"You Can't Make Me!"
When my boys were little, they were brilliantly sly. Like most toddlers, they sometimes liked to see just how far they could bend the rules. As they grew into preschoolers, there were times they tried some pretty ridiculous things. And when they'd get in trouble, we knew what was coming: "But you never  said  I couldn't."   

Surveying the world today,  I can't help but be reminded of those lovable, sometimes devious, little boys ( now grown into  responsible, smart young men, of course) .   We're in such a rush to develop "the next great thing" that we've reverted to a preschool mentality. 

In no space is this  more true  than data security and privacy. 
Building in th e necessary controls to secure data and protect privacy  is not something many developers  see as a priority.  Nor can they be bothered with c onsidering the unintended consequences of  their "disruptive" innovations.  No one is telling them they can't, so they do. The small portion of developers that *do* see this as important usually have executives who put the kibosh on something they do not see as legally required.  

There are dangers in this preschool privacy mentality. Don't you think?  

The Computer Says You'll be Dead Soon
Tech that scans your organs can also foretell your lifespan

Researchers used 
computer-based analysis to  predict which patients would die within five years and they got it right  69 percent  of the time. Scary, isn't it?  

Now i magine how valuable that information could be  to people other than you, your family or your doctor. I'm thinking specifically of  employers,  insurance companies, funeral home or hospice marketers, estate planners, not to mention criminals who make hay preying on widows and widowers.  

I imagine there are  many,  many others  who would love to get their hands on that level of predictive detail .  

This is an innovation we will want to keep an eye on, as there are  huge implications for  both  security (controlling access) and privacy (controlling who the  data is  shared with and how  it's  used).
Apps Sharing Your Data with the World
Users are rarely given a choice
Think of the last app you downloaded to yo
ur smartphone. Did you pay close attention to the services it asked to access?   

If you did read down the list of services, did you accept them? Or did they give you a bad enough feeling that you decided not to download the app after all?   

The really unfortunate thing, for both app developers and users alike, is that today's app world is  largely  "take it or leave it." It's rare to find an app that says, "It's okay if you don't want us to access your contacts. Just opt out, and you can have the app with fewer features."  
Sadly, I don't  see this changing anytime soon. No one is requiring the developers to change, and for the most part, app users aren't as concerned as they probably should be.   Not to mention, the data collected, analyzed and sold is making a lot of people a lot of money. And when the money comes fast, change comes slow.   

WHAT YOU CAN DO: Make it a habit to read the services your apps are requesting access to.  C onsider whether it's worth it. Remember, it's not a question of whether you trust the app provider to  use properly and  keep safe your data. You also have to consider the same for all the other third-party entities the app provider is sharing your data with.  Why's that? Because...   

SCARY STAT: 7 in 10 smartphone apps   share your data with third parties

WANT TO BE EVEN MORE PROACTIVE? Contact the app vendor and ask them "Why do you need access to the information?" Ask, "Who are you going to share it with? And how are you going to use it?" If you get answers, please let me know! With your consent, and either with your name included or anonymized, we will share your results with others in an upcoming issue so they can learn from your experience.
From Average Joe to Private Detective
Smart contacts transform wearers into super spies

Remember when Google Glass was just coming on the scene? Hospitals,  banks even bars , had to ban them so patients,  customers  and patrons  didn't have to worry they were  being secre tly  video taped  or photographed.  

Google  tried  to  calm  fears by explaining it was  obvious when a photo or video was being taken with Google Glass . The "photographer" would  have to be staring at his or her subject and an indicator  light would be on.   

Still,  we anticipated the day when no glasses, nor  indicator  lights, would  be there to clue us in . In fact, I even talked about it in keynotes in several locations such as Bogotá, Colombia, and Melbourne, Australia, as far back as 2012. Well, the day has arrived. With the advent of smart contacts people will soon be able to  film what they see and play it back all with the blink of an eye.
It begs the question, "How will bars ban these?"

Fresh Phish: Examples of Phishing Email

Here are two scam emails  I've received in recent weeks

Thanks to those of you who identified even more red flags in the June Tips example of real-life scam emails. Here are some more for you to inspect. Do you see what I saw that says, "I am a scam message!" Let me know!

ransomRansomware Scammers Reach a New Low  
'Pay up or spread the malware instead'  
Just when you thought data thieves couldn't get any worse, they came up with this crafty crime. 
Popcorn Time , a particularly nasty version of ransomware, spreads by offering victims an alternative to paying up.
The person attacked can either send the ransom in bitcoin or send the malware to two people they know. Kind of reminds me of the old chain letters from the 1980s, except much more sinister. 

It is never a good idea to pay a ransom for your data.  (Of course, that doesn't stop even large organizations from paying up to  $1 million to the data nappers .)  For starters, there's no guarantee you'll get your data back. Even if you do, it is quite likely they kept a copy and may be selling it to other crooks. Second, it only encourages the scammers by expanding the profitability of their game. The same is true for offering to infect your friends.   

When it comes to ransomware, your best bet (in addition to keeping your systems updated, of course) is to back up your files. That way, if you are attacked, you'll have no reason to pay -  nor  to spread the malware.
scary4 Scary Things You Need to Know
Here's a quick round up of what's new in the world of personal privacy risk 
Google Chrome flaw allows for secret audio/video recording  A design flaw in the browser could allow malicious websites to record audio or video without alerting the user or giving any visual indication the user is being spied on.  NOTE: I've been worried about this possibility since they built videocams into computers. And, yes, I've kept that little camera lens covered with a sticky note at all times I wasn't actively using it. Better safe than sorry!

Facebook users reveal shocking details about themselves when they "like"  -  As the power of the  social media  "like" grows, political campaigns and companies are  using  it to influence and track  our  behavior.  Something to keep in mind when you are pressured to "like" a relative's or friend's post if it is something you wouldn't ordinarily look at. I know what it's like; I've also "liked" posts I usually would never read upon request just to not hurt someone's feelings. And as a result, those posts are now part of what people think is my personality.

Identity thieves targeting kids   -  The clean slate of a child's social security number and credit history can be too much for a greedy crook to ignore. What a disgusting thing to ruin a kid's financial standing before they can even talk or walk. And even more despicable when it is done by a parent or family member. Get a credit report on your kids at least once a year to make sure they've not become unsuspecting victims.   

You could become infected just by hovering your mouse  - It's true. There is a PowerPoint trick that allows scammers to send you a file capable of spreading malware to your computer... without even clicking anything! Among other precautions, remember if someone you don't know, or wouldn't expect to get a file from, sends you a PowerPoint file (or any file for that matter), simply delete the entire message. It is not worth the potential problems that any associated malware could cause.


Task Force Eyes Medical Devices
A special task force has declared that the health care industry needs to step up its game when it comes to cybersecurity. I could not agree more, and am happy to see such actions being taken! 

Among the recommendations made by the task force were increased  security  on medical devices, something data security and privacy advocates have been clamoring for... for at least the past ten years
Medical device developers and the hospitals, clinics and medical offices that use these devices (and other connected technologies) should heed this as a wake-up call. Based on the task force's recommendations, the HHS, OCR and the FDA could begin auditing these devices for effective controls.  And, those responsible for the devices could be held accountable for HIPAA noncompliance and face associated penalties.  

If you want to learn more about this, as well as a wide range of medical device innovations, anticipated new technologies, and associated security and privacy risks, join me on July 27. We'll be conducting a 2.5-hour webinar,   Internet of Medical Things III: Engineering and Cybersecurity for Connected Devices ,  which is set to include members of HHS and the FDA.  
PPInewsPrivacy Professor On The Road & In the News  

On the road...

One of my favorite things to do is visit with leaders in different industries - health care and managed systems providers to insurance and energy (and beyond!). Below are a few of the events I have scheduled for the upcoming season.

July 27, 2017, 1:00 p.m. to 3:30 p.m. EDT:  Internet of Medical Things III: Engineering and Cybersecurity for Connected Devices, hosted by the BioPharmaceutical Research Council, Princeton, NJ.

August 15, 2017: Using the ISACA Privacy Principles to Perform a GDPR PIA, webinar hosted by ISACA.  More details soon.
September 13, 2017: SecureWorld Expo keynote, Detroit, MI. More details soon.
October 11, 2017 : Private Executive Briefing on healthcare security and privacy in the Internet of Medical Things in northern Rhode Island.

Privacy Professor In the news...

Credit Union Times

The morning TV broadcast regularly covers privacy and security tips with their guest, the Privacy Professor! Each is a brief 10-15 minutes and covers topics ranging from insider theft to connected vehicles. Check out this online library to watch recent episodes.

Here is my most recent visit to the studio in June.  I enjoyed discussing Russian hacking, "digital exhaust," the need for MUCH BETTER and ESTABLISHED MINIMUM SECURITY STANDARDS REQUIREMENTS for election systems, and ransomware with Lou Sipolt, Jr and Jackie Schmillen.

Questions? Topics?

Have a topic I should discuss on the  CWIowa Live morning show? Or, a question I can answer in my next monthly Tips? Let me know!

My little troublemakers at ages 2 and 4.
There are so many things we can learn from our preschoolers. Things like curiosity and imagination. At the same time, there's a reason we mature as human beings. When it comes to data security and privacy, we must apply our more evolved sense to the problems that challenge our society. But follow that proclivity to ask a lot of questions...especially when others are asking for and using your personal information.

When you see evidence of the preschool privacy mindset, speak up. The only way to rid our communities of this attitude is to remind one another of its dangers.  

Best of luck to you and have a wonderful, fun and & safe July,

Rebecca Herold
The Privacy Professor
Need Help?

Permission to Share

Want to repurpose the information contained in this Tips? Yes, please forward in its entirety. 

If you prefer to use only excerpts, please use this attribution:

Source: Rebecca Herold, Founder, The Privacy Professor®, privacyprofessor.org, privacyguidance.com, SIMBUS360.com, [email protected] 

NOTE: Permission for excerpts does not extend to images.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564

Visit my blog    Follow me on Twitter