Global Privacy Control was built to enable users to control how their data is collected, shared and sold. Because trackers that collect as much info about us as possible are hidden within most websites, this is a privacy problem begging to be solved. Here's hoping this solution works and gains a good-sized userbase. There are some large organizations involved, which I imagine provides a lot of support for the initiative.

Canada's Innovation Minister Navdeep Bains has introduced a new law that would, among other things, force an organization to stop collecting data or using personal information if it violates Canadians' privacy. The Digital Charter Implementation Act would complement two of the country's previously established laws, the Privacy Act and the Personal Information Protection and Electronic Documents Act.

Jacinta González and the Dutch privacy group SOMI are doing an excellent job of raising awareness around data analytics firm Palantir's data privacy practices. Jacinta was a recent guest on my podcast Data Security & Privacy with The Privacy Professor. Together, we talked through several issues related to surveillance, including how widespread these privacy-violating practices really are.

The U.S. Internal Revenue Services (IRS) is taking action to protect taxpayer privacy, something desperately necessary as we head into what could be one of the worst years for tax-related identity theft and related fraud. Among the steps the IRS is taking is the masking of sensitive data on business tax transcripts.

Kim Komando always does a nice job alerting consumers to tricks and traps that could cost them financial, reputational or safety issues. In a recent article, the online publication prepared a simple explainer on how to "take back your privacy" from smart TV manufacturers and streaming video channels.

It's easier than ever to find a privacy-friendly gift. Here are 20 great ideas for gifts that can enhance privacy beyond what is provided by the associated devices or products.

Typical SMS text messages can be intercepted and read by third parties. Popular messaging apps like WhatsApp, Signal and Telegram, though, are designed to make messages unreadable by anyone other than the sender or recipient. 

These apps rely on a cipher to convert information into random characters or symbols. It's a good practice, but it's not perfect. Why? Because of the human factor: anyone with the encryption and decryption keys can access the encrypted messages, so if those folks are compromised by social engineers, or they are investigators who have become entrusted to have such keys, that encryption will do no good.

Fortunately, that was the tough lesson learned by the group of alleged conspirators plotting the kidnapping of Michigan Governor Gretchen Whitmer. In their case, law enforcement was able to read what they likely thought were private messages via a confidential FBI informant who was in on the group chats. (BTW, this is proof government-sanctioned encryption backdoors are not necessary; embedding personnel with suspected crime rings has worked successfully for centuries! See below for more on this...)

The key takeaway: Secure messages on your phone can be accessed, with or without an encryption app. Here are just a few of the ways that can happen:

Several misguided groups, countries and individuals are trying to compel tech companies to create backdoors to encryption. Simply put, this is a bad idea. Infiltrating and accessing messages is a much better way to combat criminal activity.

Backdoors are hardly for white-hat use only. Creating a backdoor can enable criminals, just as easily if not more so than law enforcement, to read encrypted files. It's just not worth the risk.

Again, encryption is good, but it's just one layer. Be sure to also deploy classic tactics like the ones regularly emphasized in the Tips Message: Create strong passwords, update them regularly, don't share them with others, lock your devices and never rely blindly on one single technology to keep your data secure and private.

... and why building backdoors into encryption is a very bad idea, see the following from folks who have spent their entire careers studying and actively working with encryption in practice:

On November 12, 2020, the Elections Infrastructure Government Coordinating Council and the Election Infrastructure Sector Coordinating Executive Committees released a joint statement saying, “The November 3 election was the most secure in American history.”

Christopher Krebs, the head of the Cybersecurity and Infrastructure Security Agency (CISA), also clearly explained why it was so secure in an informative interview he gave on 60 Minutes on November 29. Give a listen if you have any doubts about the security and results of the US general election. 

This makes complete sense. For the last four years, Secretaries of State and their teams, as well as a large number of data and cyber security experts who specialize in elections security, have been heavily focused on this election. When the pandemic hit, those teams had an additional hurdle to overcome. Yet, the various challenges of COVID-19 apparently did not deter them from working to ensure Americans were able to vote safely and securely. It’s comforting to learn that different states and federal government agencies of multiple political parties, as well as those who are independent, are saying the security worked – that these four years of ramping up were worth the effort. 

Voter security has been a hotly contested topic, and I’ve devoted numerous radio shows to it. You can listen to any of the episodes on-demand at Voice America or on your favorite podcast app:

I am thrilled to be speaking with Dr. Cheryl Cooper, Cybersecurity Engineer for T-Mobile. Cheryl agreed to be my guest on the latest episode of Data Security & Privacy with The Privacy Professor.

Women and people of color are still a woefully small percentage of the IT and cyber/data/network/applications security workforce. Lack of diversity like this results in weak and flawed IT, security and privacy practices, applications, networks and data protection. Dr. Cooper and I discuss related issues, including:

The episode will air first on Saturday, December 5 at 10am CST and then be available on-demand online and in your favorite podcast app. After you listen in, please share your perspective. I always love to get feedback on the show's topics and guests. It helps our team create even more applicable episodes in the future.

When “Kelvin Cork Morgan” sent me a friend request on Facebook, it appeared at first glance to be legitimate. I'm always open to new connections... after I complete some due diligence, of course.

The first thing I typically do is investigate how long the person has been posting on whatever channel they are asking to connect on. "Kelvin" passed that test. He appeared to have been posting on Facebook since 2018. Next, I checked to see if he had engaged with any online posts that were not his. As I was checking, he actually "liked" a few of my own posts. After that, I checked to see if he had "liked" any groups that would fit where he (purportedly) lives or the posts that he had liked. And, he actually did.

As an additional step, I performed an image search on his profile picture. Wouldn't you know it... "Kelvin's" headshot appeared in multiple places across the web, each with a different name. Either he was a prolific scammer or his picture had been taken over by one. Big red flag.

Not too terribly long after I began providing tips for how "Kelvin" could protect himself, the conversation dropped. When I searched for the "Kelvin Cork Morgan" profile five days later, it was no longer on Facebook. Imagine that...after being an active profile on Facebook for almost three years! I wonder how many people he deceived during that time.

NOTE: As of the publication of this Tips issue, "Kelvin" is back on Facebook with five different profiles, all under the name "Kelvin Cork." Each uses the same photo, but with slightly different info about himself. And, at least one of these profiles contain likes and comments from folks in India, where many catphishing scams originate.

I've notified Facebook about these accounts. Appears the catphishers really like this man's photo, and the name "Kelvin Cork"!

Aside from the relatively "normal" conversation this catphishing artist and I had, another thing stood out to me. "Kelvin" had been liking a few of my posts for several days before asking to connect. He'd also posted to groups and pages I frequent. That's a lot of time to invest in a catphishing scam, and a pretty strong indication of the return on investment these con artists get from their tactics.

As we go into the holidays and people are feeling especially open (or lonely), it's really important to have your guard up against friend requests from people you don't know. Trust your gut, perform your due diligence following the steps I recommend above... and never connect until you are satisfied the individual is legitimate. 

The global outbreak of COVID-19 changed so many things it's difficult to keep track. From health worries to work-from-home to financial stressors, scammers have several new areas of exploitation through which to lay their traps. Read on for just a few of the emerging risks presented by the "new normal."

Drug Infusion System Flaw Could Lead to Attack: Newly discovered authentication weaknesses open healthcare systems up to denial-of-service attacks. During a time when the system is already overly taxed by the pandemic, this kind of cyber assault could lead to serious implications for patients, perhaps even death. This is one more reason it is so critical to have information security experts on staff or helping hospitals and clinics during this time when our over-worked and brave front-line healthcare workers are depending heavily on many networked devices to support saving their patients. Especially when ransomware attacks against healthcare providers are also increasing dramatically.

Tips to SEC Surge as Working From Home Emboldens Whistleblowers: With more people working remotely, they have a potentially false sense of privacy. Lawyers believe this is contributing to the 35% increase in complaints and referrals of possible corporate wrongdoings the SEC received from mid-March to mid-May 2020. Do your work from home information security and privacy policies cover these issues?

US Government Clears Debt Collectors to Go After Americans through their Social Media Accounts: Your next friend request could be from an agency collecting on an unpaid medical bill or car payment. Keep this in mind, however: The new law allows you to direct a bill collector not to use social media to contact you. If you do, they must stop. And, if you want to take an additional step, you can report the incident to your State Attorney General's office and the SEC. 

I use different, strong passwords for every site. I know 2-factor authentication is even more secure. However, how do I know when the added security is worth the effort?

Perform a quick risk assessment. Ask yourself, if someone got into the account, how much damage could they do?

Would they be able to access your personal data, which may lead to identity theft and fraud? Could they determine your location, putting your physical security at risk? Might they even be able to change your data, resulting in erroneous medical or financial records? Would they be able to steal your money or other assets by siphoning them from your accounts to theirs?

What do you think of LastPass?

I recommend offline password managers instead.