Practice Good Personal Data Hygiene
 


As people the world over increase their personal hygiene habits to contain the novel coronavirus, COVID-19, we must pay just as much attention to our personal data hygiene. That's because scammers and cybercrooks do not take a break during times of turbulence.  In fact, they clamor for more chaos. 

A global crisis provides the perfect cover for the nefarious tricks and traps of criminals. So, as you are changing your daily routine, increasing your use of technology to work from home and opening your heart to those in need, remember to keep up a healthy guard against scams and security intrusions. 

Although we are in unusual times where everything seems odd and often scary, common sense remains one of your biggest allies in the fight against fraudsters. And, there are plenty of resources out there to guide your decisions. Use them to check (and recheck) every offer, request, warning and "too good to be true" promotion that comes your way.

  
us  Data Security & Privacy Beacons
People and places making a difference**

Have you seen an organization or individual taking actions to improve privacy? Send me a note to nominate a privacy beacon of your own!

The U.S. Federal Trade Commission (FTC)  continues to earn a place in our Privacy Beacons feature, as the agency keeps putting out great resources. One of the most recent ones is a fun and inventive activity that raises awareness of scams circulating the country. FTCScamBingo encourages players to print off the bingo card and mark off scams as they experience them. The game can be used by private citizens and even by  businesses as part of their information security and privacy awareness and training programs. If you're home with family during the pandemic, consider doing this activity with those in your home. Fun, informative and educational! If you play, please let us know. Did you get a Scam Bingo?

Douglas J. Leith of Trinity College in Dublin, Ireland, has just released the results of a study on web browser privacy. His team of researchers analyzed the backend server connections of six popular browsers. As it turns out, one of our prior Beacons, Microsoft Edge, was deemed among the least private by the study!  This is a good reminder that using self-proclaimed privacy-friendly tools that check out upon high-level inspection may require a deeper dive. You want to be sure so-called privacy-improving solutions aren't actually privacy-degrading.  

Lead Stories  is an online journal that detects and debunks trending fake news stories and hoaxes originating on sites, networks, prank generators and satirical websites. One of their ongoing features is the Hoax Alert, and I was so happy to see the recent Lowe's anniversary check scam covered. I saw many people sharing posts on social media about the scam as if it were real; certainly they were hoping it was real. (Some of these individuals even went so far as to delete my comments warning them about the dangers of falling for the trap.) Kudos to Lead Stories for explaining the scam so well.

The U.S. Department of Health and Human Services (HHS) has prepared a terrific resource on the Office of the Inspector General's website. The information posted is alerting the public about fraud schemes related to COVID-19. Among the more disturbing is a scam in which Medicare beneficiaries are offered COVID-19 tests in exchange for personal details, including Medicare information. As the HHS reports, such services are unapproved and illegitimate. Please be suspicious of all unexpected texts, emails, calls or visitors offering COVID-19 tests or supplies. Rely on your trusted medical professionals, such as your primary care physician or local clinic, for answers to any questions you have about your personal risks or testing and treatments available to you. 

**Privacy beacon shout-outs do not necessarily indicate an organization or person is addressing every privacy protection perfectly throughout their organization (no one is). It simply highlights a noteworthy example that is, in most cases, worth emulating.
It's important to mitigate the risks of working remotely  
  

In recent weeks, many people have been challenged to quickly transition to working from home. Given the large number of workers and entire industries that have gone remote, we must all by hyper diligent in the protection our new home offices from opportunistic cyber attackers.

Because so many organizations had to enact remote working capabilities with urgency, they had little time to train employees with proper procedures. In fact, many organizations did not even have documented policies, let alone procedures, for their employees to follow for work-from-home security and privacy. This lack of preparedness, coupled with the sheer number of distractions employees face as they monitor news about COVID-19, is likely to open up businesses and employees to a variety of increased risks. These include:

Phishing scams: Cybercriminals send phishing emails, texts and even social media posts that appear to be from someone inside the company. One of their common tricks is to pretend they've been kicked out of the system and need access codes to get back in. 
  • TIPS: Verify the email with a phone call to the colleague. Never click on links or provide sensitive information over email or any other method of contact. Continue to utilize the help of your IT resources even when working from home.
Remote desktop tool vulnerabilities: Because remote desktops, a.k.a. remote desktop protocols or RDPs, are so widely used, they are common targets for cyber criminals. Case in point: Hackers are exploiting vulnerabilities in Zoom to hijack virtual meetings and even spread malicious code. 
  • TIPS: Add an extra layer of security by using a virtual private network (VPN). Computers connected to a VPN are assigned a private IP address, which allows them to access a remote connection much more securely. Be sure to also use a strong password. Speak with your employer's information security or IT area for help. If VPNs are not implemented correctly, hackers can exploit those vulnerabilities.
Unsecure wi-fi connections: If you are accessing the internet through a public network, you run the risk of hackers spying on your online activityIf you are using your home wi-fi network, make sure you have implemented all security options and that your router's software is updated and patched.
  • TIPS: One way to secure your wi-fi connection, protecting you and your employer, is to use WPA2 security. The technology guards access to your router by requiring each new device to submit a password before it can connect. More are available at Privacy Security Brainiacs 
Increased accessibility to information and devices: Working from home for the first time could mean you don't have a dedicated space for your technology or documents. Spouses, kids, roommates and other unauthorized individuals can easily gain access to your computer and its contents, or to papers with sensitive data lying around or even thrown in the trash.   
  • TIPS: Keep your computer powered off or log out when not in use. Change your password more frequently. Don't allow family members to use a computer you use for business. Also, invest in a cross-shredder for your home office.
Internet of Things (IoT): As mentioned in previous Tips, I'm committed to raising awareness of risks posed by Internet of Things (IoT) devices and feel it's important to be aware of issues that could arise in our new remote working environments.  In a home office, you may have a device like an Amazon Echo or Dot. It's been proven that those gadgets (or more specifically, the human engineers and analysts behind them) are capable of eavesdropping on users. Could they be recording you as you speak about sensitive or confidential information? 
  • TIPS: Keep smart speakers and other listening devices out of your home office. Or, turn off the microphone until you need it. You may also consider changing the device's "wake word," so you don't inadvertently record conversations or send to someone on your contact list by mistake.
Data security and privacy protections you may have taken for granted in your office space aren't guaranteed at home. We must all be extra careful and take measures to protect the sensitive data we work with and around. 

Remote Working Resources for the Privacy Professor Community

During the COVID-19 pandemic, work from home (WFH), remote working and the use of mobile devices has increased dramatically. Employees are setting up home offices, using mobile devices and online meeting tools for work, as well as performing work activities on the road and in other temporary locations. A large number of organizations throughout the world, of all sizes and across many industries, have been asking our team for policies and procedures to deal with the data security and privacy challenges this presents. 
 
To help these organizations with their information security and privacy needs during these difficult times, we created a new page on our Privacy Security Brainiacs site. 

There, you can find  home and mobile computing  policies and procedures, tools and tips, as well as news items to help during the pandemic and long after the crisis has ended.  We are also including a no-cost set of remote working and mobile computing policies  to help you establish or update your own.

Because things are moving rapidly, we plan to continuously update Privacy Security Brainiacs throughout the crisis and beyond. If you have feedback or suggested additions, please let us know!  

wanted Scammers Take Advantage of COVID-19 Fears
Awareness and common sense are great allies against schemes

This is prime time for con artists. 

With lowered guards and a voracious appetite for information, people in a crisis are much more prone to believe what they're told. This is especially true in an increasingly digital environment in which scammers and con artists have a multitude of technologies to hide their true selves. 

Scammers are communicating via text, email, voicemail, social media and many other channels. They're posing as the federal government officials and representatives of the Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO). Because these agencies have become part of our daily lives amid the pandemic, we are more inclined to believe they're contacting us with critical information we need.

For example, passengers who were aboard the Diamond Princess cruise ship are receiving emails asking them to click a link to see their COVID-19 test results. If you've had such a test done recently, it would be hard to resist clicking on it. That's exactly what hackers are banking on.

Indeed, the parent company of Princess cruise lines announced that hackers had gained unauthorized access to employees' email accounts. The hack exposed the personal data of those who traveled and worked aboard the Princess and Holland America cruises.

Now, with the announcement that U.S. citizens will receive stimulus checks, many totaling in the thousands, there are likely to be an even greater level of scam attempts against citizens. It's fairly easy to predict an explosion of phishing emails enticing people to click a link, download an attachment or call into a nefarious line with their social security numbers to receive their money. 

The FTC has warned consumers of COVID-19-related scams. They have also provided advice to keep scammers at bay:
  • Hang up on robocalls.
  • Fact-check information.
  • Know who you're buying from.
  • Don't respond to emails or calls about checks from the government.
  • Don't click on links from sources you don't know.
  • Watch for emails claiming to be from Center of Disease Control (CDC).
  • Ignore online offers for vaccinations.
  • Do your homework when it comes to donations.
worldsHeading for a Future of Health Surveillance
Balancing pandemic prevention with personal privacy

Several countries and agencies are facing criticism about not containing the spread of COVID-19 fast enough. Especially because the technology to track diseases and the movement of people exist, some are critical about the choice to avoid deploying it. 

Among several reasons digital surveillance is not used as widely as it could be is an appreciation for privacy in many areas of the world. But, as Axios correspondent Bryan Walsh recently suggested in his reporting,  the loss of privacy may soon be weighed more critically against p ublic health benefits.

History can be a great teacher when it comes to this debate. Over the past several decades, governments have enacted policies or relaxed regulations during times of crisis. While they begin as temporary measures, they often stay in place even after the crisis comes to an end. 

The U.S. Patriot Act stands out as a recent and poignant example. The legislation  was hurriedly written and put into place right after 9/11. Although it was meant to be temporary, the law is still in place nearly two decades later. And, law enforcement and the U.S. Department of Justice have even been attempting to expand the law's surveillance capabilities. They are actively trying to compel some tech companies to weaken encryption while purchasing facial recognition capabilities from others. 

The increase in companies leveraging COVID-19 as a selling point for surveillance has ramped up in the past month, and will likely continue on for years. How successful our legislators are at balancing pandemic prevention with personal privacy depends greatly on all of us. Use your voices and share your opinions. The people who introduce and vote on our laws need to hear from you. 
 
 oldWhat 'Right to Be Forgotten' Bills Are Forgetting
A U.S. Senator from my neck of the woods recently introduced a bill that would require organizations to remove internet content if a consumer asks them to. The bill, titled the The Right to Be Forgotten Act is likely inspired by legislation in the European Union that gives citizens the power to demand certain data about them be deleted from company servers.

The spirit of the Senator's proposed legislation is good, but pragmatically speaking, it's not likely to have much of a meaningful impact on privacy protection. And, here's why...

Our personal histories, once uploaded to social media sites and elsewhere on the World Wide Web, are not irreversibly erasable. Silly, stupid, dangerous and even illegal mistakes posted online can, and typically do, live forever. Even if an ISP or social media site, such as Twitter, is directed to remove a post, chances are someone made a copy within seconds of it's original posting. 

As I've shared with audiences for decades: Once posted to the internet, information is there indefinitely. 

No amount of lawful commands can make that information disappear from the potentially thousands of copies that have been made and reposted. (I hope all the Snapchat users who believe their posts self-destruct after 30 seconds are paying attention). 

Data protection and privacy laws in the EU, which are much more robust and executable, are focused on the data that a company has in its possession, not the data a social media giant has on its servers. So while they stand out as a good model for the U.S. and other countries to follow, it will be important for our legislators to emulate the most realistic mandates (rather than the ones most likely to garner headlines). 

trackingTracking Your Every Move
FCC fines telecoms for selling real-time location data of users
 
 
 
 
 
 
 
In 2018, the largest telecom companies were found to be selling user location data to third-party aggregators, with complete disregard of U.S. Federal Communications Commission (FCC) laws.

As reported by Apple Insider, the ultimate end-users of that data included law enforcement agencies, bounty hunters, tracking services, alleged stalkers and others. 

While the top wireless carriers supposedly ceased selling user location information in 2019, they are now facing fines totaling more than $200 million. T-Mobile is staring down the largest share of the penalty at $91 million. The fines may appear massive. But if we consider that location-targeted advertising is a one of the hottest and fastest growing markets, producing sales into the double-digit billions each year, how much of a deterrent are those fines, really?

Ironically, the FCC is fining mobile phone companies for selling user's location information while making it easier for police to find people through your cellphone data. Yes, their moves may make it easier to find 911 callers, which will undoubtedly save lives. But, we must also ask, at what cost? When that data is being used for so many more purposes beyond emergencies, what will be the consequences?  We have to be cognizant of the potentially negative implications of having our exact locations known at all times.

If you're worried about unknowingly giving your consent for location sharing, you should be. As reported by Kim Komando, data sharing policies are commonly buried in privacy policies and terms of agreements. Providers should never attempt to conceal such important information in their policies; it's a terrible practice that opens them up to reputational and legal risks, and it's simply the wrong thing to do. 

There are things you can do, however. In the same Kim Komando article, the writers offer up eight ways to manually disable geo-tracking on your mobile devices.

noticesYour DNA Today Could Hurt Relatives Down the Line
Society's rules change on a dime 

When law enforcement asked Ancestry.com for access to its genetic database in 2019, the company said no based on the fact the agency's warrant was improperly served. Had it gone through, police officers, and potentially their technology partners, would have gained access to 16 million DNA profiles from potentially unwilling Ancestory.com customers.

What's the big deal, you may be wondering. Don't we want police and prosecutors to have as much help  as possible  solving crimes and convicting guilty people? Yes, of course. But, we need to be wary of overreaching requests for WAY more information on WAY more people than is necessary. 

The CNET article pointed to above does a nice job of summarizing the issue:

[GEDmatch and other genetic genealogy techniques] give law enforcement agencies access to much more genetic information than they typically use when looking at crime scene DNA. Criminal investigators typically create a DNA fingerprint from forensic samples, stripping away all the genetic information that could reveal personal characteristics like hair and eye color or genetic health conditions. With genetic genealogy, investigators need to include that information in order to identify relatives [and trace that to potential suspects].

It's really important to understand that even if DNA companies say no to overreaching law enforcement requests, a court may still force the company to hand it over. If such a precedent is set, effectively overruling promises made by private companies to their private customers,  all companies may soon be compelled to share everything they know about you and the totality of their customer base. 

Another factor complicating matters is consumer apathy. Many people think, "I don't care if a company has my DNA because I haven't done anything wrong, nor do I plan to in the future. And, it might even help cops catch a criminal." 

If you've had these kinds of thoughts, ask yourself, at what point will you draw the line? Would you give away every bit of your private data simply because it could become helpful to someone down the line? Couldn't we argue that the same data could become harmful to someone down the line? Society's rules for civility, respect and decency change on a dime... just look at how quickly daily life was altered thanks to the pandemic. We simply can't predict how our personal data will be used for, or against, us...or our descendants...in the future 

Before you give your DNA to hobbyists with unknown data security and privacy protections, not to mention philosophies around privacy, consider that your DNA is not only yours. It's also your siblings', cousins', kids', grandkids' and great grandkids' DNA. It's not too much of a stretch to imagine that what you share today could haunt them tomorrow.

veinsA Matter of National Security
Chinese hackers caught bypassing 2FA 
 


The group took advantage of vulnerabilities to take over websites across multiple sectors, including aviation, insurance, energy and gambling.  The hackers figured out how to generate valid security passcodes to hack 2FA controls previously thought impenetrable.  As they moved through the systems, they were able to avoid detection by local security software. 

Chinese hackers have come to pose a greater concern than others around the world because of the type of technology that originates in China.  As testimony before the U.S. Congress revealed, "technical vulnerabilities built and owned by Chinese companies abound."


The popular TikTok app, which is owned by China's ByteDance and Apple, is also under fire for suspected risks it poses to American's personal data. Although ByteDance claims to store its data in the U.S., the company is subject to new data privacy laws in China, which were set to take effect this year. 

Any big tech company or data broker that cooperates with foreign adversaries, like the Chinese Communist Party, leave the U.S. with a target on its back and our systems vulnerable to attack. It's important for everyone around the world to be mindful of the apps, gadgets and IoT devices we let into our lives, our homes and our workspaces. Consider where they are manufactured and research who may have access to the data they collect and share. 

PPInewsWhere to Find the Privacy Professor  
  
 

On the air... 

HAVE YOU LISTENED YET? 

Do you have an information security, privacy or other IT expert or luminary you'd like to hear interviewed on the show? Or, a specific topic you'd like to learn more about? Please let me know!

I'd also love for your organization to be a sponsor! Shoot me an email and I'll send you more details.

All episodes are available for on-demand listening on the VoiceAmerica site, as well as iTunes, Mobile Play, Stitcher, TuneIn, CastBox, Player.fm, iHeart Radio and similar apps and sites. 

Some of the many topics we've addressed... 
  • student privacy
  • identity theft
  • medical cannabis patient privacy
  • children's online privacy and safety  
  • applications and systems security
  • cybercrime prosecutions and evidence
  • government surveillance
  • swatting 
  • GDPR
  • career advice for cybersecurity, privacy and IT professions
  • voting / elections security (a series)
Please check out some of my recorded episodes. You can view a complete listing of shows to date, grouped by topic. After you listen,  let me know what you think ! I truly do use what I hear from listeners.

SPONSORSHIP OPPORTUNITIES: Are you interested in being a sponsor or advertiser for my show? It's quickly growing with a large number of listeners worldwide. Please get in touch! There are many visual, audio and video possibilities.

We have current sponsorship openings in three of the four weeks' shows each month. If your organization wants to sponsor one show each month, I will cover topics  related to your organization's business services and/or products.


In the news... 

Advertising Now Available!

Tips of the Month is now open to sponsors. If you're interested in reaching our readers (maybe you have an exciting new privacy product or service or an annual event just around the corner), the Tips email may be just the thing to help you communicate to more people! 

We have a variety of advertising packages to meet every budget. 


3 Ways to Show Some Love

The Privacy Professor Monthly Tips is a passion of mine and something I've offered readers all over the world for since 2007 (Time really flies!). If you love receiving your copy each month, consider taking a few moments to...

1) Tell a friend! The more readers who subscribe, the more awareness we cultivate.

2) Offer a free-will subscription! T here are time and hard dollar costs to producing the Tips each month, and every little bit helps. 
3) Share the content. All of the info in this e mail is sharable (I'd just ask that you follow

 
 
My home office Chief Security Officer, Jesse
This is one of the more unusual times I can recall. It's been incredibly reassuring, though, to see all the positivity and support coming from different corners of the world. It really makes you remember the goodness that exists in most individuals. 

But, as with every chaotic circumstance, there will be people who take advantage of fear and uncertainty. It's my wish that every one of you stays safe from these bad actors, as well as from the pandemic and all the challenges it has brought. 

Take good care of yourselves, make the best of social distancing and have a happy April!

Rebecca
Need Help?


share2Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share  excerpts, as well, with the following attribution:

Source: Rebecca Herold. April 2020 Privacy Professor Tips. www.privacyprofessor.com.

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Infoprivpolicy

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through PrivacyGuidance.com
2) making a request directly to Rebecca Herold; or 
3) connecting with Rebecca Herold on LinkedIn

When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the encouraged communications by LinkedIn, she will send those asking for LinkedIn connections her Tips message monthly. If they do not want to receive the Tips message, LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com. 

If you wish to unsubscribe, just click the SafeUnsubscribe link below.
 
 
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564
View our profile on LinkedIn     Follow us on Twitter