December Tips: Let Us Help You Make Your Holiday Gifts Safe

Why are you getting this? Please read our Privacy Notice & Communication Info at the bottom of this message.

Above photo: Photo by Arantxa Forcada on Scopio

It's The Most Wonderful Time

of the Year!

Can you believe it is almost December? We know you are busy finding the perfect gift for your loved ones and we want to help make them as safe as possible. This month's newsletter covers a lot of great information for buying gifts and good tips when on social media platforms.

Everyone here at the Privacy Professor wishes you and your

family a safe and happy holiday season.

Rebecca

We would love to hear from you!

Did you find the tips we provided useful? Did you like this issue? Do you have questions for us to answer? Please let us know at info@privacysecuritybrainiacs.com.

Two New Flipbooks

Now available

Many of our readers asked us to let them know when the “Volume 5 – Securing IoT on the Go” and “Volume 6 – Securing IoT in Schools, Businesses & Other Organizations” free flipbooks were available. Well, they are now published!

The supporting information for the topics in these flipbooks is located in the lower part of the page at: https://privacysecuritybrainiacs.com/resources/infographics/IoT/.

Our new paperback book, “Cybersecurity for Grandparents (And Everyone Else!): Q4 2021 Edition - IoT Security,” will be available on Amazon, worldwide, in December. It is the second in our series of “Cybersecurity for Grandparents (And Everyone Else!)” paperback books. It contains expanded versions of the flipbooks with additional details, examples, tips, checklists, resources, plus pages throughout to take notes, a glossary and more.

December Tips of the Month

Safe Toys and Gifts Month
Privacy & Security Questions and Tips
Data Security & Privacy Beacons
Privacy and Security News
Where to Find the Privacy Professor

‌

Safe Toys & Gifts Month

Photo by Mohsin Alam on Scopio

December is recognized in various countries throughout the world as Safe Toys and Gifts Month. Many different physical and mental health organizations provide some great tips to consider when choosing gifts for the many holidays that occur in December.

Here are some additional tips to consider for toys and gifts that will provide security in the environments in which they are used and will help to protect the privacy of the toys and gifts users.

If the toy, or another type of gift, is a “smart” gift, make sure the following capabilities are provided:
Any default passwords are required to be changed upon activation of the device.
Strong authentication (e.g., long, complex passwords and multi-factor authentication) is enforced.
Recording capabilities can be completely disabled.
Data can be deleted entirely.
The device manufacturer provides customer service to answer security and privacy questions.
When ordering gifts online, make sure your personal information, and the information of the gift recipient (if you are shipping directly to the recipient), will not be shared with any other third parties without your explicit consent.
When giving gifts involving surveillance, set up a time to connect with your gift recipient and help them set up their device (e.g., security camera, smartphone, fitness tracker, interactive doll, etc.). This will help protect the privacy of your recipient and ensure the gift has the strongest security settings needed for the device.

‌

Privacy & Security Questions and Tips

Rebecca answers hot-topic questions from Tips readers

Thank you for sending in great questions this month. Here are our top 3. We encourage you to send us any of the security and privacy questions you have always wondered about.

Photo by Arantxa Forcada on Scopio

Q: I use facial recognition instead of passwords to log into my accounts on my phone. My brother told me I was throwing away my privacy. Isn’t facial recognition safer than passwords?

A: We love knowing siblings are discussing privacy and security. We wish we had a clear-cut answer for you. However, as with most privacy and security questions, the answer starts with, “It depends…”.

Different types of facial recognition tools can be used for authenticating devices, such as your phone, and into accounts, such as social media sites. The answer depends on a variety of factors:

Who will be accessing the images used for facial recognition authentication? To be properly secure and mitigate privacy risks, the site, app and/or device where you knowingly and explicitly set up facial recognition as your choice of authentication should not be using those images for anything else, only for authentication. If those images will be used for other purposes, this is a significant risk to your privacy.
Will the facial images be strongly encrypted in storage? The answer to this should be yes. If it is no, this is a risk to your privacy.
Will the facial images be used for any other purposes beyond authentication? The answer to this should be no. If it is yes, this is a risk to your privacy.
Do the methods and practices used for facial recognition comply with laws and regulations that apply to where you are located? The manufacturer, app or other vendor site providing the facial recognition authentication method should have an answer to this question in their posted privacy notice and/or security policy. If they don’t, and they cannot or will not answer your direct questions to them about this, it is likely they are not in compliance, and it is a risk to your privacy.
Can you discontinue the use of facial recognition for authentication and remove your associated facial images? You should have the option to discontinue using facial recognition for your authentication method. You should also have the ability to verifiably delete all your associated facial images from the app, cloud, device or other location where your images are stored. If this answer is no, it is a risk to your privacy.

Keep in mind that the answer to your question is for a very specific facial recognition use case for performing authentication into established accounts. Facial recognition is used for a very wide range of other reasons.

While there will be similar risks and controls to mitigate in those other use cases, there are a large number of additional types of security and privacy risks to think about. Those will need to have additional, or different, types of security and privacy controls from the recommendations we provided for authentication via facial recognition.

Photo by Brit Worgan on Scopio

Q: My family and I enjoy those social media quizzes. But, you’ve written about privacy and security risks for these types of quizzes. We are so confused! They don’t all seem bad. How can we enjoy doing those quizzes that our other friends and family are doing but still protect our privacy?

A: We absolutely understand. And guess what? We also participate in some of those online social media quizzes. They can be fun. And the answers given can be very entertaining. The key to ensuring they will not compromise the security of your systems or devices and don’t create unnecessary privacy risks is to stay aware of the risks involved with each question.

As a general rule of thumb, we make sure never to use identity verification information as answers within those often fun, and mostly silly, quizzes. Many of those quizzes are not innocently posted and ask for answers to commonly asked identity verification items. These are often questions that start with, “What was your first…” or, “What was your favorite…” or, “What is the name of…” or, “Where did you…?" So, if you want to have some fun and be silly, go ahead, but only if you are not answering with the same information used for identity verification elsewhere.

Keep in mind that you are not graded for accuracy for your answers during those silly quizzes. For example, if you use the name of your high school mascot, let’s say a roadrunner, for one of your online banking identity verification answers, then never, never, ever, use that as an answer to a similar question for one of those quizzes. Instead, make something up. Your friends and family also participating could make up something too, and you could see who could come up with the funniest mascot. After all, these online quizzes are not scientific, and if they are being used to phish for your identity verification information, you can give them some junk data caches instead.

Q: What search engine do you use?

A: While you did not ask specific to privacy, we will assume that you are asking with this in mind. Whenever you are online, any activity you do will have some degree of activity trail created or tracking involved. In privacy-protecting search engines, this is still necessary to maintain the session and create other types of diagnostic data. For searches that are the most privacy-protecting (they don't log your searches and block most of the sites whose search results are returned), we use DuckDuckGo.

For the most complete searches, but also with the most associated logging and sharing of your searches, Google is still the most comprehensive. We will often use the "incognito" browser in a Chrome browser to block much of the logging and tracking. If you are looking for the most results, and having the searches logged somehow is not a concern, this may be a good option for you.

Bing is a good search engine if you are looking for videos and want larger thumbnail images returned. But it also does a lot of logging.

We also use Twitter to do searches. Even though it is a social media platform, you can often find a lot of useful information there that can't be found with other search engines. Especially for legitimate news sites (but other sites are also returned) and breaking news. Just use the "Search Twitter" field in the upper right corner from within a browser, and in an app, click the magnifying glass icon.

Data Security & Privacy Beacons*

People and places making a difference

Mozilla Foundation for its holiday guide rating tech gifts for privacy practices. Around one-third of the 151 popular connected gifts analyzed by the Mozilla Foundation as part of its annual "Privacy Not Included" shopping guide did not meet security and privacy basic standards. Yikes! This is a very enlightening report and some huge disappointments were revealed for popular gadgets. Be sure to check it out before buying your gifts for others or yourself.

Faith Heikkila for posting a warning about phishing. To help raise awareness of this important topic, Faith shared a phishing email on her Facebook page.

Cybercrime Support Network. Their work is focused on helping individuals and small businesses impacted by cybercrime.

Fight Cybercrime. Helping cybercrime victims through their process of “Recognize, Report, and Recover” after an incident occurs.

DuckDuckGo once more makes our privacy beacons list. Their new “App Tracking Protection for Android” feature is now in beta testing as a part of the company’s standalone privacy-centric mobile browser.

Ben Rothke for his new awareness-raising article, “The top 10 phone scams of 2021.”

*Privacy Beacons do not necessarily indicate an organization or person is addressing every privacy protection perfectly. It simply highlights a noteworthy example of privacy-aware practices.

Privacy & Security News

Visit the PSB News Page often!

We continue to get great feedback on the Privacy & Security Brainiacs (PSB) News Page where we now post often daily pointers to news articles.

The PSB News page contains news grouped by month and by topic. In addition, we are now dedicating a separate news page specific to IoT security and privacy. We curate the news we find of most concern and interest, so you can see the kind of info we pass along to our own clients and employees.

Revisit often to keep up with the news our team finds worthy of mention.

Where to Find the Privacy Professor

See our new Privacy & Security Brainiacs page for our business in the news and speaking events. We have added several new items since the November Tips were published.

Rebecca's Radio Show

If you haven't checked out Rebecca's radio show, Data Security & Privacy with the Privacy Professor, please do. Guests discuss a wide range of

real-world topics within the data security and privacy realm.

Latest Episode

Protecting Aviation Critical

Infrastructure from Cyber Attacks with Cecil Pineda

Tune in to hear a fascinating conversation about the state of cybersecurity in the aviation industry, and how only recently cybersecurity management leadership positions were established. Cecil will also share with us how cybersecurity is significantly underfunded in aviation organizations, and how aviation CISOs can use his advice to increase support for cybersecurity efforts and investments. This and so much more!

Next Episode

Critical Needs for Contact Center Privacy Practices with Jon Bello

The customer contact call center is often the only barrier between access to your product controls, account information and smart device dashboards. This makes it imperative for contact centers to have strong privacy protections in place.

This episode will first air on Saturday, December 4, 2021.

The Privacy Professor | Website

Privacy & Security Brainiacs| Website

Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:

Source: Rebecca Herold. December 2021 Privacy Professor Tips. www.privacyguidance.com.

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Info

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through PrivacyGuidance.com;

2) making a request directly to Rebecca Herold; or

3) connecting with Rebecca Herold on LinkedIn.

When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the encouraged communications by LinkedIn, she will send those asking for LinkedIn connections her Tips message monthly. If they do not want to receive the Tips message, LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com.

If you wish to unsubscribe, just click the SafeUnsubscribe link below.