• Global Payments: Under 1.5 million account numbers hacked

    UPDATED April 1, 11:35 p.m. ET

    Global Payments Inc. hinted on Sunday night that about 1.5 million consumers were impacted by the massive credit card hack that first came to light on Friday -- fewer than the 10 million that was initially reported.  

    In a statement, the firm said "less than 1,500,000 card numbers may have been exported" by hackers who had access to its payment processing system. "Cardholder names, addresses and social security numbers were not obtained by the criminals." 

    It also said hacker access was limited to the North American portion of its network. 

    Even without names or Social Security numbers, the so-called "track 2" that the firm admits was taken for each account would be enough for criminals to make fraudulent online purchases or perhaps clone credit cards to commit real-world fraud. 

    The data leak was first revealed on Friday, when MasterCard and Visa confirmed that law enforcement officials were investigating a major theft of U.S. consumers' credit card data. The computer security expert who first reported the theft said at the time that it might involve as many as 10 million accounts, making it one of the largest known credit card heists.

    "MasterCard is currently investigating a potential account data compromise event of a U.S.-based entity and, as a result, we have alerted payment card issuers regarding certain MasterCard accounts that are potentially at risk," that association said in a statement. "Law enforcement has been notified of this matter and the incident is currently the subject of an ongoing forensic review by an independent data security organization." 

    In what is said to be an unrelated incident, Visa's network was knocked offline for about 4 minutes on Sunday afternoon. Visa, in a statement, blamed a technical glitch for preventing consumers from making transactions from 2:40 p.m. until about 3:20 ET. 

     

    Payment processors -- "middle men" that handle transactions between retailers and banks -- have long been a target of identity thieves because of the enormous amounts of data they control. In 2008, Princeton, N.J.-based Heartland Systems was hacked, exposing tens of millions of credit card account numbers to theft.

     

    The theft was first reported by well-known computer security journalist Brian Krebs on his blog, KrebsonSecurity.com.  He reported that hackers had access to the then-unknown processor's data from Jan. 21 through Feb. 25, and were able to siphon off enough data to easily create counterfeit cards. His sources called the leak "massive."

    Visa, in a statement, also acknowledged the data theft but said its own systems were not hacked.

    “Visa Inc. is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands,” the firm said. “Visa has provided payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards.”

    Gartner security expert Avivah Litan said she's been told that the stolen data is already being used on the street by identity thieves.

    "I’ve spoken with folks in the card business who are seeing signs of this breach mushroom. Looks like the hackers have started using the stolen card data more recently," she said.

    She's been told that investigators believe the data theft originated in New York City.

    "From what I hear, the breach involves a taxi and parking garage company in the New York City area, so if you’ve paid a NYC cab in the last few months with your credit or debit card — be sure to check your card statements for possible fraud," Litan said in her blog post on the topic.

    MasterCard said none of its computers were hacked as part of the incident.

    "MasterCard is concerned whenever there is any possibility that cardholders could be inconvenienced and we continue to both monitor this event and take steps to safeguard account information," the association added in its statement. "If cardholders have any concerns about their individual accounts, they should contact their issuing financial institution.... It is important to note that MasterCard's own systems have not been compromised in any manner."

    *Follow Bob Sullivan on Facebook     
    *Follow Bob Sullivan on Twitter. 

  • After investigation, AT&T, Verizon agree to stop 'cramming' phone bills

    Verizon and AT&T have agreed to stop “cramming” consumers' telephone bills with unauthorized third-party charges, Sen. Jay Rockefeller announced Wednesday. The move comes after a Senate investigation revealed last year that consumers were hit with $10 billion in fraudulent charges due to the practice over the past five years.

    A TODAY show/msnbc.com investigation in July  revealed how extensive and frustrating cramming is, with maddening, mysterious $10 or $20 charges appearing every month on millions of Americans' phone bills.

    The investigation relied on a report commissioned by Rockefeller that found that three telecom firms -- Verizon, AT&T and CenturyLink/Qwest -- earned $650 million as their cut of cramming charges levied by third parties since 2006.


    "AT&T made the right decision to end cramming by August," the West Virginia Democrat’s office said in a statement on Wednesday.  "Something had to be done.  And while the decisions of AT&T and Verizon are a step in the right direction, I still believe we need to pass a bill that bans this abusive practice once and for all."

    “AT&T has decided to discontinue most third-party billing on our customers’ landline accounts,” Michael Balmoris, an AT&T spokesman, said in a statement to msnbc.com. “We currently receive cramming complaints for only about one out of every thousand bills that contain third-party charges.  However, due to continued concern over the possibility of unauthorized charges, we have decided to take this additional step and eliminate third-party billing for most types of services.”

    Verizon spokesman Bill Kula also confirmed the change, saying in an email: “On March 19, Verizon’s wireline business began notifying its billing aggregators (or “clearinghouses”) and carriers that it is going to cease providing third-party billing services for so-called 'miscellaneous' or 'enhanced' services. All billing of those services will be phased out by the end of 2012.  … Verizon wireline will continue to provide billing services for third party charges that generally relate to telecommunications or information services that use our network.”

    Separately, Verizon earlier this month agreed to settle a class-action lawsuit related to cramming, and agreed to refund 100 percent of victims' money for any unauthorized third-party charges consumers suffered from April 27, 2005, through Feb. 28, 2012.

    Cramming has vexed consumers and generated mountains of complaints since 1995, when land line providers began making it easy for third-party firms to sell add-on services like voice mail through local phone bills. 

    The problem is it's too easy for third parties to attach unwanted items to consumers' bills:  Previous investigations have found firms frequently trick consumers into signing up using sweepstakes entries or cashing small checks that also serve as authorization forms. In other cases, the third-party firms simply lie about getting authorization, a scam called “phantom billing.” Last year, Illinois Attorney General Lisa Madigan testified that usage rates for the unwanted services could be as low as 1 percent.

    "Committee staff has found hundreds of egregious examples of cramming," the Rockefeller report found. "Third-party vendors have enrolled deceased persons in their so-called services and charged family members' telephone bills for it. They have charged telephone lines dedicated to fire alarms, security systems, bank vaults, elevators and 911 systems. Senior citizens' telephones have been enrolled in web-hosting services, even though they have never used. A children’s hospital was charged for a celebrity tracker e-mail service that provided daily celebrity news feeds, photo, and videos. A national bank’s telephone lines were charged for credit protection plans."

    Perhaps nothing illustrates how out of control cramming had become as well as AT&T's own victimization.

    "Committee staff confirmed that third-party vendors associated with one hub company crammed at least 80 of AT&T’s own telephone lines with charges for services such as voicemail, sometimes for periods as long as 18 months," the report said.


  • EXCLUSIVE: Hackers turn credit report websites against consumers

    Image caption (credit: Dan Clements): This hacker shopping list appeared recently on what appears to be a Russian-based website offering credit reports for sale. Prices are based on the victims' credit scores.

    The most important tool consumers have to fight against ID theft has been turned against them by hackers, msnbc.com has learned. Websites that offer consumers a chance to see their credit reports are being brazenly used by hackers to steal victims' information.

    The prices of the reports rise and fall depending on the credit score of the victim. For consumers with credit scores in the 750s, report data might fetch $80; reports from victims with scores in the low 600s sell for about half that, according to "for sale" pages viewed by msnbc.com.

    "It shows how people with good credit and a net worth now have a bull’s-eye on their backs," said Dan Clements, who operates the Internet security firm CloudEyez.com. Clements gave msnbc.com a virtual tour of the marketplaces, which he has been observing for months.

    The most troubling part of these markets, however – many hosted in the .su domain, which stands for the now-defunct Soviet Union – is the ready availability of credit reports and the hackers' bragging about how easy it is to infiltrate websites like AnnualCreditReport.com or CreditReport.com.


    "I'm selling super prime credit reports and scores which include all 3 bureaus and other information," brags one advertisement on one site. 

    Clements helped msnbc.com view dozens of credit reports on the forum, many of which had CreditReport.com stamped across the first page. But others viewed by msnbc.com indicated they were stolen from AnnualCreditReport.com and Equifax.com. Clements said most other online credit report and some credit score suppliers were hit, too --  he shared a page showing a victim's score produced at CreditKarma.com.

    "We really have no idea how many reports have been used or put up for sale in the 'libraries,'" said Clements, who also operates a consulting firm. 

    The credit report trade shows why even simple credit card fraud – long considered a relatively benign form of ID theft – can escalate quickly into a full-blown identity nightmare. Criminals with stolen cards can obtain background reports, credit reports and ultimately open new accounts using the information gleaned about the victim, Clements said.

    In one how-to posted on a bulletin board, a hacker describes one brute-force attack used to gain access to credit report websites. Most sites are protected by "challenge" questions such as, "Which bank holds the mortgage on your home?"  But there's a critical flaw, the hacker said:

    "Normally all ... of them will ask you the same question," the hacker wrote.

    Because the sites use the multiple choice format, it's easy to use the process of elimination and determine the correct answers, he claims.

    The hacker explained that the trick is to open several credit report sites and keep trying random answers until one set works.

    The recipe is highly detailed, including helpful tips such as, "Take a shot of screen to remember what answers you gave. After that click the submit button and see what it says."

    Image caption (credit: Dan Clements): This bulletin board post, intentionally truncated by msnbc.com, shows a hacker discussing how he allegedly defeats credit report website security.

    A would-be credit report thief needs additional information to get credit report access, but that can often be gleaned by ordering background checks using the victim's stolen credit card. Reports stolen from Intellius.com and BeenVerified.com, which provide previous addresses and a host of other valuable information, also were found on the site.

    One victim whose credit report was spotted on the site told msnbc.com that she found one instance of credit card fraud on her accounts around the time the data theft was first discovered by Clements. She now pays to maintain a credit freeze on her credit reports.

    "You hear about this kind of thing all the time but you never think it will happen to you," said the victim, who requested that her name be withheld. "And when it happens, you think, 'Great. Now what do I do?'"

    For years, consumers have been advised to visit AnnualCreditReport.com once each year to see their reports. Federal law requires the nation's three largest credit bureaus – Experian, Equifax, and TransUnion – to maintain the site, under the direction of the Federal Trade Commission.

    That's still good advice – looking at your credit report is the best way to detect identity theft. But the site is apparently both an ally and a foe now.

    The FTC would not comment on hackers' use of AnnualCreditReport.com.

    In the past, the FTC has sued companies for inadvertently selling credit report data to hackers, however. In 2011, the agency settled with Settlementone Credit Corp., ACRAnet Inc. and Fajilan Associates after those firms unknowingly sold reports to criminals. The three firms were ordered to submit to 20 years' worth of security audits.

    Those firms prepare reports for car dealerships and other credit granters. Raiding consumer-facing sites like AnnualCreditReport.com is even more brazen, however.

    CreditReport.com is operated by credit bureau Experian; that firm also provides credit reports to consumers as part of AnnualCreditReport.com.

    "Experian is aware of schemes such as this to access reports illegally, and we have taken measures within our systems to mitigate the issue," said Experian in an e-mail to msnbc.com. "We are constantly evolving our systems to prevent fraud and criminal activity, but do not comment publicly on the specifics of our fraud prevention methods." 

    TransUnion and Equifax, which also provide reports through AnnualCreditReport.com, did not immediately respond to requests for comment.

    Kenneth Lin, CEO of CreditKarma.com, said the firm had received "a handful" of complaints about compromised accounts and worked quickly to shut down access. CreditKarma credit score reports show no account information or other personal data, so the security risk posed by an imposter getting a victim's score is minimal, he said.

    "That's intentional. That's a security feature," he said. The site also uses more difficult challenge questions than AnnualCreditReport.com, Lin added.

    Solving the problem of credit reports stolen through consumer websites is no small task. One irony of the hackers' ability to easily raid such sites is that many consumers report great frustration getting their own credit reports through AnnualCreditReport.com.  The challenge questions are sometimes so arcane – such as, "Which bank held your previous auto loan?" -- that legitimate consumers can't answer them easily.  

    "But anyone who does any research can probably figure out what the answers are before you can," said Jay Foley, who runs IDTheftInfoSource.com. In other words, it's too easy for criminals to get credit reports, but it's too hard for consumers.

    One of the websites where Clements observed the stolen card activity – kurupt.su – dropped mysteriously off the Web late last week. The site was well-known as a haunt for criminals and scam artists in the computer underground. But Clements says that will hardly put a dent in the stolen data trade.

    "You currently can't stop this scam because the 'soft inquiry' of a consumer pulling their own report doesn't record in the majority of credit files," he said, explaining that a consumer would never know if a criminal pulled a copy of their report. "Unfortunately, it allows the bad guys, by impersonating you, to download your credit file and leave no tracks."


  • Credit bureaus upsell ID theft victims, FTC report says

    A new report by the Federal Trade Commission slams the nation's credit bureaus for upselling identity theft prevention services when victims call looking for help.

    The report found that consumers face frustrating voice mail systems that often make it hard to reach a live operator, are confused about their rights and face unnecessary hurdles fixing credit report errors caused by identity thieves. It also pointedly raises the possibility that the new Consumer Financial Protection Bureau could initiate enforcement actions against the bureaus -- Equifax, Experian and TransUnion.

    The report comes as that new agency is about to take on regulation of the credit bureaus, a major shift in the way they are policed. The bureau’s new powers will kick in this summer.


    The FTC’s findings are the result of a years-long survey of 3,000 ID theft victims who had contacted the agency, and a subset of those victims. The study was mandated in 2007 by the Bush administration’s Identity Theft Task Force.

    The survey takers were not scientifically sampled, so the results should not be extrapolated nationally. But they do offer insight into the struggle ID theft victims face when trying to recover from the damage inflicted by their imposters.

    Pestered with pitches
    The news wasn't all bad for the bureaus -- 68 percent of respondents said they were somewhat or very satisfied after their interactions with credit bureaus.  But there were plenty of complaints.  Chief among them: Victims are pestered with pitches when they are simply calling for help.

    "They kept trying to sell me a fraud alert package and I often had to ask to speak to a manager to get them to put a freeze on my credit reports," said one victim quoted in the report.  Another complained:  "It was very difficult to avoid marketing." Several said that, as a result of the pitches, they ended up buying services they felt should have been free.

    "Several consumers in the focus groups complained that they felt pushed into paying for additional services while placing their fraud alert," the report said. One complained that when attempting to obtain a credit report, the respondent was tricked into signing up at a fee-based credit report website.

    'They should be helping you'
    But at least those folks got through the phone mail tree and reached a live person.  Many victims complained to the FTC that they "spent too much time navigating automated menus and being placed on hold."  One of three victims who called looking for help said it was either somewhat difficult or very difficult to get a human being on the phone.

    "That's because operators are spending too much time selling things people don't need," said Ed Mierzwinski, head of the Public Interest Research Group, a public interest advocacy organization. "The bureaus are supposed to keep your information accurate. When you call to complain, you are a victim of their failure, and they should be helping you, not pitching you to buy their product that won't help you anyway."

    In 2000, the FTC fined the three bureaus a total of $2.5 million for failing to answer consumer phone calls in a reasonable amount of time, something they are obligated to do under federal law. The FTC didn't say whether it was considering a similar action in light of the complaints in the report, but it did issue a warning to the bureaus.

    "Given these incidents, the Consumer Financial Protection Bureau, which has examination and rulemaking authority in this area, may want to address these practices," the agency said in its conclusion. "In addition, to the extent any marketing of identity theft protection products involves unfair or deceptive practices, the commission retains authority to bring enforcement actions to protect against such conduct."

    Credit bureau TransUnion said that it takes consumer rights seriously.

    "TransUnion was the first credit reporting company to establish a Fraud Victims Assistance Department," said spokesman Clifton O'Neal in a statement to msnbc.com. "We established (it) in 1992.  Consumers calling (the number) are always presented with the option to speak to a fraud specialist to assist them and answer any questions.  In addition, consumers can easily place and remove fraud alerts and credit freezes online at TransUnion.com."

    Equifax and Experian didn't immediately respond to requests for comment.

    Confusion
    There were plenty of other signs of dissatisfaction in the FTC report, including confusion over consumer rights. Many consumers didn’t know they could request that ID theft-related items be blocked from credit reports, for example. Others didn’t know the difference between free annual credit reports provided to anyone at http://AnnualCreditReport.com, and the free credit report that ID theft victims can obtain when they call a bureau to report the crime.  Such confusion also leads to unnecessary purchases, the report suggested.

    Only 51 percent said they had received the free credit report they'd asked for from all three credit bureaus after reporting the crime. Some victims said they had to wait "weeks or months," and about 10 percent said none of the three sent a report.

    "(One) participant did not receive the credit report until after the 90-day fraud alert had expired," the report said.

    The biggest complaint involved trouble getting errors fixed: 29 percent said mistakes that landed on their credit reports were not corrected. 

    "(It) was easier for the thief to change my info on my credit report than it has been for me to change it back. It's still not right," said one victim.

    Tortuous process
    Even consumers who were eventually able to beat back mistakes said the process was torturous. One in four said three to five phone calls were required to fix errors, and about the same number said they were "very dissatisfied" with the process -- the highest dissatisfaction rating in the survey.

     "(If) your identity is stolen it becomes a full-time job to get it fixed. Everybody, credit cards, banks, CRA want to pass the buck," said one victim quoted in the report.

    Mierzwinski, who's testified about credit bureau misbehavior before Congress repeatedly during the past 20 years, said he's seen all these complaints before. But he's optimistic that the new consumer agency's power to regulate and sanction the bureaus offers a real chance to address some of the recurring consumer issues.

    "All of us have been disappointed that the bureaus have really skated for a long time and gotten away with a lot of sloppy practices," he said. "The Federal Trade Commission never had the big guns, but the CFPB does. ... We think it will be an exciting time."


  • Online GED seekers presented with bogus diplomas, lawsuit alleges

    Denise Richardson had three kids, worked the night shift and had little spare time to take classes that would earn her the high school degree she never received as a teenager.

    Nearly 1 million Americans try to get their high school equivalency credentials every year, and she wanted to join their ranks, so the Wisconsin mother went online to learn about the process. After clicking her way through a few ads, she found one that looked promising: For around $500, she would get a series of practice tests mailed to her. Then she could take a test online and, if she passed, she’d get that coveted diploma. 

    A few weeks later, after working through the practice tests and struggling through a five-hour online exam, she was told she had passed. Soon, she had her diploma. Then, last fall, she proudly took the diploma and transcripts to nearby Blackhawk Technical College and enrolled in classes. A few days later, she got a call from an admissions officer with bad news.


    "She told me that (my documents) were no good," Richardson said. "I was back to square one, and out money -- a lot of money. … I felt terrible because I didn't finish school, and then here I try to go back and better my education and it gets thrown in my face."

    Richardson is one of 39 million U.S. adults who don't have a high school diploma and are therefore blocked from college and many employment opportunities. There's only one way to "test" out of high school -- through the General Educational Development (GED) program that's operated by the GED Testing Service, a joint venture of the American Council on Education and a private firm named Pearson VUE. And there's currently no way to take the test online: You have to sit, SAT style, in a hard chair in front of a proctor and pass the test's five components.

    But as with so many industries, the digital world has added confusion to the process and left the door wide open for scam artists. Imposters abound online, promising simpler ways to get a GED or a high school diploma, the offers sweetened by promises that online tests mean the applicants never need to leave their homes. Those who are duped into doing that are almost always disappointed, as those degrees are not recognized by state education departments or the federal Department of Education. More importantly, colleges and employers don’t accept the degrees.

    Victims like Richardson are usually out anywhere from $200 to $1,200 and they face embarrassment when they try to use their diploma. For many, it's also a tough setback on an already tough road.

    "I wanted it so bad and I figured … it was something online where I could do it on my own time, and working third shift, I couldn't go to school during the day and come home to the kids at night and help them with school work, so it was a perfect opportunity," Richardson said. "That's where they got me."

    This week, the American Council on Education is warning consumers about an explosion of fake high school equivalency scams and, with the GED Testing Service, has filed a lawsuit against a string of websites it says offer false hope and false degrees.

    "(Victims) are getting something not recognized by employers, not recognized by colleges," warned Randy Trask, president and chief executive officer of GED Testing Service. "They pay their money, they get their credential, they try to get into college or they try to get a job only to find out that it was a fraudulent credential. … It’s not worth the paper it was printed on."

    It's unclear how many victims have been taken nationwide, as there's no central clearinghouse for victims. But there are piles of complaints at local Better Business Bureaus and state attorneys general offices across the country. A simple Web search shows just how many questionable high school degree programs compete for victims.

    “It’s likely there are thousands of people, if not more, who have been affected by scams like this,” said GED Testing Service spokeswoman Cassandra Brown. The service has recently launched a website to encourage victims to come forward to help determine how extensive the problem is.

    The pool of potential targets is particularly vulnerable, said Trask.

    "It's quite frankly a target rich environment," he said. "There are lots of people who know they need (a degree). They have a sense of urgency about how quickly they want to get it, and they're a logical victim. If they see something that requires less work, why would they go through the process if it requires more time and they think they're going to be getting the same thing?"

    The lawsuit has already had an impact. Visitors to SenfordHighSchool.com -- one page alleged in the lawsuit to have sold imposter GEDs -- now see a stark warning that the site was disabled by a federal court order on March 9. Anyone who placed an order with the site is instructed to contact a lawyer listed on the page.

    The original GED test was first administered in 1942, during World War II, and was designed as a way to get veterans ripped from their childhoods quickly back into the educational system and on a path towards college or a career that required a high school degree. Since 1942, 17 million people have been granted GED credentials.

    GED Testing Service has been able to successfully sue rogue online operators who abuse the GED trademark. But the Web is teeming with similar sites that tempt potential GED test-takers with online studies that lead to diplomas rather than the equivalency credentials granted by the GED Testing Service.  Such online studies aren't accepted by most colleges either, further confusing the issue and sometimes skirting the edge of the law.

    "I think as Americans we should all be incensed that people are taking advantage of adults that are really just trying to get out of the path that they headed down," Trask said. "They want to turn their life around, they want to provide for their families."

    Only state departments of education can give entities the authority to grant high school diplomas.  Potential students should check with their state office before enrolling in any program for a high school degree.  The national Department of Education website has a handy list of links to state offices.

    Richardson’s story has a happy ending. She went to a local GED testing center and shared her story. She got no refund – the website she paid for her fake degree had disappeared – but she eventually sat for the real test, passed it and enrolled in college.

    “A lot of people say now I’m too cautious because I don't like to do anything on the computer anymore,” she said. “It feels really good that I’m in college and taking up two degrees. ... I couldn’t be happier.”


  • School sports waivers: Have you signed away your kids' right to 'enjoy life'?

    A section of the Seattle school sports waiver which warns parents that participation may lead to kids losing the ability "generally to enjoy life."

    If someone handed you a form that said your child might lose the ability "to generally enjoy life", would you sign it? If you are the parent of a child playing sports in school, you probably have already done so.

    Parents of school-age kids know too well that life is a steady stream of waiver forms and other kinds of paperwork.  Who has time to read all the fine print? 

    Fortunately, the child of a co-worker did just that recently, and called my attention to the following language on a waiver form sent home by the Seattle School District for prospective track and field athletes.


     "I am aware that track & field is a high risk sport … involving many risks of injury," it said.  It then delineated a long list of potential horrible outcomes, such as brain damage, blindness, paralysis and, of course, death.

    The kicker, however, was the following line: "Competing in track & field may result not only in serious injury but a serious impairment of my future abilities ... generally to enjoy life."

    Well, that covers it.

    The dad and I had a few laughs about inclusion of such a Draconian phrase, but just for fun, I Googled it and found thousands of school sports waivers that include precisely the same language, like some legalese virus.

    Kids in every one of those school districts, and their parents, are being told that playing sports may prevent them from generally enjoying life. This discovery led to much speculation about how far our society has fallen, and about the fine job that lawyers do in ruining the fun of just about everything.

    But as with so much that you read in fine print, there is an explanation. Meet the man who essentially invented the legal term "generally to enjoy life": He's a Chicago-based economist named Stan V. Smith.

    When someone is injured in a car accident, a workplace mishap or in any other circumstance where blame is assigned by a civil court, you probably know that the defendant must pay for the injured party's medical expenses.  And you might know that the defendant could also have to pay for future lost wage potential.  But, according to Smith, those injured through negligence -- or worse -- face all sorts of other future life costs. Suppose an avid amateur cello player is hurt in a car accident and is no longer able to play her instrument. She hasn't lost future wages, but something that she loved has been taken from her.  To Smith, the way to make that person whole is to compensate her for the lost enjoyment of being an amateur musician. Smith calls this "hedonic damages," named after the Greek word for pleasure.

    Smith, as an economist, is constantly honing formulas that lawyers can use to arrive at fair price tags for loss of life enjoyment. There's even something called an LPL, or Lost Pleasure of Life, scale, that Smith helped develop.

    Photo (SmithEconomics.com): Stan V. Smith

    While this concept might sound foreign, it's not new, and it’s not really controversial.  Smith first provided expert testimony on hedonic damages in a 1985 wrongful death lawsuit in an Illinois federal court, winning "enjoyment of life" compensation for the victim's family.  The decision was not only upheld by an appellate court, the justices singled out his testimony as an "invaluable guide to the jury."  Courts around the country have, to varying degrees, been awarding hedonic damages -- sometimes referred to as “LEL damages,” for loss of enjoyment of life -- to plaintiffs ever since.

    Even those trial-lawyer-hating conservatives don’t dispute the concept. In his first opinion as a Supreme Court Justice, Clarence Thomas authored a noncontroversial 9-0 decision that granted hedonic damages to a plaintiff who was mistreated in a VA hospital, for example.

    When I talked with Smith, he was unaware that his famous phrase had made its way into thousands of school waivers around the country. He had mixed feelings.

    "I think it's good that people are recognizing we have a quality of life, and we have to pay attention to that. To the degree that this is raising consciousness about that, it's positive," he said.

    Of course, these waivers are not intended as pamphlets for parents and students to learn about their legal rights. They are small print designed by district lawyers with one goal in mind: to shrink the size of any future payout a jury might award an injured student. (Can't you hear it now? "Members of the jury, Johnny and his parents knew that by joining Math Club he might lose enjoyment of life.")

    That disturbs Smith.

    "This is a cover your butt thing,” he said. “It's a very blunt statement that is ominous and threatening. ... They are shoving it in the parents' faces and implicitly saying, 'Crap happens.' "

    Smith thinks such warnings certainly have a place in school waivers. But he wishes they were accompanied by an equally clear statement that districts will work hard to minimize risk and keep kids safe.

    "I think it would go a long way if schools or organizations would take responsibility and say, 'We will take precautions and set forth reasonable standards,’" he said. "Wouldn't that be nice to hear the other side of this?"

    Theresa Amato, who runs a Website devoted to outing fine print called FairContracts.org, said she's seen similar issues with school districts and other kid-oriented organizations before. They often purchase contract templates from legal form sellers, then have a district lawyer tweak it to suit their needs. That explains why these kinds of contracts are so similar around the country, she said.  Also, Amato noted, districts probably feel pressure from insurance companies to include such sweeping language.  

    She's not concerned about how a parent's signature on such a waiver would impact a jury trial  -- entities can't use small print to avoid responsibility for negligence, for example.  But she is worried that the language could have a chilling effect on injured parties and prevent them from bringing cases in the first place.

    "One parent might say, 'Gee, honey, we signed this paper,' and not sue," she said.  "But on its face, that phrase is ridiculous."

    Have you been asked to sign a contract or waiver for your kids with absurd language?  Enter it below.


  • Should you read this story? Why you're having trouble deciding

    If you've ever felt overwhelmed by deciding what brand of toothpaste to buy or what flight to book, two marketing professors think they know why.

    "Decision quicksand," a painful element of 21st century life, ironically strikes hardest when people face trivial choices, say researchers Aner Sela of the University of Florida and Jonah Berger of the Wharton School, in a paper to be published later this year in the “Journal of Consumer Research.”

    While struggles to pick a new job or select a mate might seem to demand the most deliberation, decision quicksand strikes even harder over trivial choices. Little decisions cause a big problem precisely because they are surprisingly hard. Faced with too many options, consumers unconsciously connect difficulty with importance, and their brains are tricked into heavy deliberation mode, the researchers say in their paper, “Decision Quicksand: How Trivial Choices Suck Us In."


    “One could imagine a recursive loop between deliberation time, difficulty and perceived importance," write Sela and Berger.  "Inferences from difficulty may not only impact immediate deliberation but may kick off a cycle that leads people to spend more and more time on a decision that initially seemed rather unimportant."

    The challenge of too many choices -- a bane of life in the age of information overload -- arises in part because people fail to recognize decisions as relatively unimportant.

    "Why do we agonize over what toothbrush to buy, struggle with what sandwich to pick, and labor over which shade of white to paint the kitchen?” the authors ask. “… Instead of realizing that picking a toothbrush is a trivial decision, we confuse the array of options and excess of information with decision importance, which then leads our brain to conclude that this decision is worth more time and attention."

    But something else is going on, they contend:  our brains are ruled by an unconscious force that mistakes difficulty – any difficulty -- for importance.

    To test their theory, the researchers set up numerous experiments. In one, volunteers were asked to select a flight using an online service. Half the volunteers were forced to use a site with a small, hard-to-read font. That one extra hurdle added nearly 50 percent to their deliberation time. When told that the trip was short, so flight choice didn't matter as much, deliberation time spiked even more. (The researchers controlled for added time that could be blamed on simple difficulty reading.)

    Decision struggles can be blamed for many poor outcomes – couples’ spats in the grocery store, or at the video rental place come to mind. But there are longer-term consequences.  Research shows that time spent in decision quicksand before a choice correlates with dissatisfaction after the fact.  And of course, there’s all that wasted time and emotional energy.

    If you are still debating whether or not you should read on, or if you should "like" my columns on Facebook (YOU SHOULD), the authors offer some simple advice:

    *Set decision rules and stick to them. In other words, start with a time limit that reflects the true importance of the choice. For example, "I will book a flight in 5 minutes, no matter what."

    *Delegate unimportant decisions:  “Honey, you pick the toothpaste.”

    *Breaks can also help. Spending time away from a decision-making process can free the brain from an obsessive loop. "Even minor interruptions, short breaks, or momentary task switching can change information processing from a local, bottom-up focus to a top-down, goal-directed mode," the authors say.

    Have you spent way too much time on a relatively unimportant decision recently? Tell us below.


  • Up against the Wall! Should district be allowed to demand middle-schooler's Facebook password?

    A 12-year-old Minnesota girl was reduced to tears while school officials and a police officer rummaged through her private Facebook postings after forcing her to surrender her password, an ACLU lawsuit alleges. 

    The claims are the latest in a string of tales showing that even password-protected, private online activities might not be safe from curious government agencies and schools. (See last week’s story)

    The girl, whose identity is withheld in the lawsuit, came home "crying, depressed, angry, scared and embarrassed" after she was intimidated into divulging her login information by a school counselor and a deputy sheriff, who arrived in uniform, armed with a Taser, the lawsuit alleges.

    "(The student now) fears that the school could make her give up her passwords at a moment's notice, at any time, for any reason," the lawsuit claims.  It also alleges that password prying is standard practice at the Minnewaska Middle School, which the student still attends. "(Officials) have compelled other students to disclose their private information and have accessed students' online accounts on multiple occasions," it states.


    Officials at the Minnewaska Area School District -- which is about 125 miles northwest of Minneapolis -- say the ACLU's version of events is "one-sided," and that the school acted to "prevent disruption," according to a statement e-mailed to msnbc.com by Superintendent Gregory Ohl. 

    "The district is confident that once all the facts come to light, the district's conduct will be found to be reasonable and appropriate," it said.  

    When asked if the district has obtained other students’ login information, he responded, “We feel this is not accurate.”

    The lawsuit raises the complicated -- and quite unsettled -- legal quandary that balances students' constitutional rights with schools' needs to maintain order and a positive educational environment. For example, can schools punish students who publicly criticize school officials on their own time using social networks?

    Federal district courts have handed down contradictory decisions on that issue. Facing a chance to settle the matter, the U.S. Supreme Court in January declined to hear three cases on the issue.

    But private social media criticism, intended only for a limited audience behind a password or a privacy wall, raises a different legal issue, said Teresa Nelson, a lawyer for the ACLU in Minnesota.  

    "The notion that it was a search of her private Facebook content ... the Fourth Amendment applies," she said.  "The government has to have a really good reason to do that kind of search," and would need a court order in most cases, she said.

    Monitor 'was mean to me'
    According to the ACLU's version of events, the girl had moved and entered a new school as a 6th-grade student in the fall of 2010. In early 2011, she felt targeted by a school monitor and posted an update to her friends-only Facebook wall saying she "hated" the monitor because "she was mean to me," using her own computer and while off campus.

    Soon after, she was called into the principal's office -- he had obtained a screen shot of the post -- and given detention.

    The student subsequently posted another update to her page related to the incident: "I want to know who the f%$# told on me," the complaint says. Again, she was called to the principal's office, and this time was suspended for "insubordination" and banned from a class ski trip.

    In March, the student had a second run-in with school authorities.  The parent of another student had complained that the girl was talking about sex with that student.  The 12-year-old was called out of class by a school counselor and eventually brought into a room with several school officials and the sheriff's deputy, where the password demands began.

    The ACLU claims that the school never asked the girl's parents for permission to examine her private Facebook space. The school district doesn't dispute that it obtained the girl's password, but does say it had parental permission.

    "Any viewing of (the student's) Facebook account was done with the express consent of her parents," it said in the statement to msnbc.com.

    In the First Amendment fight over online criticism related to school, districts and parents are relying on legal interpretations of an outdated 1969 Supreme Court decision known as “Tinker,” which gives students wide latitude to criticize. That decision famously gave us the phrase, "Students don't shed their constitutional rights at the school house gates." The opinion offers little guidance about rights on the other side of a firewall or a Facebook password, however.

    The Tinker case basically found that students can say what they want as long as the speech doesn't cause a disruption at school.  But can a school's ability to punish students extend to activity conducted entirely off school grounds?

    Dozens of cases over the last decade have failed to hash out the online version of this debate.  In one, a Pennsylvania student who was suspended for making a MySpace page that mocked a principal was granted a reprieve because the U.S. Court of Appeals found it wasn't disruptive. In another, a West Virginia student's suspension was upheld after she created a MySpace page where students were encouraged to discuss if a fellow classmate had herpes. 

    Legal confusion
    Even though the National School Boards Association asked the U.S. Supreme Court to hear appeals on these two cases in an attempt to break what seems like a legal tie, the nation's top court demurred, leaving behind a lot of legal confusion.

    "Things are complicated," said the ACLU’s Nelson. "Kids have been criticizing school officials since there have been school officials. ... If kids had been venting about teachers at McDonald's no one would care."

    One important distinction noted by Nelson: While she believes demands for a student's Facebook password were a clear Fourth Amendment violation, there's no constitutional issue raised by a school official learning about a private communication that's volunteered by another student. In other words, students' private Facebook chatter is only as private as the participants make it.

    The ACLU of Minnesota offers a rights handbook to students who use social media. While it's specifically applicable only to Minnesota law, its principles are universal.

    The pamphlet notes that while school officials in most cases cannot force students to reveal their Facebook login information, officials can search for evidence of violations "if they have reasonable individualized suspicion" about an ongoing violation of school rules. 

    And while free speech rights may prevent schools from banning students from classes because of non-disruptive but critical Facebook posts, those legal protections do not extend to extracurricular activities. In other words, football players and math club members can be kicked off their squads for anything a school official deems against policy.

    It's important to note that Facebook's terms of service say members cannot give out their passwords or otherwise allow others to view private areas of their accounts. But those same terms say members must be 13 years old to join.


     

  • EXCLUSIVE: The 'lost' cell phone project, and the dark things it says about us

    What would you do if you found a smartphone on the subway or at a coffee shop? If you're like most Americans, you'd rummage through the phone looking for photos, emails and even private banking information. And the chances are only 50-50 that you would try to return the phone.

    Computer security firm Symantec Corp. recently conducted an elaborate, first-of-its-kind study on lost smartphones and shared the results exclusively with TODAY and msnbc.com. The company set a trap for human nature, then sat back and watched. The results were not pretty.  

    Symantec researchers intentionally lost 50 smartphones in cities around the U.S. and in Canada. They were left on newspaper boxes, park benches, elevators and other places where passers-by would quickly spot them. But these weren't just any phones -- they were loaded with tracking and logging software so Symantec employees could physically track them and keep track of everything the finders did with the gadgets.


    Photo (Symantec Corp.): Symantec Corp. researchers left this cell phone on a newspaper box in New York City -- then used logging software and GPS to watch what happened next.

    To spice up the test, the phones had an obvious file named "contacts," making it easy for any finder to connect with the phone's rightful owner.   But the phones also offered tempting files, with names like "banking information," and "HR files."  

     

    Some 43 percent of finders clicked on an app labeled "online banking." And 53 percent clicked on a file named "HR salaries." A file named "saved passwords" was opened by 57 percent of finders. Social networking tools and personal e-mail were checked by 60 percent. And a folder labeled "private photos" tempted 72 percent.

    Collectively, 89 percent of finders clicked on something they probably shouldn't have.

    Meanwhile, only 50 percent of finders offered to return the gadgets, even though the owner’s name was listed clearly within the contacts file.

    "I wasn't surprised, but I wish I had been,” Kevin Haley, director at Symantec’s security response team, said of the unscientific test. “At the end of the day people’s curiosity is so strong, if you present them with the opportunity, they will do it. You would have hoped most people would have made every effort to return the phone."

    It's important to note that most, if not all, of the finders weren’t criminals and did not wake up the day they found the lost phones with the intention of rummaging through someone else's personal information. But the temptation created by finding such a device was apparently too much for most of them -- even for some Good Samaritans who tried to return the phone. The story of one lost phone illustrates this point.

    On Feb. 2 at 3:05 p.m., Symantec “lost” a phone in a bathroom at Santa Monica Pier in California. A finder tried to access the phone's contacts application 18 minutes later. Moments later, the finder accessed files labeled “passwords,” “cloud-based docs” and “social networking.”

    GPS data indicates the finder moved the phone into a nearby restaurant, then into a mall, and an hour later, to a dog park. At around 5 p.m., the finder opened the Contacts application three times, even though there were only two entries listed in it – and one clearly included an e-mail address and phone number for the owner.

    Then the finder continued rummaging around the device, started the File Manager application, and explored files on the gadget's SD card. 

    The phone then made its way through downtown Los Angeles, eventually settling in East L.A., where the finder opened the passwords file three times.  Then, online banking, social networking, contacts, private pix, remote admin and other files were opened in rapid succession. Soon after, the device was plugged into a computer for recharging, and then finally reset to original factory settings, wiping all the logging software off the gadget.

    Photo (Symantec Corp.): This map shows where one finder moved the phone; a chart on the right shows what apps and files were accessed.

    But a guilty conscience eventually won out with this finder. On Wednesday, Feb. 8, nearly a week after the gadget was lost, the finder wrote an e-mail to the supposed owner. It read:

    "Hi. I found your phone at the Santa Monica Pier last Thursday (Feb. 2). I used it for like a week but now I feel bad and want to return it. I'm really sorry. :/  What do you want me to do to return it to you?"

    Some might consider the 50 percent return rate a victory for humanity, but that wasn't really the point of Symantec's project. The firm wanted to see if -- even among what seem to be honest people -- the urge to peek into someone's personal data was just too strong to resist.  It was.

    "The most stunning thing to me were the people that attempted to open bank account information -  four out of 10 finders. That's, a lot," Haley said.

    Another tale of a phone lost near Rockefeller Center in New York City at 4 p.m. on Feb. 2 illustrates this point well.

    The finder moved the phone some six blocks north, then repeatedly opened and closed the contacts application, again containing only two entries. One can imagine the finder struggling with his or her conscience like the “Lord of the Rings” character, Gollum, deciding what to do.  Between 4:30 and 6:30 p.m., the finder opened most of the other applications, and took many more glimpses into the “contacts” file. At 10:30, activity on the phone stopped.

    Photo (Symantec Corp.): This phone was left in a bathroom near Los Angeles.

    Suddenly, at 4:03 a.m., the phone was used again by its finder -- this time to take a peek at the “HR salaries” file.

    "It's like they woke up out of a deep sleep and said, 'Hey there's salary information on that phone. Let me see if I can access it,'” said Haley.  

    At 6:30 a.m., the finder opened the calendar, private pix, social networking, online banking, HR salaries, remote admin, corporate e-mail and passwords. For the rest of the day, there was near continuous rummaging through the phone, including the eventual launch of File Manager to see the entire phone's contents. 

    "It's relentless. He can't get into online banking so he goes back to the file that has passwords in it, checks the passwords again and tries again,” Haley said. “He tries to log in remotely to the computer, can't get on so he goes to password to get the password and tries again."

    By nightfall, activity on the phone stopped, and it remained relatively dormant until it was moved to New York City's Chinatown area at 5:35 a.m. Feb. 9 -- one week after it was lost -- and wiped clean, probably for sale on the black market.

    Scott Wright, president of Security Perspectives Inc, helped design the research for Symantec.  One statistically insignificant finding he called attention to: the return rate in Ottawa was 70 percent, highest in the study. The lowest return rate – 30 percent – was in New York City.

    “Curiosity is a very powerful thing, especially on a mobile,” he said. “The most surprising thing is how obsessed people became with finding personal information off the phones, with accessing e-mail, accessing social network, private pictures. … People didn't give up. They just kept trying again and again over the course of a week to get access to this data and that really surprised me.”

    RED TAPE WRESTLING TIPS

    The lesson here is obvious: studies show that half to three-fourths of smartphone users don’t password-protect their phones.  That’s an invitation to disaster. While most corporations force users to password-protect their phone, many personal users think entering a password is a hassle that interrupts their texting habits. 

    One lost phone would quickly change that perspective.

    After the steady drumbeat of identity theft and lost privacy stories, why would consumers still choose to put their smartphones at risk?

    “People haven't thought it through,” Haley said. “Maybe before they had a smartphone, losing an old cell phone was devastating but there wasn't much information on it.  Maybe it’s like the frog in a pot of cold water that’s eventually boiled –  it wasn’t that bad losing their old phone, so people haven't thought through how much information is now on their smart phones and what could happen if they lost it. We hope this research shows what could happen and sticks out in people's minds.”

    Even if you are a glass-half-full person, and think a lost phone would find its way back to you, if you don’t use a password you’re still putting your data at great risk.

    “The moral of the story is that people may offer to give you your device back, but you shouldn't assume they haven't accessed any of their personal or corporate information on the device,” Wright said.

    Of course, PIN-protecting your phone may prevent a Good Samaritan finder from using “contacts” to find you. So Haley recommends placing contact information on the outside of the phone, perhaps on the case.

    Also, consider technology that allows you to wipe the smartphone’s memory clean in case it’s lost. There are also services like Apple’s MobileMe, which let you locate the phone through a Web page; several commercial services offer similar products. 

    If you find a phone, the best thing to do is quickly turn it in to the nearest authority – a police officer or the lost & found at the mall, for example. If you really want to gain good gadget karma, and you can determine the service provider, walk it into a nearby Verizon, T-Mobile, Sprint or AT&T store and turn it in there. It’s easy for stores to look up the phone’s serial number and get contact information for the rightful owner.

    You might look up the owner on the gadget and send him or her an email. But be realistic about your own human nature. If you don’t think you could resist taking a peek at personal information on the phone, you are probably best handing it off to someone else instead.


  • Govt. agencies, colleges demand applicants' Facebook passwords

    If you think privacy settings on your Facebook and Twitter accounts guarantee future employers or schools can't see your private posts, guess again.

    Employers and colleges find the treasure-trove of personal information hiding behind password-protected accounts and privacy walls just too tempting, and some are demanding full access from job applicants and student athletes.

    In Maryland, job seekers applying to the state's Department of Corrections have been asked during interviews to log into their accounts and let an interviewer watch while the potential employee clicks through wall posts, friends, photos and anything else that might be found behind the privacy wall.


    Previously, applicants were asked to surrender their user name and password, but a complaint from the ACLU stopped that practice last year. While submitting to a Facebook review is voluntary, virtually all applicants agree to it out of a desire to score well in the interview, according to Maryland ACLU legislative director Melissa Coretz Goemann.

    Student-athletes in colleges around the country also are finding out they can no longer maintain privacy in Facebook communications because schools are requiring them to "friend" a coach or compliance officer, giving that person access to their “friends-only” posts. Schools are also turning to social media monitoring companies with names like UDiligence and Varsity Monitor for software packages that automate the task. The programs offer a "reputation scoreboard" to coaches and send "threat level" warnings about individual athletes to compliance officers.

    A recent revision in the handbook at the University of North Carolina is typical:

    "Each team must identify at least one coach or administrator who is responsible for having access to and regularly monitoring the content of team members’ social networking sites and postings,” it reads. "The athletics department also reserves the right to have other staff members monitor athletes’ posts."

    All this scrutiny is too much for Bradley Shear, a Washington, D.C., lawyer who says both schools and employers are violating the First Amendment with demands for access to otherwise private social media content.

    "I can't believe some people think it's OK to do this,” he said. “Maybe it's OK if you live in a totalitarian regime, but we still have a Constitution to protect us. It's not a far leap from reading people's Facebook posts to reading their email. ... As a society, where are we going to draw the line?"

    Aside from the free speech concerns, Shear also thinks colleges take on unnecessary liability when they aggressively monitor student posts.

    "What if the University of Virginia had been monitoring accounts in the Yeardley Love case and missed signals that something was going to happen?” he said, referring to a notorious campus murder. “What about the liability the school might have?"

    Shear has gotten the attention of Maryland state legislators, who have proposed two separate bills aimed at banning social media access by schools and potential employers. The ACLU is aggressively supporting the bills.

    "This is an invasion of privacy. People have so much personal information on their pages now. A person can treat it almost like a diary," said Goemann, the Maryland ACLU legislative director. "And (interviewers and schools) are also invading other people's privacy. They get access to that individual’s posts and all their friends. There is a lot of private information there."

    Maryland's Department of Corrections policy first came to light last year, when corrections officer Robert Collins complained to the ACLU that he was forced to surrender his Facebook user name and password during an interview. The state agency suspended the policy for 45 days, and eventually settled on the “shoulder-surfing” substitute.

    "My fellow officers and I should not have to allow the government to view our personal Facebook posts  and those of our friends just to keep our jobs," Collins said to the ACLU at the time.

    Agency spokesman Rick Binetti confirmed the new policy, but wouldn't comment on it or the proposed law which may ban it.

    It's easy to see why an agency that hires prison guards would want to sneak a peek at potential employees’ private online lives. Goemann said that prisons are trying to avoid hiring guards with potential gang ties -- the agency told the ACLU it had reviewed 2,689 applicants via social media, and denied employment to seven because of items found on their pages.

    "All seven of these individuals' social media applications contained pictures of them showing verified gang signs (signs commonly known to law enforcement which are utilized by gangs)," the Department of Corrections told the ACLU  in response to questions it asked about the program. It stressed the voluntary nature of social media inspection, noting that five of the 80 employees hired in the last three hiring cycles didn't provide access.

    For student athletes, though, the access isn't voluntary. No access, no sports.

    "They're saying to students if you want to play, you have to friend a coach. That's very troubling," said Shear, the D.C. lawyer.  "A good analogy for this, in the offline world, would it be acceptable for schools to require athletes to bug their off-campus apartments? Does a school have a right to know who all your friends are?"

    There have been many high-profile embarrassing moments born of the toxic combination of student-athletes and Twitter. North Carolina defensive lineman Marvin Austin tweeted about expensive purchases on his account two years ago, then became the subject of an NCAA investigation about improper conduct with a player agent. The incident led, in part, to the school's aforementioned aggressive social media policy.

    So it’s not surprising that many schools want to keep a careful eye on what students are posting online.

    But avoiding an uncomfortable moment is not a good enough reason to squash free speech, Shear says. Plenty of settled case law in the U.S. sides with students' rights to express themselves publicly, he said, including numerous cases involving student newspapers. Public displays of protest are also protected: A landmark 1969 Supreme Court decision known as Tinker vs. the Des Moines School District said school officials couldn't prevent students from wearing armbands protesting the Vietnam War as long as they weren't inciting violence.

    Colleges have legitimate concerns about the things students post on social media accounts, but they should "deal with that issue the way they deal with everything else. They should educate," Shear said.

    "Schools are in the business of educating, not spying," he added. "We don't hire private investigators to follow students wherever they go. If students say stupid things online, they should educate them ... not engage in prior restraint."

    Goemann also noted that the rush to social media monitoring raises an often overlooked legal concern: It's against Facebook's Terms of Service.

    "You will not share your password ... let anyone else access your account or do anything else that might jeopardize the security of your account," the site says in its policies. 

    Frederic Wolens, a Facebook spokesman, wouldn't comment on the Maryland legislative proposals, but he said many of these school and employer policies appear to violate the site's terms.

    "Under our terms, only the holder of the email address and password is considered the Facebook account owner. We also prohibit anyone from soliciting the login information or accessing an account belonging to someone else," he said in a statement to msnbc.com. Wolens said Facebook has yet to take a position on collegiate social media monitoring.

    Social media monitoring at colleges, while spreading quickly among athletic departments, seems to be limited to athletes at the moment. There's nothing stopping schools from applying the same policies to other students, however. And Shear says he's heard from college applicants that interviewers have requested Facebook or Twitter login information during in-person screenings.

    The practice seems less common among employers, but scattered incidents are gaining attention from state lawmakers. The blog Tecca.com last year showed what it said was an image of an application for a clerical job with a North Carolina police department that included the following question:

    "Do you have any web page accounts such as Facebook, Myspace, etc.?  If so, list your username and password." 

    And the state of Illinois has followed Maryland's lead and is considering similar legislation to ban social media password demands by employers. 

    But Shear says a patchwork of state laws isn't good enough when the stakes are this high.

    "We need a federal law dealing with this," he said. "After 9/11, we have a culture where some people think it's OK for the government to be this involved in our lives, that it's OK to turn everything over to the government. But it's not. We still have privacy rights in this country, and we still have a Constitution."

    *Follow Bob Sullivan on Facebook     
    *Follow Bob Sullivan on Twitter.