuable because a great weakness of most leading antivirus tools is that they are slow in detecting new viruses," he said. Creating viruses in a lab environment isn't wrong, he added – only distributing them is wrong, he said.

But David Marcus, a security research manager at McAfee, said Consumer Reports was playing with fire by making the new malicious programs.

"I understand .. if you want to test a car's performance, you test the car put on road with lots of bumps on it," Marcus said. "But when you are talking about malicious code, there's a threat to public. There are professionals who know how to handle viruses. It should be left to them."

Consumer Reports didn't create thousands of new viruses from scratch. Rather, it took a handful of existing viruses and created hundreds of slight variants, changing the malicious programs just enough to evade detection by an antivirus program with a list of known threats.

That's a common trick in the virus writing world; it's standard for a successful virus to inspire dozens of variants.

"In some cases (they were created) using freely available tool kits on the net put out there for virus writers to use," Beckford said. "We did exactly what script kiddies (young hackers) would do."

'Bad things can happen'
In the results, McAfee scored in the middle of the pack. BitDefender and Zone Labs scored at the top, in part for the two program's abilities to detect new viruses.

Marcus denied McAfee's lackluster result motivated the company's criticism of the study.

"The antivirus community is unified ... that people should not write viruses," he said. "Bad things can happen. They get out."

The tight-knit antivirus community has spent years developing a set of ethics to deal with the many sticky situations that bubble up from computing's underground. Universally, companies say they won't hire former virus writers, and they follow gentleman's agreements to share discovery of dangerous programs with each other for the common good.

Still, there are persistent accusations that security firms somehow fund or promote virus writing activity, which is clearly good for business. Such accusations have never been proven, but the emotions they dig up explain part of the antivirus community's knee-jerk reaction to any discussion involving creation of new viruses.

The issue of effective, independent testing continues to be a challenge for the industry, particularly as consumers are faced with an ever-widening array of threats online. In fact, Symantec Corp., which wouldn't comment on the controversy, did say it is holding a symposium on objective antivirus testing methods during the fall in New York.

Disagreement with Consumer Reports over testing methods is nothing new. But creation of potentially dangerous testing by-products is new for the magazine, and its parent, the non-profit entity Consumers Union. Now that the test is over, what will Consumer Reports do with its potentially destructive software?

"Those viruses exist right now only on a CD in a sealed container in a locked cabinet in our computer lab," Beckford said.

That's a CD the antivirus industry will no doubt want to get its hands on very soon.

"It's a good idea that if McAfee and rest of antivirus industry (gets a copy) to make sure consumers are protected," he said.

Of course, if antivirus software worked better, we'd all be protected from those variants already.

Consumer Reports' September issue, including the review of computer security products, is on newsstands now. A detailed description of its testing methods is available at the magazine's Web site.

The Homeland Security Department could really benefit from enrolling in the school of hard knocks that software developers have been attending for the past decade or so. The primary lesson the geeks could teach is this: Rely on consumers to follow complicated, optional security procedures, and you're sure to fail. Give them easy tools that are designed from the start to be safe, and give them a clear path to do the things they need to do, and you stand a fighting chance.

Let me put it another way: Expect people to choose and remember complex passwords, and they'll use sticky notes and affix those passwords to their computer monitors. Tell users not to open e-mail attachments, but give them the ability to do so, and they will most certainly click on something that looks like a love letter. Leave it up to the users, and you'll have major incidents on your hands like the I Love You virus. Blame those users, and you'll feel superior, but no one will be any safer.

On Tuesday, I had my first personal taste of a post-9/11 Homeland Security situation. The planning felt eerily similar to the kind of strategy that doomed computer security 10 years ago. Give me a moment to describe the doomed "every man for himself," approach. Then I'll explain the parallels to tech security.

It was rush hour, and suddenly all the trains heading west out of New York's biggest train station were shut down. I had a plane to catch in Jersey in three hours, and now, I had no clear way across the river. Tens of thousands of commuters faced the same kind of dillema. The station was a sea of confused people yelling into their cell phones and staring at station monitors. Passengers were told only this: "Trains are delayed for police activity." That was it.

I learned from my pals at the NBC News desk that investigators were checking into a suspicious package discovered on the other side of the Hudson River. So all the trains to New Jersey were marooned indefinitely in Manhattan.

New Jersey's commuter rail system is the largest in the country, feeding hundreds of thousands of workers into New York every morning. This shutdown stranded them all.

Mob rule
What happened next is a scene I know New Yorkers have repeated again and again since 9/11-- the frustrated mob slowly but surely developed its own plan for escaping Manhattan that night. It quickly passed through the crowd: walk a few blocks east to a different train system that crosses the Hudson called the Path, and take that to get to the Jersey side. Then take a second subway to Newark, which would reconnect people to some of New Jersey's commuter rail. It was far from their intended destinations, and wouldn't work for everyone, but somehow, most of the crowd silently agreed to this alternative.

So off it went, parading up 33rd Street, taking over the busy Manhattan street, then cramming down an escalator.

Once down underground, the chaos really began. Effectively, passengers from six different train lines tried to cram their way onto one subway line. Sardine-style compression soon followed. But things got much worse on the Jersey side, after we were all summarily dumped on the other side of Hudson. The second line was ill-prepared for the exodus. The platform in Jersey City, where we were left, was nearly overrun. I had to let three subways headed for Newark go by before I finally shoved my way onto the fourth. As I did, I shouldered a man who tried to push past me, as if we were fighting for a rebound on a basketball court. It was instinctual on my part; his scowl made me glad he didn't follow his instincts.

The platform I was on had been dangerously full; but the final subway ride was even more so. With arms and legs thrust every which way, even caught in the door for a while, it's a wonder no one was injured.

Preparing alternatives
But it's outrageous that Homeland Security wasn't better prepared. The disorderly evacuation, in the end, was far more dangerous than the suspicious package. (It turned out to be a drum of hydrolic oil that had fallen off a train.)

Clearly, we live in a time when bomb threats and "police actions" are the norm. So why isn't a clear Plan B also the norm?

It's not enough to invest in million-dollar technologies for diffusing bombs and super-sci-fi tools that allegedly smell them out. We also need to plan orderly alternatives for our citizens when disruptions occur. In the days immediately following Sept. 11, it was understandable that security officials asked for our patience. Long lines were an inconvenience, surely, but well worth it for safety's sake. But five years after 9-11, it is not enough to tell rush hour commuters in Manhattan to fend for themselves whenever there is a suspicious package. It's not enough to tell people to grin and bear massive delays. Alternatives should be spelled out. Extra trains and buses should be raced into action. Commuters should be told more than "a police action" is causing delays, and they should be given a clear alternative method to get home.

Doing so is not simply a matter of convenience. Failure to do so will eventually lead to dangerous, even fatal consequences. Angry commuters who take matters into their own hands will hurt each other, or take unnecessary risks packing themselves onto subways cars, or trample each other on escalators, or end up being a great target for terrorists as they line up on some other crazy queue.

Back to the geeks
Here's where the geeks can teach the spooks something. For years, software developers took the attitude that consumers needed to defend themselves against hackers -- and if they didn't, it was their own fault. "Use your dog's name as a password, and you deserve to lose your money," I've heard whispered by more than one tech elitist.

And so, until recently, every single wireless networking device sold to consumers was configured to broadcast all your bandwidth to your neighbors. It was up to consumers to add the security. Likewise, for years, the only thing between a hacker and the money in your online bank was an easily-guessable user name and password. Sure, banks told consumers not to use 1234 for their passwords . But they did anyway. And likewise, consumers opened e-mail attachments that looked like love letters or pictures of Anna Kournikova.

Now things have changed in the software world. Many companies now ban attachments - a clear step that protects people from understandable, human mistakes like clicking before thinking. Banks now rely more on back-end algorithms to catch fraud than strong passwords remembered by consumers.

But most important, software firms and information technology companies now understand the need to give users a safe alternative to dangerous things they might want to do. It's not enough to simply bar an activity like opening attachments. When you do that, users simply sneak around the ban somehow. People always find a way to do what they have to do. They'll have a document e-mailed to an unsafe Web e-mail service and end up opening it anyway. Just as, eventually, a crowd trying to get home will think to run across town to another train service. Even if that train service turns out to be just as dangerous.

Companies have learned they must provide safe alternatives to employees who want to receive Excel spreadsheets and Word documents in e-mail. Attachments can be mailed to specially quarantined computers, for example. Banks need to provide safe login tools for people who just can't remember passwords like "th1s0ne." So they've created easy password alternatives that are now making their way through the online banking sector.

Similarly, Homeland Security needs to plan -- not just for attacks -- but for safe alternatives so commuters can get home when there's a potential hazard. Serious energy needs to be put into creating and communicating safe alternatives that help us move in a time of crisis. There must be alternatives that prevent us from needlessly costing people time, money, and anxiety. Preventing attacks is only one way of winning the war on terror. Preserving our way of life is equally important.

There is a new reason to think twice about using your debit card when you go shopping. Criminals have managed to steal ATM account information and PINs from shoppers at Dollar Tree stores in western states.

The U.S. Secret Service says it is investigating. Visa Inc. says it is too. No one will say how widespread the crime spree is, but here's a hint -- 150 consumers who shopped at a Dollar Tree store in Modesto, Calif., have told local police that a total of $170,000 has been stolen from their accounts. Similar reports have trickled in from Ashland, Ore., some 350 miles to the north.

It appears criminals are using stolen data to create counterfeit ATM cards, then using stolen PINs to withdraw money from victims' accounts. This kind of theft is far more serious than credit card fraud, because the money instantly disappears from victims' accounts, and it's up to victims to call their banks and get it back. And after 60 days, victims lose their right to refunds. That's much different from credit card frauds, which simply require consumers to call and have items removed from their bills.

And don't forget – while victims and banks sort all this out, consumers often lose access to their checking account money. One victim I heard from said he was traveling, and suddenly couldn't access his cash. Banks often try to paint this kind of crime as painless for consumers. It's not.

The critical question is this: How did the criminals get their hands on PINs? The four-digit numbers are supposed to be sacred – so sacred that they are encrypted the moment consumers enter them into those little PIN pads that are slid across the counter at retail stores. There should be no way for any criminal to access that information. It's immediately hidden inside complicated mathematical formulas and transmitted as something called a PIN block, only to be unwrapped by the consumers' bank in order to check that PIN.

Nevertheless, the fact that the withdrawals were made makes clear that criminals somehow managed to grab PIN numbers. There is also evidence that the crime was at least somewhat sophisticated. Sgt. Craig Gundlach of the Modesto Police Department tells me the data was stolen between March and April from the local Dollar Tree store, but wasn't used to withdraw funds until mid- to late June. A casual criminal would have tried to make off with cash much quicker.

The story echoes a massive ATM data theft that occurred late last year involving perhaps 200,000 accounts. In that case, withdrawals occurred as far away as London and Moscow. Many consumers who reported the thefts had shopped at retailer Office Max, but the firm denies it was involved in losing any consumer data.

"Obviously there were lessons from the last PIN debit breach that weren't learned," said Avivah Litan, a banking security analyst at research firm the Gartner Group. "There is a desperate need to upgrade (security) standards."

In the Dollar Tree case, the company confirms its customers were struck by the crime. Spokesman Tim Reid said the incident was confined to "a handful of locations," but refused to say how many. He said investigators had come to no conclusions about how the data had been stolen.

The number of possible methods are limited. The PINs might have been stolen by "shoulder surfing" – criminals who watched consumers as they typed in PINs, perhaps through high-powered scopes. But given the number of compromised cards, that seems unlikely.

Criminals could also sit in the parking lot with laptop computers and download the data over a wireless network that had been incorrectly configured to store PINs. Or the PINs could have been stored incorrectly on computers connected to checkout registers -- and then copied by an employee or someone else who had access to the hardware.

Finally, the data could have been stolen from Dollar Tree's payment-processing company. Internet Cybersleuth Richard Smith points out that Meridian Payment Systems indicates on its Web site that it provides processing services for Dollar Tree. Meridian is a division of National Processing Company in Louisville, Ky., which was acquired by Bank of America in 2004.

Betty Reiss, Bank of America spokeswoman, wouldn't comment on the theft. But she did insist that "we haven't lost any data."

On the other hand, she confirmed that the company's consumers had recently been hit by data theft. She said Bank of America had recently canceled and reissued a "limited number" of ATM cards in response to a data leak incident -- she wouldn't specify which one.

As is standard in these incidents, hard information is nearly impossible to come by. Thousands of dollars disappears from consumers' checking accounts; mysterious card cancellation notices are received. Nearly everyone says nearly nothing, making it very hard for consumers to know how to react.

Here's my best effort at advice. Consumers' rights governing credit card thefts are much stronger than rights governing debit card theft. So it makes sense to use credit cards for retail purchases instead of debit cards. Each time you give anyone your debit card, you are exposing your entire checking account to possible fraud. It's true that in most occasions, consumers receive a full refund of the stolen money. But you still have to get the refund. Wiping off fraudulent credit purchases is much easier.

As long as ATM PIN thefts remain this mysterious, I'd recommend leaving your check/debit card in your wallet and using a credit card instead.

It is perhaps the world's oldest security technique -- forcing someone to drink from the bottle they are carrying to prove the liquid inside isn't dangerous. But five years after 9/11, with billions of dollars invested in the latest high-tech security gadgets, U.S. airports were forced this week to employ this very old-fashioned technique. As mothers were sipping from their baby's milk bottles in front of Transportation Security Administration workers Thursday afternoon, some had to be thinking -- is this the best security $5 billion a year can buy?

All our technology investments since 9/11 apparently can be thwarted by altered sport drink bottles. On Friday, that news had well-known security expert and author Bruce Schneier crying foul.

"Most of the stuff we're spending money on is a waste of money," said Schneier, whose terrorism security book "Beyond Fear: Thinking Sensibly About Security in an Uncertain World" was published earlier this year. The quest for technology that makes us safer has so far been largely a wasted effort, he argues, because terrorists can always win a game of cat-and-mouse. For each gadget security experts invent, terrorists just alter their plans slightly and circumvent it. "We are spending billions of dollars to force terrorists to make minor changes in their plans."

Since the terrorist attacks of Sept. 11, the Homeland Security Department has repeatedly turned to technology to keep us safer. There were signs this week that tech has so far let us down.

Early Thursday morning, when U.S. officials were told by their British counterparts precisely what explosives this week's crop of would-be terrorists planned to sneak onto an airplane, federal authorities raced to Reagan National Airport to conduct a test, reports NBC News Pete Williams. Would the ingredients be picked up by normal boarding procedures? Would magnetometers or baggage X-ray machines tip off screeners about the liquid explosive ingredients? The answer was clear and alarming.

"I was told, 'They didn't like what they saw,' " Williams said.

So for the foreseeable future, you won't be able to carry hand lotion or bottles of water with you when you board an airplane.

Remember face recognition?
A long of list of tech-safety projects have come and gone -- taking millions of dollars with them -- since 9-11. The most controversial, Secure Flight, involved creation of an extensive database of travelers, matching that with commercially available data, and applying special formulas to predict likely terrorists from flying patterns and purchasing habits. After several years and an estimated $150 million, Secure Flight was sent "back to the drawing board," by Homeland Security Chief Michael Chertoff earlier this year.

The federal government still maintains lists of potentially dangerous people it says shouldn't fly on planes, the so-called No Fly List. But the technology used to communicate those names to airlines is today essentially the same as it was on Sept. 10, 2001.

Similar failed experiments have dogged other expensive and failed technologies like facial-recognition software.

Thursday's failed plot -- and TSA's reaction to it -- can only be seen as a tacit admission of failure for the nation's explosive detection projects. That's the only conclusion to draw from implementation of the brute-force solution to ban all liquids on all airplanes.

Last year, the Department of Homeland Security budgeted $443 million for explosive detection technology. Many passengers around the U.S. are already being subjected to inspection by some of the best new explosive detection technology money can buy, so-called "trace portals." They look like magnetometers, but trace portals actually work by blowing small puffs of air at subjects, then inspecting the disturbed molecules for traces of explosives. The devices cost $160,000 each, according to Homeland Security. There are 93 of them now in 36 airports around the country.

Neither TSA nor the two makers of the devices -- Smith Detection and General Electric -- like to talk much about how trace portals work. So there is no definitive answer as to whether trace portals could have prevented the planned attack. But clearly there was little confidence expressed in the devices this week. Meanwhile, other gadgets that might detect bomb ingredients are nowhere near U.S. airport screening lines.

What almost happened
The news this week was actually good news – that a terrorist plot didn't happen. But had events broken the other direction, an investigation into America's preparedness for carry-on explosives would have echoed the "this-could-have-been-prevented" inquiries into the Katrina disaster or 9-11. There have been ample warnings about exactly the kind of liquid bomb attack foiled this week.

This week's failed plot appears to be a near carbon copy of an attack uncovered in 1995, which was planned by 1993 World Trade Center bomber Ramzi Yousef. Last summer, during a House committee meeting on security, Rep. Peter DeFazio grilled Transportation Security Administration's chief technology officer Clifford Wilke about the agency's preparedness for liquid bomb attacks. DeFazio's remarks sound prophetic now.

"We haven't equipped our people at the checkpoint to detect the bomb that (Yousef) used … and I'm concerned that there are patterns out there. (The terrorists) came back after the (1993) World Trade Center bombing. I'm worried that someone else's going to come back."

Even with more than a decade's warning, the only tool screeners have right now to protect against the Yousef plot is a large trash bag.

"I think we have wasted a lot of money, and I don't think we've gotten a big bang for our buck," said James Jay Carafano, a security analyst at the Heritage Foundation.

However, he wasn't critical of all of the TSA's efforts. Work on biometrics and some of the immigration-screening technologies have improved, he said. But efforts to screen 100 percent of passengers and bags for 100 percent of any dangerous objects is, as he puts it, is guaranteed to be a losing effort.

Look for dangerous people, not dangerous objects
Frequent aviation security critic Bob Polle, who in January published a report called "Aviation Security's latest 'F' ," said the chief problem is the paradigm that persists in airline security. Screeners and technology are both focused on finding knives or explosives -- a needle in a haystack -- rather than finding those who are intent on causing harm.

"The focus needs to shift from trying to find the latest bad object to systematically finding the bad people," he said. Secure Flight, the now-tabled database of fliers, has been TSA's only effort at that to date.

Schneier, who served on a special TSA task force for Secure Flight, said the best way to find bad guys is to stop wasting money on ineffective technologies and instead hire far more on-the-ground intelligence agents. After all, this week's plot was apparently foiled by old-fashioned police work and volunteer tips-- not whiz-bang technology.

"The little money we spent on intelligence paid off," he said.

Not everyone is down on tech as a safety tool. Larry Ponemon, operator of consultancy The Ponemon Institute and advisor to the Department of Homeland Security, says the agency's Transportation Workers Identity program deserves high marks. It involves new high-tech ID cards designed to keep terrorists from sneaking into secure locations at airports.

The failure of SecureFlight and other projects has more to do with bureaucracy than technology, he said.

"My belief is that a lot of these projects are not able to get off the ground fully because...there are too many people in the decision-making process," he said. "There's so much inertia on this topic…this is more about the inability to execute and the inertia of these bureaucracies."

'Movie plot security'
But Schneier is adamant that the search for a silver technology bullet to make flying safe is actually a distraction that hurts the cause. And right now, he's concerned that Homeland Security is caught up in a vicious and counter-productive circle.

"We invent a movie plots. Then we spend money because we have in our heads a specific, dreamed-up a movie plot," Schneier said. Or alternatively, we spend incredible amounts of time and money fighting against the last threat instead of the next threat – taking our shoes off in response to the "shoe-bomber" threat while all the while the next attack may very well involve explosives smuggled on as airplane food. Inventing technologies to thwart specific threats is pointless, he says.

"I'm tired of (security) that requires me to guess correctly. That's the problem with the movie plot threat model."

There's good news and bad news out this morning about the dangers facing children when they go online. It appears all the news reports and educational efforts to warn parents and kids about online dangers may be having an impact.

In a study released today by the Center for Missing and Exploited Children, fewer kids report being solicited by strangers online for sex. On the other hand, there is an uptick in kids who report being exposed to unwanted sexual material such as pornographic spam; and there's a sharp rise in something experts call cyberbullying. If you're not familiar with that term, you will be soon.

Back to the good news for a moment. The Center for Missing and Exploited Children reported back in 1999 that 1 in 5 children aged 10 to 17 had been solicited for sex online. You've seen that statistic repeated again and again in online safety marketing campaigns. Well, things are a bit better now. A telephone survey conducted last year found that number shrunk to 1 in 7.

The good news ends there, however. The study found that the most serious kinds of solicitations -- those that involve a predator attempting to make real-world contact with a victim -- have not declined.

Also in the survey, one-third of children reported they were exposed to sexual material online, compared to 25 percent five years ago.

And there was an increase in the number of kids reporting cyberbullying -- from 6 percent 5 years ago to 9 percent today.

Cyberbullying involves technology-based taunting of children. It can range from a few nasty text messages, to a deluge of ugly e-mails, to hacking children's MySpace accounts and placing pornographic pictures on them. Kids can be cruel. And kids with technology can be cruel on a world-wide scale.

"There is no question that cyberbullying is a big deal now," said Parry Aftab, who runs child safety Web site WiredSafty.org. She offers tips for parents and schools at
A Web site named StopCyberbullying.com

Polls are, of course, are subject to interpretation. It's hard to say exactly how many children have been hit by the most serious form of sexual exposure or bullying. But it's clear far too many children are finding trouble online, and parents need to know what kind of trouble can be found there.

Finally, somebody is doing something about those crazy gift card "dormancy" fees. That someone in particular is the Federal Trade Commission, which recently accused Red Lobster restaurants of misleading consumers in the way these fees are charged.

In case you've never received a gift card, or you've never turned one over and pulled out a magnifying glass, dormancy fees slowly drain the value of gift cards when they're not used. In Red Lobster's case, after 24 months, $1.50 is slowly ticked off the card for each month it's not spent.

So here's what can happen. A $25 Red Lobster gift card purchased on January 1, 2004 and never used was only worth $23.50 on Jan. 1 2006. And by Jan. 1, 2007, that card will only be worth $7. By spring, it's a worthless piece of plastic.

The FTC isn't actually accusing Red Lobster and its parent Darden Restaurants Ltd. of being crazy, or attacking dormancy fees directly. Instead, the FTC says Red Lobster customers weren't told clearly about the fees.

The FTC doesn't disclose information about ongoing investigations, but Darden revealed the investigation in its recent annual report. Darden said FTC attorneys had found that the company engaged in "unfair and deceptive trade practices," and asked for $30 million in reparations. The company has until the end of August to consider the settlement offer.

Darden declined my request for an interview, but spokesman Jim DeSimone told the Orlando Sentinel last week that the company did adequately disclose gift card fees.

"In every case since we've had the gift-card program, we have notified consumers of the potential for maintenance fees at least once . . . and often multiple times," DeSimone told the newspaper.

I disagree. Today I went to Red Lobster's Web site to order a gift card and see how clear the dormancy fee disclosure is. The answer: Not at all.

Clicking on "gift card" from the site's home page brings visitors to a page that allows consumers to pick the number of cards they want, and their value, and add them to a shopping cart. Nothing about dormancy fees there.

That's not to say there isn't small print on the order page. But these statements don't protect consumers, they protect the company. Like this: "Orders placed after 3:00 PM Mountain Time or on weekends usually ship the next business day."

Or this, clearly designed to prevent fraud: "There is a $500.00 maximum per order. You may not purchase more than $500.00 per credit card in a 30-day period. Orders over $200.00 must be shipped to the billing address."

But nowhere on that page is there notice of a $1.50 monthly fee. And it's easy to complete your purchase without ever receiving such notice. Only those consumers savvy (or curious) enough to scroll to the bottom of the page will find the link that hints at other, potentially damaging, details.

"Important: Gift Card Terms and Conditions" it says, in a lovely blue pastel color. It's easy to miss, as it's overshadowed by the words "Your Shopping Cart is Currently Empty," which are larger, and shine in bright red.

Still, an industrious visitor who clicks on "Gift Cards and Conditions" brings up a page that's topped by one word in red: "Legalese." Nothing says "read me" like "Legalese."

Perhaps use of the word is self-effacing fun. After all, Wikipedia, the Internet's deciding vote in conventional wisdom, defines legalese as a pejorative term "for legal writing that is difficult for non-lawyers to understand."

But only in this legalese will you see mention of the $1.50 fee, in a part of the site the company practically tells you to skip because it's going too be to hard understand.

"If you don't use your card for a 24-month period, a $1.50 monthly maintenance fee will be deducted from the balance until you use it again," it says. Actually, I think that's pretty easy to understand. It's just hard to find.

Gail Hillebrand, a staff attorney at Consumers Union, said it was encouraging that the FTC had taken notice of Red Lobster's fees, and its alleged inadequate disclosures. But fee disclosure is really only part of this story. Gift cards are a huge business now -- $35 billion in gift cards were sold last year, with the business expected to swell to $76 billion this year. And since the beginning, nickel-and-dime fees on the card have been a secret source of extra revenue for the companies--and an incredible irritant for consumers. Each year, the Montgomery County of Maryland's Office of Consumer Protection performs an excellent survey of gift card fees. The survey is excellent reading.

In last year's study, published in November, the agency concluded the Red Lobster was one of six major retailers that didn't adequately disclose dormancy fees. The others were Blockbuster, KB Toys, Kmart, Macy's, and Toys "R" Us.

But while we're on the subject, retailer fees pale in comparison to fees assessed on bank-issued, general-purpose gift cards. Some of those start with a $10 fee, then layer in transaction fees, monthly fees, ATM withdrawal fees, and so on. It's easy to concoct a scenario where a $25 present costs you $35 and the recipient only gets to spend $15.

As I've said before in this space, cash really is an acceptable gift! But if you must give plastic, support those companies that don't reach out and take money from your gift recipient. And always ask a question like this:

"How much is my $25 gift card worth? And how much will it be worth in two years?"

When is a $79 cell phone cheaper than a $49 cell phone? Welcome to mobile phone mathematics.

That snazzy new cell phone the store clerk just talked you into probably costs more you think thanks to a sneaky fee known as the "phone upgrade fee." You might think you walked out of the store with a great deal on a phone and a steal of a monthly plan for $34.99 per month. But this phone upgrade fee – a fee you might not even realize you'll have to pay later on -- could cost you more than a month's worth of minutes.

I'm sorry to report this: To the complicated calculus required to make an informed purchase of a new cell phone and plan, you must add "upgrade fees" as a variable. And no, this is not the same as the "activation fee" you're probably already familiar with. This fee is levied against loyal customers who choose to stay with their carriers and purchase a new phone.

Julie-Ann Klein, a Washington, D.C., area real estate agent, found out about upgrade fees the hard way.

Klein had an old AT&T Wireless phone and decided recently to get an all-in-one gadget that let her make calls and receive e-mail on the road. Cingular acquired AT&T Wireless two years ago, so Klein had to turn to Cingular for the new e-mail phone.

The gadget worked just fine, and she had no complaints, until the first bill came. On page four of the 22-page bill, there was a long list of "other services" with cryptic names like "IntlRmS/C Am/Car1.99," and "IntlRmMidE/Afr2.49." Next to each was an entry under Total Charge listed as 0.00. But at the bottom of the list was this entry: "Promotion for Upgrade Processor." Charge for that service: $18.

Klein was furious. She says she was never told about the fee. When contacted, Cingular held its ground and refused to remove it.

"My husband spotted it. He said, 'What's this?'" Klein said. "It's frustrating to know that these extraneous fees are being charged without being sufficiently disclosed. ... On top of the other charges, (the fees) really add up."

Cingular says it all upgrade fees are disclosed to all consumers before they sign cell phone contracts.

Surprise can cost you $36

But one thing is clear: plenty of consumers are surprised by the upgrade fees. An Internet search reveals a flood of complaints about them. And Cingular's $18 surprise isn't the only fee generating complaints.

Nextel customers who get a new phone can pay as much as $36 in a subsequent bill for the right to use the new phone. Sprint customers also face as much as $36 in fees for what some bills call a "handset upgrade fee." Plenty of consumers call it by other, less polite names.

In at least one lawsuit, the practice is called illegal. Earlier this month, Cingular was sued for allegedly unfair practices in a Seattle federal court by plaintiffs seeking class-action status. The suit alleges that former AT&T Wireless users were forced to upgrade to Cingular's network and then given the choice of paying either the upgrade fee or a $175 early termination fee. The suit hinges on the allegation that Cingular intentionally downgraded the AT&T Wireless network, effectively pushing consumers to either upgrade or quit.

Cingular's Mark Siegel said the lawsuit is baseless and called it a "publicity stunt ... built on thin air." He added that former AT&T Wireless customers did not have to pay the $18 upgrade fee if they chose to join Cingular's network.

In Klein's case, Cingular says she had already upgraded her phone once before, and her $18 fee had been waived previously -- that's why she was charged the upgrade fee.

Internet advice bulletin boards, by the way, are full of consumers who claim complaining worked. Many say the fee was removed after a call to customer service.

What do you get for your money?

A natural question for consumers who discover the fee is this: What am I paying for?

For an entertaining set of answers to that question, I found this Web site,
where several writers who identify themselves as cell phone retailers describe their answers to that very question. Here are just a few.

•"I just tell them that it's California law and Cingular doesn't get any part of it. I also tell them I think it sucks too."

•"If someone asks me why upgrade fees are charged, I simply tell them that it is so I can get a paycheck. Most people just laugh and end up signing up."

•"I tell people that I honestly do not know why they are charging the upgrade fee or what it's actually for."

•"(I) wait till it pops up on their bill. Never when selling the phone."
And my personal favorite:

•"(An) easy way of rephrasing about the upgrade fee is pulling a magic string and showering them with confetti and balloons and telling them YES WE WILL NOT WAIVE YOUR UPGRADE FEE - They will be so happy and leave your store smiling about all the confetti you just poured on their head."

Now you know what mobile phone retailers think of you. There are more answers at the site, so it's worth reading. None of those answers are official, however. Here's Sprint's answer, from spokesman Mark Elliot.

"The upgrade fee is standard across the industry," he said. In Sprint's case, consumers pay $18 for upgrading online, $36 if they walk into a retail store and buy a phone.

I asked Elliot what consumers were getting for that $36. After all, when I get a new phone, I watch the clerk press a few buttons, and in an instant, my new phone works and my old one doesn't. How could that cost $36?

"It's for the process of changing your handset out and programming the new one … (and) making adjustments to your account," he answered.

I got a similar explanation from Cingular.

Verizon and T-Mobile – no upgrade fees

But I got very different answers to my questions from Verizon and T-Mobile. Neither charges upgrade fees, challenging the notion of "standard industry practice."

Here's my problem with upgrade fees. Consumers don't pay the fee when they buy the phone. Instead, it's tacked on to a future bill -- a bill that arrives after it's too late to cancel the contract. In Nextel's case, the fee might not appear on a bill until two months go by.

That puts consumers at a distinct disadvantage, and leads to surprises. After all, Sprint, Nextel and Cingular can't control the dialog that occurs between retail salespeople and customers. Perhaps those fees are disclosed on a lengthy form or during a verbal exchange at some point, but how can these firms be sure consumers understand?

Actually, there is a way: Put the fee on the price tag, and make people pay it up front. That will end the surprises, and allow consumers to compare apples to apples when upgrading their phones.

After all, a $49 new phone starts to sound quite a bit less appetizing when you find out the price is really $85. It's enough to make a $79 phone sound downright cheap by comparison.

Ultimately, consumers are frustrated because the number they see at the bottom of their monthly bill is often so much bigger than the price they see in the store window. Have you been surprised by your cell phone bill? Share your frustration below.