It's That Time of Year Again
Opening a fresh new calendar is especially exciting for privacy people like me. That's because international Data Privacy Day is celebrated each year on Jan. 28. It's officially less than a month away! What will you do to mark the day?
I'm thrilled to announce a couple ways we're observing the now 11-year-old holiday. For starters, we will be announcing our first ever Privacy Hero of the Year in this very issue.
Second, our state's head legislator, Iowa Governor Kim Reynolds, has declared Jan. 28, 2019, to be Iowa Data Privacy Day. This hyper-local recognition of a global awareness initiative is a very special acknowledgement we've been successful at securing for nine consecutive years.
This monthly email is one of several ways I'm proud to raise awareness of data security and privacy issues, concerns and trouble spots. This year, I'd love to make it even more relevant by incorporating feedback from you. So, shoot me a quick note to let me know which topics you'd like me to cover in 2019. I may address them here, cover them on my weekly radio show or explore them in several keynote addresses I'm scheduled for throughout the coming year.
Yet Another Facebook Bug Uncovered
Private photos made available to app developers
Facebook's in hot water again. This time for exposing the private photos of millions to a sea of app developers.
Among those photos exposed are ones users uploaded, but for whatever reason, decided not to post. (Yes, Facebook still has access to those!)
The trouble spot... again... stemmed from the "Sign In with Facebook" feature, which allows users to create accounts on third-party sites using their Facebook credentials.
TIP: DO NOT USE "SIGN IN WITH..." FEATURES.
Data security and privacy experts advise against using "convenience" features like "Sign in with..." because it flies right in the face of another no-no. We tell consumers NEVER to use the same password more than once. Using "Sign in with" shares your passwords across multiple accounts.
The other thing that often happens when you grant a third party app permission to access your sign-in credentials is that third party can also see the data you've uploaded to the initial site. In this case, a Facebook bug allowed app developers to see a broader range of Facebook photos than are typically allowed.
How to tell if your photos were exposed
Anyone curious to see if they were impacted by the Facebook bug can check by logging into Facebook and then visiting the page Facebook has set up for this purpose. It will tell you which apps may have had access to your photos.
Privacy Hero 2018: Tara Taubman-Bassirian
Two privacy champions gather votes from community
We've tallied the votes from our Privacy Hero of the Year poll, and the results are in...
Tara Taubman-Bassirian is the winner!
(Big thank you to the community of voters for participating in our first ever Privacy Hero of the Year initiative.)
For those who may have missed our profiles on Tara and Philip, here are the recaps...
Tara Taubman-Bassirian: Early adopter learns tech so she can teach others
Tara goes by many titles: lawyer, advocate, mediator, researcher, consultant, speaker and writer. With incredible expertise in areas like privacy, intellectual property and data protection, she has made a name for herself in several areas of the world, most notably the UK, France and the US.
An early adopter of emerging technologies, Tara makes it her business to understand intimately the challenges presented by regulations in the era of high connectivity. This year, the EU GDPR was a heavy focus for Tara. This is how she has become a trusted advisor to individuals and businesses looking to navigate the legal pathways to justice in the Internet age.
Tara is heavily involved in raising awareness around privacy issues, rights and regulations. She is a member of ICANN's Noncommercial Users Constituency, the European Network and Information Security Agency (ENISA) and the Society for Computers and Law. She co-authored "Online as Soon as It Happens" and is a volunteer mediator for Mediation North Surrey, where she extends community mediation to copyright conflict resolution.
A few years back, Tara and I co-founded the Facebook group Fly a Kite, dedicated to coping with and eradicating cyber-bullying, something near and dear to the two of us.
Philip R. Zimmermann: Creator of "Pretty Good Privacy" (PGP) encryption
The first personal encryption tool I ever used back in the early 1990s was PGP, developed by Philip R. Zimmermann. The free solution effectively democratized high security for individuals and small businesses, which prior to PGP's development simply couldn't afford to encrypt sensitive and personal data.
Philip is also the author of a favorite quote of mine: "If privacy is outlawed, only outlaws will have privacy."
In 1991, after Philip published PGP for free on the internet and it began to spread worldwide, he became the target of a three-year criminal investigation. The U.S. government alleged he had violated U.S. export restrictions on cryptographic software. Thankfully, the case was dropped in early 1996.
Philip went on to become an advisor and consultant to PGP Corporation, which was ultimately acquired by Symantec in 2010. For the last 15+ years, his focus has been on secure telephony for the internet. He developed the ZRTP protocol, as well as Silent Phone and Zfone, and co-founded Silent Circle, a provider of secure communications services.
Rightfully so, Philip has received numerous honors and awards. In 2014, he was inducted into the Cyber Security Hall of Fame, and Foreign Policy Magazine named him one of the Leading Global Thinkers of 2014. The next year, Philip received the U.S. Privacy Champion Award from the Electronic Privacy Information Center.
Privacy Votes Highlight 2 Big Privacy Issues
What's behind your choices
While the Privacy Hero of the Year voting results were not scientific, I did find it interesting that our winners were so closely associated with two very big issues in privacy advocacy: GDPR and encryption.
Around the globe, organizations are facing immense pressure to address the EU GDPR. Tara Taubman-Bassirian has been providing exactly that to many, and it's clear from the active participation in our poll, they are grateful.
Long valued for protecting our data and privacy, encryption is another tool that has inspired gratitude among many. And while PGP was introduced almost 28 years ago, there are still many grateful for his leadership in promoting the need for strong encryption tools with no back doors.
The results of our poll were based on those who took the time to express their gratefulness to these specific individuals. It certainly does not take away from the great achievements of the others nominated for this honor. I personally admire and greatly appreciate each of them.
I believe initiatives like this help to establish a type of barometer for what is important to individuals at a given point in time. Today, having a comprehensive privacy regulation to protect the privacy of individuals and having strong, effective tools anyone can use to protect their own data are priorities (at least among our readers!).
2 FTC Alerts That Should Get Your Attention
Attackers set sights on your SSN and your Netflix account
The U.S. Federal Trade Commission (FTC) is warning of two winter-time scams. Take a look and then spread the word!
Scammers Impersonate Netflix
The below screenshot came to the FTC from police in the U.S. state of Ohio.
Clever timing on this, as people are hunkered down for couch time with loved ones. If you were planning a night in with Netflix and this came through, you might be very likely to click.
But, if you did, you may find yourself keying credit card information into a fake website and directly into the hands of greedy cybercriminals, ready to use those accounts for themselves or sell them on the dark web to potentially hundreds of other crooks.
TIP: If you get a notification about problems with your payment details, check it out independently. Navigate to the website of the company in question on your own, WITHOUT clicking on an email, text or sharing with a person who calls you on the phone. Hang up and contact the company directly.
Scammers Impersonate Social Security Administration (SSA) Officials
More than 35,000 people were contacted by fake SSA officials in 2018. In total, these victims lost $10 million to the scam.
The FTC has posted audio of one such scam. I've also received (and recorded) similar scams, which I've posted on my website. Go have a listen so you are ready if similar calls come your way.
Some red flags and other things to know:
- No government agency of any kind will call you to threaten arrest.
- Your social security number cannot be "suspended."
- Your bank account will never be seized by the SSA.
- No one will ever ask you to verify your entire SSN via phone.
- The real number for the SSA is 800-772-1213.
- SSA will never call to threaten your benefits.
Limiting what Alexa, Siri and Google know about you
The Alexa companion app was the most downloaded app on Christmas Day, indicating just how many smart home devices were gifted during this holiday season.
Using voice recognition technology to control our homes, make purchases, play music, find directions and answer our most burning questions is certainly convenient. But, that convenience comes at a price -- namely unfettered access to our voice data and associated behaviors, as well as any sound or conversation in the vicinity.
To limit that access, it's a good idea to remove your voice command and search histories from the growing variety of virtual assistants you access throughout your day. Here's a quick round-up of how to do exactly that from three popular companion apps:
Amazon Alexa: In the Alexa App > Settings > History > Delete Voice Recordings
Apple HomePod: Apple erases "Hey, Siri" voice commands after analyzing them, so users of Apple HomePod do not need to delete any stored history. Keep an eye on this, however, as companies often change their privacy practices.
5 Easy Ways to Celebrate Data Privacy Day
Ideas from the National Cyber Security Alliance (and one from me)
The Harm in Taking Social Media Quizzes
Before you take one of them, consider this...
Identity theft is probably the last thing on your mind when taking an online quiz like "What Spirit Animal Are You" or "What Food Matches Your Personality." But, according to Prevention magazine, it's a very real risk.
Scammers create these quizzes by asking standard "security" questions, such as your favorite teacher's name, your childhood best friend or your first car. Your answers get added to other information they know about you, like your Facebook username or your mobile number. It's then sold on the dark web, where cybercriminals maintain databases full of personal information. As they learn more about you, your profile becomes more usable, and therefore more valuable.
TIP: Use fake information when answering security questions. That way, if you ever get tricked into revealing the real answers in an online quiz (or other scam), the crooks will have a much harder time hacking your accounts.
How to Prevent a Breach: Bouygues Telecom
Mergers and acquisitions often increase security vulnerabilities
Each month in 2019, we'll take a look at a different breach and talk through the ways it possibly could have been prevented. This month, we're exploring the Bouygues Telecom breach announced this week.
The timing of the breach is key in this case. Bouygues Telecom says the vulnerability originated during the merger of Bouygues Telecom and B & You. As various IT systems came together in 2015, a series of tests was run by personnel. During those tests, the code requiring authentication on the website was deactivated. Unfortunately, the code was not reactivated after the tests were completed.
Human error strikes again.
So, what are some of the steps that could have been taken to prevent this breach?
- Implementation of more rigorous change controls.
- More thorough testing of software changes.
- Independent oversight of changes (by someone other than the person making the changes).
- Documented policies, procedures and training around software changes and testing.
Understanding risk factors is also incredibly important to preventing unauthorized access to customer data.
This incident was rife with inherent security risks:
- Mergers and acquisitions, during which security and privacy vulnerabilities are often overlooked... or created.
- A contractor (third party) is given access to personal customer data to perform software changes.
- Authentication requirements are disabled for any length of time.
- A worker simply forgets to turn authentication requirements back on and is not covered by another individual or supervisor.
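The Bouygues scenario above is a configuration switch that was flipped for testing and never flipped back. As an added illustration (not Bouygues Telecom's code; the endpoint, config fields and token are constructed), here is a minimal customer-data handler with two controls that turn that silent mistake into a loud failure: a startup guard that refuses to run with authentication disabled outside a test environment, and a regression check a reviewer can run as part of change control.

```python
# Added illustration, not Bouygues Telecom's code: a minimal customer-data
# endpoint whose authentication check can be switched off for testing, plus
# two controls that make "forgot to turn it back on" fail loudly.
from dataclasses import dataclass


@dataclass
class AppConfig:
    environment: str = "production"   # "production" or "test" (constructed names)
    require_auth: bool = True         # the switch left off in the incident


def validate_config(cfg: AppConfig) -> None:
    """Startup guard: refuse to run with auth disabled outside a test environment."""
    if not cfg.require_auth and cfg.environment != "test":
        raise RuntimeError(
            f"require_auth=False is not allowed in environment {cfg.environment!r}")


def startup_allowed(cfg: AppConfig) -> bool:
    """True if validate_config() accepts this configuration."""
    try:
        validate_config(cfg)
    except RuntimeError:
        return False
    return True


def handle_request(cfg: AppConfig, headers: dict, valid_tokens: set) -> tuple:
    """Return (HTTP status, body) for a request to a customer record."""
    if cfg.require_auth:
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if token not in valid_tokens:
            return 401, "authentication required"
    return 200, "customer record"


def auth_regression_check(cfg: AppConfig) -> bool:
    """Change-control test: an anonymous request must be rejected with 401."""
    status, _ = handle_request(cfg, {}, {"constructed-valid-token"})
    return status == 401


if __name__ == "__main__":
    left_off = AppConfig(environment="production", require_auth=False)  # the bug
    restored = AppConfig(environment="production", require_auth=True)   # the fix
    for name, cfg in (("left_off", left_off), ("restored", restored)):
        print(name, "startup allowed:", startup_allowed(cfg),
              "regression check passes:", auth_regression_check(cfg))
```

Running the script shows the "left_off" configuration failing both controls and the "restored" one passing both; wiring either check into a deployment pipeline gives the independent oversight the list above calls for.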
Where to Find the Privacy Professor
In the classroom...
After years of providing a regularly updated set of online employee training modules for my SIMBUS business clients, and on-site certification teaching for IAPP, I'm excited to now also be teaching online IAPP-approved CIPP certification classes.
As an instructor for AshleyTrainingOnline, an IAPP-registered certified training partner, I host a range of classes for businesses, groups or teams.
Do you have a group for which you'd like to coordinate training? We can often arrange a discounted price for organizations and associations based on the number you have participating.
Hope to see you in the virtual classroom sometime soon!
I also teach CIPM and CIPP/US classes, so if you are interested in those, let me know!
On the road...
One of my favorite things to do is visit with leaders in different industries - health care and managed systems providers to insurance and energy (and beyond). So far, I have tentative appearances set for February, May and June 2019. Watch for dates in my February Tips issue... who knows, I may be coming to your neck of the woods!
And, if you're looking for an experienced speaker who knows how to bring data security and privacy risks to life... on stage, on the airwaves or over the internet, please get in touch.
On the air...
HAVE YOU LISTENED YET?
I'm so excited to be hosting the radio show Data Security & Privacy with The Privacy Professor on the VoiceAmerica Business network. All episodes are available for on-demand listening on the VoiceAmerica site, as well as iTunes, Mobile Play, Stitcher, TuneIn, CastBox, Player.fm and similar apps and sites.
Hear the perspectives of incredible guests as they talk through a wide range of hot topics.
Some of the many topics we've addressed...
- identity theft
- medical cannabis patient privacy
- cybercrime prosecutions and evidence
- government surveillance
- career advice for cybersecurity, privacy and IT professions
- voting / elections security (a series)
SPONSORSHIP OPPORTUNITIES: Are you interested in being a sponsor or advertiser for my show? It's quickly growing with a large number of listeners worldwide. Please get in touch! There are many visual, audio and video possibilities.
In the news...
Bank Info Security
Credit Union Times
Health Care Info Security
3 Ways to Show Some Love
Privacy Professor Monthly Tips is a passion of mine and something I've offered readers all over the world since 2007 (time really flies!). If you love receiving your copy each month, consider taking a few moments to...
1) Tell a friend! The more readers who subscribe, the more awareness we cultivate.
3) Share the content. All of the info in this email is sharable (I'd just ask that you follow
It's time to celebrate. We're starting a new year full of possibilities. I hope your 2019 brings everything you hope for and more. Please don't hesitate to get in touch if there's anything my team and I can do to make it the best one yet!
Rebecca Herold, The Privacy Professor