Under Surveillance
 
From streaming video and voice recognition technology to geolocation beacons and connected sensors, technology makes it easy to monitor anyone from anywhere. Save a favorite on a website, download an app from your phone, ask a voice-enabled device for help with your shopping, walk into a fast food restaurant -- nearly everything we do is not only watched; it's stored, catalogued, analyzed and shared throughout the vast and growing Internet of Things (IoT).
 
Like many, you may be tempted to think, "So what? I'm not doing anything wrong. Go ahead and watch."
 
Be careful. That can be a dangerous mentality.
 
Even good guys can get snagged by digital eavesdropping. Data taken out of context can lead to very incorrect conclusions. Incorrect assumptions about your behavior, your whereabouts or your purchases can lead to erroneous conclusions that can negatively impact your life. 

Read on to learn who is watching you and what the implications may be if we're not more diligent with the protection of our privacy. 


IN THIS ISSUE

Singapore Botanic Gardens
 
hotHot Holiday Gifts May Be Spying On You
 
Four tips for protecting yourself from smart gadgets

 
National Orchid Garden of the Singapore Botanic Gardens
Some of the most popular gifts this holiday season were "smart" devices connected to the Internet. Consumers around the world demonstrated a massive appetite for the technology. Amazon, for instance, sold more than 9 times the number of voice-enabled Echo devices this year than last.
 
This explosive growth of consumer interest in connected gadgets means more cameras and microphones sending private images and conversations to the Internet. In fact, news just broke of law enforcement pursuing Echo data for a murder investigation. C onsider the other types of organizations that could also pursue such data.
 
So what should you do if you received a smart something this year? Here are a few tips...
  1. Give your gadget a good strong password and make it unique from your passwords for business, for financial sites, for social media, etc
     
  2. Never keep the default password. Never. Never. Did I say never? This is really important, folks!
     
  3. Turn on encryption. Always!
     
  4. Whenever you are not using them, power down or disconnect voice-enabled devices. They are always listening even if you haven't activated the device with its keyword or phrase.  
   
devDevices Themselves are Under Surveillance
 
 
  
Internet of Things (IoT) search engine makes finding vulnerable devices easy

 
Crooks looking to hack connected devices have a strong ally. IoT search engines, such as Shodan, can easily find connected devices. If you have a baby monitor, a DVR or one of the newer "smart home" gadgets, anyone can locate those devices simply by using Shodan to search your neighborhood. Without a strong password and encryption, you will likely be targeted as a good potential victim or an unwitting accomplice for cybercrimes.
 
This is exactly how the Dyn hackers got up to their mischief and successfully pulled off the largest cyber attack in recorded history in October 2016.
 
Hackers have also been known to use Shodan to crack into highly confidential stores, such as the classified counter-terrorism material stolen from an Internet-linked hard drive at Europol. Rarely do these criminals need physical access to infect connected devices with viruses either. Check out this story of a drone used to hack the lights of an office building (thanks for the pointer, Gal Shpantzer!)
 
For more on how hackers take advantage of connected devices, check out my recent visit to the CWIowa Live morning show

janJanuary 28 is Data Privacy Day
 
What are your plans?


For nearly a decade, we have celebrated Data Privacy Day here in my home state of Iowa, USA, by requesting the proclamation of Iowa Data Privacy Day on January 28. This year will be even more special as I am meeting with Iowa governor Terry Branstad (incoming U.S. ambassador to China ) for a special proclamation signing (stay tuned for images in February's Tips message).
 
What does your organization have planned for its International Data Privacy Day activities? Please send me a note, as I always love to hear how others plan to raise privacy awareness on this important day. If you're looking for ideas, visit StaySafeOnline.org.
favFavorite Apps Monitor Your Moves
 
 

Uber, Facebook and others loaded with surveillance features


A third of mobile apps today have location services. Of course, those features are only a few of the ways providers monitor users' digital behaviors. Below are just three examples of popular apps and how they track users either directly or as a door-opener for data thieves.
 
Uber Now Tracks Passengers' Locations Even After They're Dropped Off - Before, Uber only collected data when the app was open. Now, Uber can continue to collect location data up until five minutes after the ride ends, and even if the app is closed. Users can select "Never" from the share location options to avoid this.
 
Fake Celebrity Photos and Videos Spreading Malware on Facebook - One way to ensure your every digital move is monitored is to fall for a malware scam. Once downloaded to your device, all clicks, visits and downloads made from that computer are tracked, and usually not by anyone good. Falling for fake news is a terrific way to walk right into a malware trap. Thanks to my friend Mich Kabay for pointing to this resource on how to stop fake news from spreading on Facebook.

Evernote's (Attempted) New Privacy Policy (Would Have Allowed) Its Employees To Access Your 'Ideas'  - This planned change would have given a large number of Evernote employees access to your proprietary, and possibly confidential, information. It's incredibly encouraging to see the public take notice and to express their concerns and outrage about the change. The push back resulted in Evernote changing its plans, and the app's providers have agreed not to make the change after all. Proof that heightened awareness of privacy policies and plans, and being vocal about concerns, CAN make a difference! 

idIdentity Theft as Certain as Death & Taxes
 
 

Tax Identity Theft Awareness Week is Jan. 30 through Feb. 3

 
Built in 1827, the Sri Mariamman Temple is the oldest Hindu temple in Singapore.
Tax-related identity theft and IRS imposter scams are on the rise. The Federal Trade Commission wants to do something about it. As such, the agency has designated a week to raise awareness of common tricks and traps, as well as what you can do to avoid falling victim to them. Check out the series of educational webinars they will be hosting beginning Jan. 31, 2017.
 
In the meantime, here are tips to share with friends and family (particularly those who like to file early)...
 
  • Call to demand immediate payment using a specific payment method.
  • Initiate contact by e-mail or text message. Generally, the IRS will first mail you a bill.
  • Threaten to immediately bring in local police or other law-enforcement groups to have you arrested.
  • Demand you pay taxes without giving you the opportunity to question or appeal.
big Big-Time Surprise Coming Out of the UK

Arguably leaps and bounds ahead of other countries with privacy protections, UK does an apparent about face

 
A new law in the UK forces ISPs to store the browsing histories of their customers. And this is not fake news, folks!
 
Why so shocking? British legislators historically have been quick to demonstrate respect for the privacy and security of its citizens. This dangerous new law, however, flies right in the face of this long-held deference.
 
Even in the U.S. (where legislators have a long way to go in demonstrating respect for privacy), ISPs must get permission from customers before collecting and sharing data.
 
While many anti-terrorism and law enforcement representatives are likely to applaud this move in the UK, it's important to know there are plenty of less intrusive ways to monitor online behavior of suspects.
 
For starters, keep it to the actual suspects!
 
Monitoring every single user of a particular ISP is not only unnecessary, it's irresponsible. Collecting the data of non-suspects opens these individuals up to all kinds of potential harm from data breaches alone.
 
2017 is sure to be full of conversations about the need to balance privacy with homeland security, and I for one can't wait to be a part of them! Join me by sharing your thoughts with the law makers in your area. Every voice counts!
Looking across the Marina Bay at the Marina Bay Sands Hotel, Merlion Park
Privacy 'Time Hop'
privacy

Hate to say we told you so, but... 
  
Last year at this time, we talked about the potential of privacy risks associated with smart toys  new to the market. Not surprisingly, researchers have since found many of these toys lack appropriate security and privacy policies. What's more, they are believed to be sharing kids' secrets, asking them for sensitive information and subjecting children to hidden advertising.
 
This is only going to get worse before it gets better. Make sure you are aware of the ways in which your children's smart toys are watching, listening and provoking the release of sensitive information. 

healthHEALTHCARE SPOTLIGHT
 
 
 

Prescriptions monitored more than ever before
 
Under the guise of protecting people from the U.S. opioid epidemic, lawmakers are establishing even more intrusive prescription monitoring programs. The programs are said to help physicians writing prescriptions more easily identify "doctor shoppers, which are criminal drug sellers who jump from clinic to clinic to avoid detection.
 
At first blush, it sounds like a good idea. But consider the ramifications. By storing sensitive health data like prescriptions, we'll be in huge violation of patient privacy and be putting that data at risk if effective controls are not in place. Storing such information on a database no doubt connected to the Internet is far from an ideal way to protect our citizens during a time when data breaches are prevalent.  

SeventhPrivacy Professor On The Road & In the News
  
 

On the road again 

One of my favorite things to do is visit with leaders in different industries - healthcare to associations to energy and beyond. Below are a few of the events I have scheduled for the upcoming season.

January 5, 2017: Formal signing ceremony by Iowa Governor Branstad for the official Iowa Data Privacy Day proclamation, Iowa Capitol, Des Moines.
 
April 18, 2017: Giving speech, "Don't Let Third Parties Bring Down Your Business: Effective Vendor Management," to attendees of ISSA Minnesota Chapter Meeting, St. Paul.
 
July 27, 2017: Providing sessions at the Internet of Medical Things III: Engineering and Cybersecurity for Connected Devices Conference , hosted by the BioPharmaceutical Research Council, NJ Hospital Association,  Princeton.


Taking to the air waves

CWIowa Live, a morning TV broadcast, regularly covers privacy and security tips with their guest, the Privacy Professor! Each is a brief 10-15 minutes and covers topics ranging from insider theft to connected vehicles. Check out this online library to watch recent episodes.

Here is my first of the month visit to the studio   on Dec. 20, during which we discussed smart devices and the vulnerabilities they come with.   

This is my second visit to the studio on Dec. 27. On this episode we talked about the  growing numbers of sextortion incidents, how to avoid becoming a victim and steps you can take if you do.


In the news


Have a topic I should discuss on the  CWIowa Live morning show? Or, a question I can answer in my next monthly Tips? Let me know!


This is an image of my dragon fruit salad and jumbo seafood, which I enjoyed at the River Point in Singapore. Boy, do they know food! 

By the time you receive this message, you may be off to the races on another wonderful year of new experiences.

Rather than another year older, let's consider ourselves another year smarter.

Keep those privacy and data security priorities moving and stay in touch as you accomplish what I'm sure will be tremendous goals! 
 
Have a terrific start to 2017 and Happy New Year!
Rebecca
Rebecca Herold
The Privacy Professor
Need Help?


Permission to Share

Want to repurpose the information contained in this Tips? Yes, please forward in its entirety. 

If you prefer to use only excerpts, please use this attribution:

Source: Rebecca Herold, Founder, The Privacy Professor®, privacyprofessor.org, privacyguidance.com, SIMBUS360.com, rebeccaherold@rebeccaherold.com 

NOTE: Permission for excerpts does not extend to images, which are my own personal photos. If you want to use them, contact me.
 
 
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564

Visit my blog    Follow me on Twitter