A 'Sign' of the Times

Cyber crime, online scams and other digital threats get so much attention, we often forget about other risks to our privacy, especially those in the physical realm. That's why I was so excited to see this sign posted on our recent trip to Grand Teton National Park. It reminds (or informs for the first time) park-goers of the risks presented by drones commonly flown in the area. 

The sign addresses the trifecta of risk: safety, security and privacy. Out-of-control drones can injure people; threat actors use drones for all kinds of nefarious deeds; and on-board video cameras can capture private moments. 

Naturally, I love the awareness the sign attempts to raise; it's very nice to see such efforts within our national parks. It's a sign of the times... a stark reminder that privacy and security risks are everywhere.

We have more on drone privacy, and other places with inherent security and privacy risks below. Keep on reading!

I hope you enjoy the pics from my recent trip to Boise, Idaho, for the NIST Privacy Workshop No. 3. This was taken in the Craters of the Moon Lava National Monument in an area known as The Devil's Orchard.

Data Security & Privacy Beacons
People and places making a difference**

Have you seen an organization or individual taking actions to improve privacy? Send me a note to nominate a privacy beacon of your own!

A Tips reader sent me a note (Thank you!) to recommend TRUSTe/TrustArc in Europe as a privacy beacon. According to her, TRUSTe/TrustArc has done an outstanding job with its cookie notices. In her opinion, the company does a great job spelling out for site visitors which cookies are strictly necessary, as opposed to which are for traffic analytics, for personalization of content or for targeting of ads. In addition, they provide a button to say "NO" to any cookie that isn't necessary for technical reasons.

The city of Ontario has established a data strategy that prioritizes "thoughtful and robust protections for the privacy and personal data of all Ontarians." This comes after a survey of citizens revealed 83% of respondents believe data about people and businesses in Ontario need stronger protection. Time will tell how successful they will be. However, if this starts a trend among governments promoting privacy for their citizens, it could be a great bellwether of such moves, despite their individual success. 

The FTC has increased enforcement against false claims of participation in Privacy Shield and other privacy frameworks. This is good. I've seen many organizations that simply post that they are participating in Privacy Shield as a marketing ploy without actually taking any steps to follow the framework. That type of deception should be uncovered and sanctioned. 

Kudos to the group of privacy experts and legislators that have demanded an investigation of Amazon's child data protection practices. There are concerns that Amazon's Echo Dot Kids Edition violates COPPA, the Children's Online Privacy Protection Act. Advocates for children's privacy and others believe the violations mainly center on failing to provide parental notice and obtain parental consent for online services. 

**Privacy beacon shout-outs do not necessarily indicate an organization or person is addressing every privacy protection perfectly throughout their organization (no one is). It simply highlights a noteworthy example that is, in most cases, worth emulating.
I love how flowers thrive within the rocks at Moon Lava National Monument.
You Can Make Privacy History
Global privacy standards are being written right now. Speak up!

NIST, the U.S. National Institute of Standards and Technology, is asking for your help -- yes, you. Regardless of your industry, profession, level of experience or expertise, NIST wants your feedback on the privacy framework it is currently developing.

The framework will eventually serve as a voluntary tool for organizations to better identify, assess, manage and communicate about privacy risks. The idea is to create a tool, with a wide range of guidance, for all sizes and types of organizations to use within their privacy programs to create services and products that will allow individuals to enjoy the benefits of innovative technologies with greater confidence and trust.
The NIST Privacy Framework: An Enterprise Risk Management Tool is nearing V1.0 release, but NIST still wants your input! 

Feedback from public and private sector stakeholders has played a key role at each milestone throughout the development of the framework, and NIST continues to seek your input as they reach for the framework finish line. 

Here are some upcoming events. They are free to attend and will share more than what is currently on the NIST site:
  • "Roundtable Discussion on the NIST Privacy Framework." Thursday, August 15, 2019, 2:00 PM - 3:30 PM PT | San Francisco, CA. The Providence Group and Reed Smith LLP invite you to join the National Institute of Standards and Technology (NIST) for a roundtable discussion on the Privacy Framework.
  • "NIST Privacy Framework: V1.0 is Coming!" Wednesday, September 25, 2019, Tampa, Florida, 4:00 PM - 5:00 PM ET. Attend this session for a closer look at the latest framework draft from NIST, and to share your feedback and insights to help inform the development of Privacy Framework Version 1.0.  
I am happy to be part of the NIST Privacy Framework development team and was thrilled to be both a facilitator and panelist at the most recent public workshop on the framework at Boise State University. You can see the final recap video from the panel in which I participated on my Facebook page. You can see all the videos and other materials from that event on the NIST website.
Have you provided feedback to NIST yet? Please do! It's easy. Simply review the most recent materials and drafts on the Workshop #3 site. (For full context, you can also review materials from the general NIST Privacy Framework website.) After reviewing, send your feedback to PrivacyFramework@NIST.gov. You can also use this email to request a meeting or event with NIST to discuss the Privacy Framework.

Visitors descending from the peak of a huge lava ember mound.
Popular App's Terms of Service Makes Waves
Language in FaceApp's terms raises privacy and security concerns.
There is still heated debate about whether FaceApp is a tool of the Russian government. In addition, many in the data privacy and security community are concerned about language in the app's Terms of Service. As reported by CNN:

In one densely-worded section, the company informs users that they "grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you." 

Translation: FaceApp can effectively do what it wants with your selfie.

Truth be told, that language is far from unusual. And I've noticed a troubling trend in how app makers, and actually a large portion of other types of organizations, are writing their privacy notices. They are often buried in their Terms of Service.

ISACA invited me to write an article about this, which I will point to in the September Tips. And who knows... there may be even more new developments in the growing controversy of how apps are using images, recordings and videos to share in September, as well.

Most users of "fun" apps like FaceApp, and generally other technologies, rarely read through the Terms of Service. Imagine how dramatically the number of privacy breaches could drop if more people asked app developers and technology providers to do a better job of protecting their privacy!

What's the big deal?
If you're wondering why giving FaceApp and similar apps rights to your photos and personal data is so risky, take a look at PBS's round up of 3 privacy concerns:
  1. Your photos may be sent to, stored and possibly used in other countries, like Russia. There are very real concerns about nation-state cybersecurity throughout the world. A huge repository of photos, even from a single app, may be very useful for malicious purposes. Consider the great number of people who use images of their face to unlock devices and access websites.
  2. Hackers may be able to use facial data to break into financial accounts.
  3. The open-ended language in FaceApp's Terms of Service could allow the app provider to use the photos and data any way they want.
One of the many hot springs in Yellowstone National Park, Wyoming.
Diverted benefits checks are just one of the many consequences.
Have you ever wondered what cyber criminals and identity thieves do with stolen Social Security numbers? This Washington Post columnist's story demonstrates just one of the many malicious acts committed by crooks in possession of this valuable personal data. 

Below is just some of the tale told by 73-year-old journalist Robert J. Samuelson. His story begins with a snail-mail letter from the Social Security Administration that read:

"On June 28, 2019, you successfully created an online account with the Social Security Administration." 

... seemed innocuous, except for one troubling detail: I didn't create an online account with the Social Security Administration.

...I decided to call the 800 number in the letter. The woman who answered was courteous and helpful. Yes, my personal data had been altered so that my monthly benefit would be diverted to someone else's bank account, not mine. She reinstated the correct address and put a "block" on the account, meaning that unless I visited an SSA office, my personal information could not be changed.

...Just how my personal data was altered remains a mystery to me...We do know some things, however.

...The number of reported data breaches - hostile penetrations of computer networks - has soared from 421 in 2011 to 1,579 in 2017, according to the Identity Theft Resource Center. Each breach in turn may contain data on millions of people. The breach in 2017 of Equifax, a major credit bureau, is widely regarded as a bonanza for cyberthieves because it contained personal data on more than 147 million people.

...So, be forewarned. This is the Internet's new normal.

Be Suspicious

It's important that consumers be wary of any communication that claims to come from the Social Security Administration (SSA), especially phone calls, as the Federal Trade Commission warns.

In this day and age, it's critically important to verify the legitimacy of any email, call, text or snail mail requesting your personal data. In the circumstance above, the journalist dutifully compared the letter he'd received to others he'd received in the past. He also verified the legitimacy of the phone number contained in the letter by checking the SSA's website before calling. Kudos to Mr. Samuelson!
The water in the Sawtooth Mountain streams in Idaho was so clear and such a beautiful blue-green.
Are You Entitled To a Piece of the Equifax Breach Settlement?
Millions of Americans offered credit monitoring or $125 cash.
Because the Equifax breach of 2017 impacted nearly half of all adults in the U.S., it's important to see if you're eligible for the settlement fee the company will pay to victims. (While my family members and I were not eligible, chances are pretty good you are.)

Here's how to find out... 

1. Use Equifax's online look-up tool to see if your data was compromised. 
2. If the tool discloses that your information was among the stolen data, follow the prompts to file a claim. 

Be aware, however, that victims who file a claim also give away their rights to sue Equifax at a later date. Remember, it often takes years for stolen personal data to manifest as identity theft. 

Yes, it's ironic. 

The irony of Equifax requiring consumers to provide two pieces of personal information via their website to determine if their data was part of their breach is not lost on me. Hopefully this data is more stringently protected. 

If you find the request for your personal information too privacy-invasive (and you are okay potentially passing up 10 years of free Equifax credit monitoring or a one-time $125 payment), don't submit your information online. You might try calling Equifax. However, a couple of Tips readers who tried that told me they were instructed to use the website submission form, despite their privacy concerns with the form.

Know that you can also file an opt-out by Nov. 19, 2019, if you were impacted and do not want to participate in the settlement.

Take action soon. 

Be sure to consider all of your options, but make sure you do something. The deadline to file a claim for this settlement is January 22, 2020.

According to CNN, if those who were impacted do nothing, they relinquish the right to sue Equifax in the future and give up on the $125 or 10 years of free credit monitoring provided by the settlement.

Fresh Phish: Spoofed USAA Insurance Email
I received the message below in May.

Did you spot the red flags? Here are seven I found:
  • There is no USAA.Customer.Service@ mailcenter.usaa.com email listed on the USAA site, and there would not be a blank space after the @ sign in a valid email address.
  • The domain mailcenter.usaa.com is not even a valid domain. 
  • The email came from "soft.com" not USAA.
  • There are no numbers shown in the "ending in:" section.
  • "Preferences" is misspelled.
  • When hovering my mouse over the "Sign on to Validate" link, the URL displayed points to a completely wacky looking Australian domain.
  • The USAA logo is not shown consistently. That's a big no-no among legitimate corporations. 

Another dead giveaway this is a spoof? I don't have USAA insurance! 
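Several of the red flags above (a space after the @ sign, a sender domain that is not the brand's, a "Sign on" link pointing somewhere unrelated, and an empty "ending in:" field) can be checked mechanically before anyone clicks. The checker below is an added example, not something from the original Tips message or from USAA; the message it inspects is constructed to mirror the flags described, and the link host is a placeholder.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the red flags listed above. It is not the real
# spoofed USAA email; the sender and link hosts are placeholders.
SAMPLE_PHISH = """\
From: "USAA.Customer.Service@ mailcenter.usaa.com" <noreply@soft.com>
To: reader@example.com
Subject: Action required: validate your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>USAA member, the card ending in:  requires validation.</p>
<p><a href="http://validate-login.example.com.au/usaa">Sign on to Validate</a></p>
<p>Manage your Prefrences</p>
</body></html>
"""


def _under_domain(host: str, brand: str) -> bool:
    """True when host is the brand domain or one of its subdomains."""
    host, brand = host.lower(), brand.lower()
    return host == brand or host.endswith("." + brand)


def find_red_flags(raw: str, brand: str = "usaa.com") -> list:
    """Return plain-language red flags found in a raw RFC 5322 message."""
    found = []
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))

    # 1. A space after the @ sign is never valid in a real address; a display
    #    name shaped like an address is a lure.
    if "@" in display and re.search(r"@\s", display):
        found.append("display name imitates an address with a space after @")

    # 2. The real sender address must be under the brand's own domain.
    sender_host = addr.rsplit("@", 1)[-1]
    if not _under_domain(sender_host, brand):
        found.append(f"sender domain {sender_host!r} is not under {brand!r}")

    # 3. Every link target should also sit under the brand's domain.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    for href in re.findall(r'href="([^"]+)"', html, flags=re.I):
        host = urlparse(href).hostname or ""
        if not _under_domain(host, brand):
            found.append(f"link points to {host!r}, not {brand!r}")

    # 4. "ending in:" with no digits means the sender does not know your account.
    text = re.sub(r"<[^>]+>", " ", html)
    m = re.search(r"ending in:\s*(\d*)", text, flags=re.I)
    if m and not m.group(1):
        found.append("'ending in:' shows no account digits")

    return found


if __name__ == "__main__":
    for flag in find_red_flags(SAMPLE_PHISH):
        print("RED FLAG:", flag)
```

The misspelling and the inconsistent logo are not checked here; those still need a human eye, as does the simplest test of all: whether you are even a customer.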

6 Privacy Tips You Should Know
Keep control of your personal data (in places not often top of mind) with these pointers.
How to Make Amazon Echo and Google Home As Private as Possible: How to tighten the reins on what Alexa, Google Assistant and Siri hear. When was the last time you checked your settings?

How to Use Google Privacy Settings: It may be a good time to update your account's privacy protections. When was the last time you checked your settings?

Protect Yourself at Work: A Minnesota police officer was awarded a $585K judgement after her colleagues snooped on her Department of Motor Vehicles data. If you see something, say something... to your information security or privacy officer, or your manager, depending on the situation.

Understand Laws Protecting Your Trash Can's Security: The Oregon Supreme Court ruled that police can't rummage through your curbside garbage without a warrant. Always finely shred papers and destroy other types of materials you throw away (e.g., DVDs, CDs, USB drives, etc.). A wide range of folks, including criminals, love to take what they see as valuables from your throw-aways. (Mark Zuckerberg realized this recently after garbage pickers started selling the tech billionaire's trash.)

Be Aware of Public-Area Surveillance: A company called Louroe Electronics makes a system that places microphones in public areas and uses computers to listen in. It alerts law enforcement when human voices are expressing aggression. This is just one of a growing number of surveillance tools being implemented in cities throughout the world.

Know More about Your Schools' Surveillance: A variety of digital student monitoring systems that claim to deter violence, prevent suicide and other incidents are ushering in what New York Times columnist Charlie Warzel calls a K-12 surveillance state.

Different Perspectives on Drone Privacy
Where do you fall on the drone privacy spectrum?
Drone privacy is being discussed more and more... both for and against privacy laws, regulations and rules. Here are three articles representing vastly different perspectives and viewpoints about drones, privacy and other issues. What are your thoughts?

All of this lava came from a silent, flat volcano approximately 6,500 years ago. It oozed out of hole-in-the-ground craters.

Do security systems track movements inside your home? 
Our ADT security system has two settings: Stay and Go. The internal motion sensors are only activated when the Go setting is engaged. But, I was curious, are those motion sensors like Alexa and other "always listening" technologies? And if so, how do security companies use the data generated from the sensors?

Great question!
The answer depends upon a couple of things: 1) the type of camera that is being used (not all ADT hardware is the same); and 2) how the homeowner has his/her settings established.
There is an "Automation" section where the homeowner can choose the triggers and events that they want to initiate recordings. There is also an "Active" setting to choose when these triggers will actually be initiated.
What I was told by an ADT customer call center rep was that if Active is set to "Always," the logging/recording will always occur when triggers and events within your established settings occur. However, the rep assured me there was no other recording taking place if the settings indicated not to record except for certain events/triggers. I have not yet confirmed this with the information security or privacy officer at ADT, but I've put this on my to-do list to follow up on.
So, it is up to each homeowner to make sure they know 1) the type of hardware they are using; 2) the different capabilities for the service to which they've subscribed; and 3) to check the settings upon initiating the service, and then check them again every month or two to make sure that the settings didn't get changed as a result of a systems update, by someone else in their home, etc.

Where to Find the Privacy Professor

On the road...

Here are a few of the places I'll be speaking, hosting or teaching courses on data security and privacy over the next few months. If you're in the area or attending the events, be sure to say hello. 

September 5, 2019: Lunch keynote, "Corral Your Data or You'll Stampede Over Privacy," at FutureCon Des Moines CyberSecurity Conference, Des Moines, Iowa, USA

September 12, 2019: Keynote address, "Strategic Security Moves to Win Emerging Privacy Challenges," at 34th Annual SoCal Security Symposium, hosted by ISSA Orange County, Costa Mesa, California, USA


October 24 & 25, 2019: Giving two talks at PwC Cybersecurity Day and then a half-day workshop the next day, in Luxembourg City, Luxembourg

If you're looking for an experienced speaker who knows how to bring data security and privacy risks to life... on stage, on the airwaves or over the internet, please get in touch.

On the air... 


I'm so excited to be hosting the radio show Data Security & Privacy with The Privacy Professor on the VoiceAmerica Business network.

I took a break in recording shows over the summer, but new episodes will start airing again in September. I'd love for your organization to be a sponsor! Shoot me an email and I'll send you more details.

All episodes are available for on-demand listening on the VoiceAmerica site, as well as iTunes, Mobile Play, Stitcher, TuneIn, CastBox, Player.fm and similar apps and sites. 

Hear the perspectives of incredible guests as they talk through a wide range of hot topics.

Some of the many topics we've addressed... 
  • identity theft
  • medical cannabis patient privacy
  • children's online privacy and safety  
  • applications and systems security
  • cybercrime prosecutions and evidence
  • government surveillance
  • swatting 
  • GDPR
  • career advice for cybersecurity, privacy and IT professions
  • voting / elections security (a series)
Please check out some of my recorded episodes. You can view a complete listing of shows to date, grouped by topic. After you listen, let me know what you think! I truly do use what I hear from listeners.

SPONSORSHIP OPPORTUNITIES: Are you interested in being a sponsor or advertiser for my show? It's quickly growing with a large number of listeners worldwide. Please get in touch! There are many visual, audio and video possibilities.

We have current sponsorship openings in three of the four weeks' shows each month. If your organization wants to sponsor one show each month, I will cover topics related to your organization's business services and/or products.

In the news... 

Monthly Tips Message Syndication

Please reach out if you'd like to repost the Tips message with proper attribution, as the outlets below have done.  

Recent awards / honors

I was honored to be included in the new book, "Women Know Cyber: 100 Fascinating Females Fighting Cybercrime," published by Cybersecurity Ventures and co-authored by Steve Morgan and Di Freeze.

Check out the free online PDF or find the hard copy (that's mine to the left!) in major online bookstores.

Advertising Now Available!

After repeated requests from some exciting brands, we've decided to open Tips of the Month up to sponsors. If you're interested in reaching our readers (maybe you have an exciting new privacy product or service or an annual event just around the corner), the Tips email may be just the thing to help you communicate to more people! 

We have a variety of advertising packages to meet every budget. 

3 Ways to Show Some Love

The Privacy Professor Monthly Tips is a passion of mine and something I've offered readers all over the world since 2007 (Time really flies!). If you love receiving your copy each month, consider taking a few moments to...

1) Tell a friend! The more readers who subscribe, the more awareness we cultivate.

2) Offer a free-will subscription! There are time and hard dollar costs to producing the Tips each month, and every little bit helps.

3) Share the content. All of the info in this email is sharable (I'd just ask that you follow

I hope those of you experiencing the dwindling weeks of summer are able to get out and enjoy the nature in your neck of the woods. 

Just remember to be on guard against the risks... security and privacy threats are everywhere. 

That's no reason to get down, however. With a bit of extra diligence and awareness of your surroundings, we are just as capable of experiencing the world's beauty today as we may have in "simpler" times. 

Have a beautiful and safe August!

Need Help?

Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:

Source: Rebecca Herold. August 2019 Privacy Professor Tips. www.privacyprofessor.com.

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Info

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through PrivacyGuidance.com
2) making a request directly to Rebecca Herold; or 
3) connecting with Rebecca Herold on LinkedIn

When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the encouraged communications by LinkedIn, she will send those asking for LinkedIn connections her Tips message monthly. If they do not want to receive the Tips message, LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com. 

If you wish to unsubscribe, just click the SafeUnsubscribe link below.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564
