It has been called the morning miracle – getting up before everyone else and winning the day. But does it actually make you more productive and focused?

It is 5.15am and I am walking down my street, feeling smug. The buildings are bathed in peachy dawn light. “Win the morning and you win the day,” suggests productivity guru Tim Ferriss. The prize is within my sights: an oat-milk latte, my reward for getting up ridiculously early.

The trains have not started running yet and the silence seems to magnify hitherto inaudible sounds. There is a mysterious squawk of gulls. I live in Camden, north-west London, many miles from the seaside. I have certainly never heard them here before.

Limp salad, bad barbecues, jellyfish stings and chafing. Summer can be a tricky season – but our experts are on hand to help with your hot-weather headaches

Worrisome wasps
“If you eat near still water you’ll get a lot more insects than if you have a bit of a breeze,” says Ben Quinn, chef and founder of Woodfired Canteen. “But ultimately, if you go to mother nature’s dining room, there will be others at your table. Pack a few sacrifices to the god of the wasps in the form of diluted jam in a mug for them to focus on.” You’re better off firing up the barbecue, he adds: “The smoke annoys insects, so they avoid it.” Simon Stallard, chef and founder of the Hidden Hut cafe in Cornwall, says wait until the last second to open anything sugary: “Cakes, fizzy drinks, ketchup – that’s what they’re attracted to.”

The president met with Democratic governors to shore up support, but doubts regarding his competence remain

Joe Biden has reportedly admitted to Democratic governors that he needs more sleep – while telling a supporter at the White House Fourth of July celebrations on Thursday night that he isn’t “going anywhere” in the race for re-election.

The US president told the Democratic governors that he had been feeling fatigued, needed to get more sleep and was aiming to reduce overwork, particularly by planning fewer engagements after 8pm, the New York Times reported.

Friends, let's talk about one of the most confusing terms you’ll see on your fitness tracker—specifically your Apple Watch. Next to REM sleep, which you’ve probably heard of, and “deep” sleep, which feels self explanatory, there’s “core” sleep. And if you google what core sleep means, you’ll get a definition that is entirely opposite from how Apple uses the term. So let’s break it down.

The root of the confusion lies in the fact that the term “core sleep” has been used in the scientific literature to mean a few different things. Importantly, it’s not a recognized sleep stage. Apple, on the other hand, decided to rename the sleep stages its watch can detect, and called one of them “core sleep”—but it bears no relation to any of the previous common uses of the term.

"Core sleep" in the Apple Watch is the same as light sleep

Let me give you a straightforward explanation of what you’re seeing when you look at your Apple sleep data. 

Your Apple Watch tries to guess, mainly through your movements, when you’re in each stage of sleep. (To truly know your sleep stages would require a sleep study with more sophisticated equipment, like an electroencephalogram. The watch is just doing its best with the data it has.) 

Apple says their watch can tell the difference between four different states: 

• Awake

• Light (“core”) sleep

• Deep sleep

• REM sleep

These categories roughly correspond to the sleep stages that neuroscientists can observe with polysomnography, which involves hooking you up to an electroencephalogram, or EEG. (That’s the thing where they attach wires to your head). Scientists recognize three stages of non-REM sleep, with the third being described as deep sleep. That means stages 1 and 2, which are sometimes called “light” sleep, are being labeled as “core” sleep by your wearable.  

In other words: Apple's definition of "core sleep" is identical to scientists' definition of "light sleep." It is otherwise known as N2 sleep. (More on that in a minute.)

So why didn’t Apple use the same wording as everyone else? The company says in a document on their sleep stage algorithm that they were worried people would misunderstand the term "light sleep" if they called it that.

The label Core was chosen to avoid possible unintended implications of the term light, because the N2 stage is predominant (often making up more than 50 percent of a night’s sleep), normal, and an important aspect of sleep physiology, containing sleep spindles and K-complexes.   

In other words, they thought we might assume that "light" sleep is less important than "deep" sleep, so they chose a new, important-sounding name to use in place of "light."

A chart on the same page lays it out: non-REM stages 1 and 2 fall under the Apple category of “core” sleep, while stage 3 is “deep” sleep. That’s how Apple defined it in testing: If an EEG said a person was in stage 2 when the watch said they were in “core,” that was counted as a success for the algorithm.

What are the known sleep stages?

Let’s back up to consider what was known about sleep stages before Apple started renaming them. The current scientific understanding, which is based on brain wave patterns that can be read with an EEG, includes these stages: 

Non-REM stage 1 (N1) 

N1 only lasts a few minutes. You’re breathing normally. Your body is beginning to relax, and your brain waves start to look different than they do when you’re awake. This would be considered part of your “light” sleep.

Non-REM stage 2 (N2)

Also usually considered “light” sleep, N2 makes up about half of your sleep time. This stage includes spikes of brain activity called sleep spindles, and distinctive brainwave patterns called K complexes. (These are what the Apple document mentioned above.) This stage of sleep is thought to be when we consolidate our memories. Fun fact: if you grind your teeth in your sleep, it will mostly be in this stage. 

Non-REM stage 3 (N3) 

N3 is often called “deep” sleep, and this stage accounts for about a quarter of your night. It has the slowest brain waves, so it’s sometimes called “slow wave sleep.” It’s hard to wake someone up from this stage, and if you succeed, they’ll be groggy for a little while afterward. This is the stage where the most body repair tends to happen, including muscle recovery, bone growth in children, and immune system strengthening. As we age, we spend less time in N3 and more time in N2.

(There was an older classification that split off the deepest sleep into its own stage, calling it non-REM stage 4, but currently that deepest portion is just considered part of stage 3.) 

REM sleep

REM sleep is so named because this is where we have Rapid Eye Movement. Your body is temporarily paralyzed, except for the eyes and your breathing muscles. This is the stage best known for dreaming (although dreams can occur in other stages as well).

The brain waves of a person in REM sleep look very similar to those of a person who is awake, which is why some sleep-tracking apps show blocks of REM as occurring near the top of the graph, near wakefulness. We don’t usually enter REM sleep until we’ve been through the other stages, and we cycle through these stages all night. Usually REM sleep is fairly short during the beginning of the night, and gets longer with each cycle. 

How much core sleep do I need?

Using Apple's definition, in which core sleep is the same as light sleep, it's normal for almost half of your sleep to be core sleep. Sleep scientists give an approximate breakdown (although the exact numbers may vary from person to person, and your needs aren't always the same every night):

• N1 (very light sleep): About 5% of the total (just a few minutes)

• N2 (light or "core" sleep): About 45%, so just under four hours if you normally sleep for eight hours

• N3 (deep sleep): About 25%, so about two hours if you normally sleep for eight hours

• REM: About 25%, so also about two hours.

Other ways people use the term “core sleep”

I really wish Apple had chosen another term, because the phrase “core sleep” has been used in other ways. It either doesn’t refer to a sleep stage at all, or if it is associated with sleep stages, it’s used to refer to deep sleep stages. 

In the 1980’s, sleep scientist James Horne proposed that your first few sleep cycles (taking up maybe the first five hours of the night) constitute the “core” sleep we all need to function. The rest of the night is “optional” sleep, which ideally we’d still get every night, but which it’s not a big deal to miss out on from time to time. He described this in a 1988 book called Why We Sleep (no relation to the 2017 book by another author) but you can see his earlier paper on the topic here. He uses the terms “obligatory” and “facultative” sleep in that paper, and switched to the core/optional terminology later. 

You’ll also find people using the phrase “core sleep” to refer to everything but light sleep. For example, this paper on how sleep changes as we age compares their findings in terms of sleep stages with Horne’s definition of core sleep. In doing so, they describe core sleep as mainly consisting of stages N3-N4 (in other words, N3 as described above). 

From there, somehow the internet has gotten the idea that N3 and REM are considered “core” sleep. I don’t know how that happened, and I don’t see it when I search the scientific literature. I do see it on “what is core sleep?” junk articles on the websites of companies selling weighted blankets and melatonin gummies. 

For one final, contradictory definition, the phrase “core sleep” is also used by people who are into polyphasic sleep. This is the idea that you can replace a full night’s sleep with several naps during the day, something that biohacker types keep trying to make happen, even though it never pans out. They use the term pretty straightforwardly: If you have a nighttime nap that is longer than your other naps, that’s your “core sleep.” Honestly, that’s a fair use of the word. I'll allow it.

So, to wrap up: Core sleep, if you’re a napper, is the longest block of sleep you get during a day. Core sleep, to scientists who study sleep deprivation, is a hypothesis about which part of a night’s sleep is the most important. But if you’re just here because you were wondering what your Apple sleep app means by "core sleep," it means stages N1-N2, or light sleep.

The nonprofit organization that supports the Firefox web browser said today it is winding down its new partnership with Onerep, an identity protection service recently bundled with Firefox that offers to remove users from hundreds of people-search sites. The move comes just days after a report by KrebsOnSecurity forced Onerep’s CEO to admit that he has founded dozens of people-search networks over the years.

Mozilla Monitor. Image Mozilla Monitor Plus video on Youtube.

Mozilla only began bundling Onerep in Firefox last month, when it announced the reputation service would be offered on a subscription basis as part of Mozilla Monitor Plus. Launched in 2018 under the name Firefox Monitor, Mozilla Monitor also checks data from the website Have I Been Pwned? to let users know when their email addresses or password are leaked in data breaches.

On March 14, KrebsOnSecurity published a story showing that Onerep’s Belarusian CEO and founder Dimitiri Shelest launched dozens of people-search services since 2010, including a still-active data broker called Nuwber that sells background reports on people. Onerep and Shelest did not respond to requests for comment on that story.

But on March 21, Shelest released a lengthy statement wherein he admitted to maintaining an ownership stake in Nuwber, a consumer data broker he founded in 2015 — around the same time he launched Onerep.

Shelest maintained that Nuwber has “zero cross-over or information-sharing with Onerep,” and said any other old domains that may be found and associated with his name are no longer being operated by him.

“I get it,” Shelest wrote. “My affiliation with a people search business may look odd from the outside. In truth, if I hadn’t taken that initial path with a deep dive into how people search sites work, Onerep wouldn’t have the best tech and team in the space. Still, I now appreciate that we did not make this more clear in the past and I’m aiming to do better in the future.” The full statement is available here (PDF).

Onerep CEO and founder Dimitri Shelest.

In a statement released today, a spokesperson for Mozilla said it was moving away from Onerep as a service provider in its Monitor Plus product.

“Though customer data was never at risk, the outside financial interests and activities of Onerep’s CEO do not align with our values,” Mozilla wrote. “We’re working now to solidify a transition plan that will provide customers with a seamless experience and will continue to put their interests first.”

KrebsOnSecurity also reported that Shelest’s email address was used circa 2010 by an affiliate of Spamit, a Russian-language organization that paid people to aggressively promote websites hawking male enhancement drugs and generic pharmaceuticals. As noted in the March 14 story, this connection was confirmed by research from multiple graduate students at my alma mater George Mason University.

Shelest denied ever being associated with Spamit. “Between 2010 and 2014, we put up some web pages and optimize them — a widely used SEO practice — and then ran AdSense banners on them,” Shelest said, presumably referring to the dozens of people-search domains KrebsOnSecurity found were connected to his email addresses (dmitrcox@gmail.com and dmitrcox2@gmail.com). “As we progressed and learned more, we saw that a lot of the inquiries coming in were for people.”

Shelest also acknowledged that Onerep pays to run ads on “on a handful of data broker sites in very specific circumstances.”

“Our ad is served once someone has manually completed an opt-out form on their own,” Shelest wrote. “The goal is to let them know that if they were exposed on that site, there may be others, and bring awareness to there being a more automated opt-out option, such as Onerep.”

Reached via Twitter/X, HaveIBeenPwned founder Troy Hunt said he knew Mozilla was considering a partnership with Onerep, but that he was previously unaware of the Onerep CEO’s many conflicts of interest.

“I knew Mozilla had this in the works and we’d casually discussed it when talking about Firefox monitor,” Hunt told KrebsOnSecurity. “The point I made to them was the same as I’ve made to various companies wanting to put data broker removal ads on HIBP: removing your data from legally operating services has minimal impact, and you can’t remove it from the outright illegal ones who are doing the genuine damage.”

Playing both sides — creating and spreading the same digital disease that your medicine is designed to treat — may be highly unethical and wrong. But in the United States it’s not against the law. Nor is collecting and selling data on Americans. Privacy experts say the problem is that data brokers, people-search services like Nuwber and Onerep, and online reputation management firms exist because virtually all U.S. states exempt so-called “public” or “government” records from consumer privacy laws.

Those include voting registries, property filings, marriage certificates, motor vehicle records, criminal records, court documents, death records, professional licenses, and bankruptcy filings. Data brokers also can enrich consumer records with additional information, by adding social media data and known associates.

The March 14 story on Onerep was the second in a series of three investigative reports published here this month that examined the data broker and people-search industries, and highlighted the need for more congressional oversight — if not regulation — on consumer data protection and privacy.

On March 8, KrebsOnSecurity published A Close Up Look at the Consumer Data Broker Radaris, which showed that the co-founders of Radaris operate multiple Russian-language dating services and affiliate programs. It also appears many of their businesses have ties to a California marketing firm that works with a Russian state-run media conglomerate currently sanctioned by the U.S. government.

On March 20, KrebsOnSecurity published The Not-So-True People-Search Network from China, which revealed an elaborate web of phony people-search companies and executives designed to conceal the location of people-search affiliates in China who are earning money promoting U.S. based data brokers that sell personal information on Americans.

It’s not unusual for the data brokers behind people-search websites to use pseudonyms in their day-to-day lives (you would, too). Some of these personal data purveyors even try to reinvent their online identities in a bid to hide their conflicts of interest. But it’s not every day you run across a US-focused people-search network based in China whose principal owners all appear to be completely fabricated identities.

Responding to a reader inquiry concerning the trustworthiness of a site called TruePeopleSearch[.]net, KrebsOnSecurity began poking around. The site offers to sell reports containing photos, police records, background checks, civil judgments, contact information “and much more!” According to LinkedIn and numerous profiles on websites that accept paid article submissions, the founder of TruePeopleSearch is Marilyn Gaskell from Phoenix, Ariz.

The saucy yet studious LinkedIn profile for Marilyn Gaskell.

Ms. Gaskell has been quoted in multiple “articles” about random subjects, such as this article at HRDailyAdvisor about the pros and cons of joining a company-led fantasy football team.

“Marilyn Gaskell, founder of TruePeopleSearch, agrees that not everyone in the office is likely to be a football fan and might feel intimidated by joining a company league or left out if they don’t join; however, her company looked for ways to make the activity more inclusive,” this paid story notes.

Also quoted in this article is Sally Stevens, who is cited as HR Manager at FastPeopleSearch[.]io.

Sally Stevens, the phantom HR Manager for FastPeopleSearch.

“Fantasy football provides one way for employees to set aside work matters for some time and have fun,” Stevens contributed. “Employees can set a special league for themselves and regularly check and compare their scores against one another.”

Imagine that: Two different people-search companies mentioned in the same story about fantasy football. What are the odds?

Both TruePeopleSearch and FastPeopleSearch allow users to search for reports by first and last name, but proceeding to order a report prompts the visitor to purchase the file from one of several established people-finder services, including BeenVerified, Intelius, and Spokeo.

DomainTools.com shows that both TruePeopleSearch and FastPeopleSearch appeared around 2020 and were registered through Alibaba Cloud, in Beijing, China. No other information is available about these domains in their registration records, although both domains appear to use email servers based in China.

Sally Stevens’ LinkedIn profile photo is identical to a stock image titled “beautiful girl” from Adobe.com. Ms. Stevens is also quoted in a paid blog post at ecogreenequipment.com, as is Alina Clark, co-founder and marketing director of CocoDoc, an online service for editing and managing PDF documents.

The profile photo for Alina Clark is a stock photo appearing on more than 100 websites.

Scouring multiple image search sites reveals Ms. Clark’s profile photo on LinkedIn is another stock image that is currently on more than 100 different websites, including Adobe.com. Cocodoc[.]com was registered in June 2020 via Alibaba Cloud Beijing in China.

The same Alina Clark and photo materialized in a paid article at the website Ceoblognation, which in 2021 included her at #11 in a piece called “30 Entrepreneurs Describe The Big Hairy Audacious Goals (BHAGs) for Their Business.” It’s also worth noting that Ms. Clark is currently listed as a “former Forbes Council member” at the media outlet Forbes.com.

Entrepreneur #6 is Stephen Curry, who is quoted as CEO of CocoSign[.]com, a website that claims to offer an “easier, quicker, safer eSignature solution for small and medium-sized businesses.” Incidentally, the same photo for Stephen Curry #6 is also used in this “article” for #22 Jake Smith, who is named as the owner of a different company.

Stephen Curry, aka Jake Smith, aka no such person.

Mr. Curry’s LinkedIn profile shows a young man seated at a table in front of a laptop, but an online image search shows this is another stock photo. Cocosign[.]com was registered in June 2020 via Alibaba Cloud Beijing. No ownership details are available in the domain registration records.

Listed at #13 in that 30 Entrepreneurs article is Eden Cheng, who is cited as co-founder of PeopleFinderFree[.]com. KrebsOnSecurity could not find a LinkedIn profile for Ms. Cheng, but a search on her profile image from that Entrepreneurs article shows the same photo for sale at Shutterstock and other stock photo sites.

DomainTools says PeopleFinderFree was registered through Alibaba Cloud, Beijing. Attempts to purchase reports through PeopleFinderFree produce a notice saying the full report is only available via Spokeo.com.

Lynda Fairly is Entrepreneur #24, and she is quoted as co-founder of Numlooker[.]com, a domain registered in April 2021 through Alibaba in China. Searches for people on Numlooker forward visitors to Spokeo.

The photo next to Ms. Fairly’s quote in Entrepreneurs matches that of a LinkedIn profile for Lynda Fairly. But a search on that photo shows this same portrait has been used by many other identities and names, including a woman from the United Kingdom who’s a cancer survivor and mother of five; a licensed marriage and family therapist in Canada; a software security engineer at Quora; a journalist on Twitter/X; and a marketing expert in Canada.

Cocofinder[.]com is a people-search service that launched in Sept. 2019, through Alibaba in China. Cocofinder lists its market officer as Harriet Chan, but Ms. Chan’s LinkedIn profile is just as sparse on work history as the other people-search owners mentioned already. An image search online shows that outside of LinkedIn, the profile photo for Ms. Chan has only ever appeared in articles at pay-to-play media sites, like this one from outbackteambuilding.com.

Perhaps because Cocodoc and Cocosign both sell software services, they are actually tied to a physical presence in the real world — in Singapore (15 Scotts Rd. #03-12 15, Singapore). But it’s difficult to discern much from this address alone.

Who’s behind all this people-search chicanery? A January 2024 review of various people-search services at the website techjury.com states that Cocofinder is a wholly-owned subsidiary of a Chinese company called Shenzhen Duiyun Technology Co.

“Though it only finds results from the United States, users can choose between four main search methods,” Techjury explains. Those include people search, phone, address and email lookup. This claim is supported by a Reddit post from three years ago, wherein the Reddit user “ProtectionAdvanced” named the same Chinese company.

Is Shenzhen Duiyun Technology Co. responsible for all these phony profiles? How many more fake companies and profiles are connected to this scheme? KrebsOnSecurity found other examples that didn’t appear directly tied to other fake executives listed here, but which nevertheless are registered through Alibaba and seek to drive traffic to Spokeo and other data brokers. For example, there’s the winsome Daniela Sawyer, founder of FindPeopleFast[.]net, whose profile is flogged in paid stories at entrepreneur.org.

Google currently turns up nothing else for in a search for Shenzhen Duiyun Technology Co. Please feel free to sound off in the comments if you have any more information about this entity, such as how to contact it. Or reach out directly at krebsonsecurity @ gmail.com.

A mind map highlighting the key points of research in this story. Click to enlarge. Image: KrebsOnSecurity.com

ANALYSIS

It appears the purpose of this network is to conceal the location of people in China who are seeking to generate affiliate commissions when someone visits one of their sites and purchases a people-search report at Spokeo, for example. And it is clear that Spokeo and others have created incentives wherein anyone can effectively white-label their reports, and thereby make money brokering access to peoples’ personal information.

Spokeo’s Wikipedia page says the company was founded in 2006 by four graduates from Stanford University. Spokeo co-founder and current CEO Harrison Tang has not yet responded to requests for comment.

Intelius is owned by San Diego based PeopleConnect Inc., which also owns Classmates.com, USSearch, TruthFinder and Instant Checkmate. PeopleConnect Inc. in turn is owned by H.I.G. Capital, a $60 billion private equity firm. Requests for comment were sent to H.I.G. Capital. This story will be updated if they respond.

BeenVerified is owned by a New York City based holding company called The Lifetime Value Co., a marketing and advertising firm whose brands include PeopleLooker, NeighborWho, Ownerly, PeopleSmart, NumberGuru, and Bumper, a car history site.

Ross Cohen, chief operating officer at The Lifetime Value Co., said it’s likely the network of suspicious people-finder sites was set up by an affiliate. Cohen said Lifetime Value would investigate to determine if this particular affiliate was driving them any sign-ups.

All of the above people-search services operate similarly. When you find the person you’re looking for, you are put through a lengthy (often 10-20 minute) series of splash screens that require you to agree that these reports won’t be used for employment screening or in evaluating new tenant applications. Still more prompts ask if you are okay with seeing “potentially shocking” details about the subject of the report, including arrest histories and photos.

Only at the end of this process does the site disclose that viewing the report in question requires signing up for a monthly subscription, which is typically priced around $35. Exactly how and from where these major people-search websites are getting their consumer data — and customers — will be the subject of further reporting here.

The main reason these various people-search sites require you to affirm that you won’t use their reports for hiring or vetting potential tenants is that selling reports for those purposes would classify these firms as consumer reporting agencies (CRAs) and expose them to regulations under the Fair Credit Reporting Act (FCRA).

These data brokers do not want to be treated as CRAs, and for this reason their people search reports typically don’t include detailed credit histories, financial information, or full Social Security Numbers (Radaris reports include the first six digits of one’s SSN).

But in September 2023, the U.S. Federal Trade Commission found that TruthFinder and Instant Checkmate were trying to have it both ways. The FTC levied a $5.8 million penalty against the companies for allegedly acting as CRAs because they assembled and compiled information on consumers into background reports that were marketed and sold for employment and tenant screening purposes.

The FTC also found TruthFinder and Instant Checkmate deceived users about background report accuracy. The FTC alleges these companies made millions from their monthly subscriptions using push notifications and marketing emails that claimed that the subject of a background report had a criminal or arrest record, when the record was merely a traffic ticket.

The FTC said both companies deceived customers by providing “Remove” and “Flag as Inaccurate” buttons that did not work as advertised. Rather, the “Remove” button removed the disputed information only from the report as displayed to that customer; however, the same item of information remained visible to other customers who searched for the same person.

The FTC also said that when a customer flagged an item in the background report as inaccurate, the companies never took any steps to investigate those claims, to modify the reports, or to flag to other customers that the information had been disputed.

There are a growing number of online reputation management companies that offer to help customers remove their personal information from people-search sites and data broker databases. There are, no doubt, plenty of honest and well-meaning companies operating in this space, but it has been my experience that a great many people involved in that industry have a background in marketing or advertising — not privacy.

Also, some so-called data privacy companies may be wolves in sheep’s clothing. On March 14, KrebsOnSecurity published an abundance of evidence indicating that the CEO and founder of the data privacy company OneRep.com was responsible for launching dozens of people-search services over the years.

Finally, some of the more popular people-search websites are notorious for ignoring requests from consumers seeking to remove their information, regardless of which reputation or removal service you use. Some force you to create an account and provide more information before you can remove your data. Even then, the information you worked hard to remove may simply reappear a few months later.

This aptly describes countless complaints lodged against the data broker and people search giant Radaris. On March 8, KrebsOnSecurity profiled the co-founders of Radaris, two Russian brothers in Massachusetts who also operate multiple Russian-language dating services and affiliate programs.

The truth is that these people-search companies will continue to thrive unless and until Congress begins to realize it’s time for some consumer privacy and data protection laws that are relevant to life in the 21st century. Duke University adjunct professor Justin Sherman says virtually all state privacy laws exempt records that might be considered “public” or “government” documents, including voting registries, property filings, marriage certificates, motor vehicle records, criminal records, court documents, death records, professional licenses, bankruptcy filings, and more.

“Consumer privacy laws in California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia all contain highly similar or completely identical carve-outs for ‘publicly available information’ or government records,” Sherman said.