Testing, Testing, 123

Living and working in Iowa, I had a front row seat for the fallout of poor technology testing during the February Iowa Caucus meltdown. The failure of a new caucus results reporting app was a classic example of how broken tech can kickoff a series of unfortunate circumstances. 

Rampant speculation, conspiracy theories and misinformation are just a few of the negative consequences you can expect when technology fails. Elections, already under a massive amount of scrutiny, simply can't take the added pressure of a technology snafu. 

The solution to preventing unproven technology from cause a mess like this in your world? Testing, testing and more testing!

For more on the topic of insecure elections and voting systems, check out the Data Security & Privacy with the Privacy Professor podcast. Several experts in election and voting security have joined me to discuss this far-reaching issue. This includes my guest Theresa Payton, an elections security expert who joined me for an episode that will air on March 7

Here are direct links to a few of the episodes on this topic in particular:
While testing doesn't solve every problem, it certainly goes a long way toward securing optimal outcomes. The good news in Iowa is that all the caucus goers recorded their candidate choices on cards, so those can be used to ensure accurate results, despite the failure of the app.

Read on to learn about the value of thinking ahead to prevent a wide range of data security and privacy problems. 

us  Data Security & Privacy Beacons
People and places making a difference**

Have you seen an organization or individual taking actions to improve privacy? Send me a note to nominate a privacy beacon of your own!

The Microsoft Edge Chromium browser is built around empowering users to avoid being tracked on the web. The browser offers three levels of privacy settings, and the default automatically blocks trackers from sites users haven't visited before. This blocks harmful trackers and also improves the relevancy of ads users allow. Some are comparing the browser to Ghostery, the  open-source privacy and security browser extension developed by in 2010 by David Cancel.  Have you used it? Do you like it?

Decent Security has dedicated a page specifically to malware and phishing that helps would-be and actual victims report attacks. The feature essentially enables the blacklisting of phishing sites, protecting more people from becoming exposed to what are often fast-spreading scams. 

U.S. Lawmakers across party lines have come together to pass the TRACED Act, which will make it easier for people to spot incoming robocalls, a system often used by scammers to reach more victims faster. The legislation calls on telecom carriers to implement a number-authentication system so you can see who is on the other end of the line. It also increases penalties for companies that fail to implement a robocall mitigation program. 

NIST has created a Privacy Engineering Collaboration Space where practitioners can discover, share, discuss and improve upon open-source tools, solutions and processes that support privacy engineering and risk managementThe online venue is open to the public, which is really important, as it provides a terrific resource for consumers to see the plethora of options available to tech developers. There simply is no excuse for not implementing good data security and privacy controls with a resource like this available.

Etsy recently impressed me with its procedure for double-checking user requests to change passwords. I've saved their emails as excellent examples of good privacy-awareness communication. Give me a shout via email if you'd like me to forward you a copy. 

Carnegie Mellon researchers have created the Internet of Things (IoT) Assistant app to informs users about the IoT technologies around them and what data they are collecting. And, if the technologies detected offer privacy features, like opting in or out of data collection, the app helps users access them. How cool is that!

**Privacy beacon shout-outs do not necessarily indicate an organization or person is addressing every privacy protection perfectly throughout their organization (no one is). It simply highlights a noteworthy example that is, in most cases, worth emulating.
real The Ever-Expanding Internet of Things (IoT) 
New monthly feature to spark IoT awareness 

As a member of the NIST Cybersecurity of IoT Program, which I started doing work for in January of this year, I've committed to, among other things, helping raise awareness of the risks posed by Internet of Things (IoT) devices. So, each month, I'll add a new piece of news or commentary on an IoT trend here in this space. 

This month, I'm offering up a round up of the different IoT infographics the team and I have created over the past several years. 

Please take a look and let me know if you have any questions. I'm happy to prepare different file formats if that helps you share these with the people in your community. Just shoot me a request via email. 

6 Places Crooks Steal (Then Ransom) Your Data: Where there's an Internet connection, there's a data napper. Here are six of their favorite hang outs.

Your Health Data Available for the Taking: Is your health data really private? Examine these scenarios to decide for yourself.

Who Has Your Health Data? Health data is copied and shared millions of times by hundreds of medical devices, networks and systems. 

How Many Times a Day Are You Handing Over Your Information? From the moment we wake -- and turn on that WiFi-enabled "smart" coffeemaker -- to the time we make our final Facebook sign off, we are leaving a digital trail. 
wanted Will You Let Alexa Ride in Your Car?
The hidden privacy data issues of Alexa Built-In

When I learned of the new Encore GX car with Alexa Built-In, my mind went straight to the privacy concerns. While the automaker is promoting this as a high-end feature, not everyone will want this new-era digital surveillance built into their vehicle. 

With Alexa on board, Amazon (and countless third parties with access to Amazon data) will know every minute detail of drivers' and their passengers' habits. This includes the businesses they visit, the music they listen to, the conversations they have while riding down the road and anything else they might do in their cars. 

Embedding Alexa into our personal devices certainly isn't a new concept. You can find it in the Lexus ES, the Fitbit Versa 2, the ecobee4 Smart Thermostat, Sony headphones, the Vector Robot by Anki, to name a few. While the convenience of Alexa integration is nice, consumers shouldn't have to pay with their privacy.  It would be a real privacy-beacon move for Amazon to build easy-to-use privacy capabilities into Alexa and Echo to allow for quick and intuitive ways to completely shut off listening/recording.

Devices Gain in Popularity Despite Security Bugs

Amazon and plenty of other Big Tech companies have come under fire for data privacy issues, as this CNET article  highlights. S ecurity researchers found an  error, tucked away in a calculator app, that could allow malicious apps  to enable continuous listening. Any provider the size of Amazon that allows a third-party app to eavesdrop on its users should be penalized, at a minimum by a reduction of interest in their products. Yet, Alexa-enabled devices continue to grow in popularity. 

Take Amazon Up on Its Privacy Offers

Consider what could be construed if Alexa misheard a question and responded with something completely out of left field that made you appear to be someone you're not. Amazon's updated privacy measures allow you to ask Alexa why she responded the way she did to clear up any confusion. But it's still a scary thought to consider the implications of your voice data taken out of context. 

Amazon has also put measures in place to make it easier for users to determine (and delete) voice data recorded via Alexa. How many people take advantage of these features, though?

As of now, we can still choose whether we want Alexa and other IoT devices in our private spaces. That could change, however. The benefits of Alexa and other cloud-based voice services are easily sold, but the downsides are often unknown to the consumer. It's becoming more of a default to have them embedded within products we buy, like a vehicle, where previously we weren't forced to think about a threat to our privacy.

worldsLow-Tech Ways to Safeguard Your Privacy
Mitigating data security and privacy risks in the physical realm 

Protecting yourself digitally is important. So, too, is keeping an eye on your physical surroundings. Below is a round up of quick tips for staying safe IRL (in real life). 

Avoid abbreviating the date in 2020: When signing documents, don't shorten the year to "20." Scammers can modify a date written as "3/3/20" to read "3/3/2017" or "3/3/2018," opening the door for all kinds of fraud. 

Finely shred paper documents: Your sensitive and personal information lives in a lot of places these days. Properly disposing of paper data is just as critical as deleting your digital info. Check the link for some of the best home shredding products available. 

Write or whisper personal information: When personnel in banks, clinics, stores, etc. ask for your Social Security Number, birthday or other confidential information, don't feel like you have to speak it out loud so those around you can hear. Sketch it down on a piece of paper or lower your voice so others around can't hear. If this happens to you often, carry a note pad or small notebook with you to make such communications.


 oldOld Laws, New Tricks
The uptick in global epidemics has generated a call on the health care industry to share patient data with government health agencies, all in the name of research. In my opinion, that would be a huge mistake. 

It reminds me a lot of government insistence on building backdoors to encryption. Lawmakers, with limited knowledge of technology and the data security and privacy risks it creates, propose programs (and sometimes laws) without thinking through the ramifications. 

HIPAA can't protect everything

Sadly, I'm afraid government agencies will get exactly what they are asking for. And, if they don't, they'll have plenty of other options. Just look at what's happening with the the U.S. government's covert, albeit legal,  use of personal cell phone data to track people. They simply buy the data from third parties who gather location information from games, weather or e-commerce apps. 

Under HIPAA, medical providers and health insurers cannot share "protected health info," which is generally defined as any health information that can be used to identify an individual, and that was created, used or disclosed in the course of providing a health care service. But, consider all the health data out there that was not collected by doctors, health care providers or health insurers. Our purchase histories alone are pretty good indicators of the ailments and issues we're dealing with. And then there are the fitness, smoking cessation and menstrual cycle trackers, none of which are governed by HIPAA. 

You'll often hear proponents of data-sharing programs tout anonymity as a privacy mechanism. But, when it comes to harvesting and monetizing data, anonymity is rarely even possible. Researchers found more than  99 percent of individuals in a data-security study could be identified  using machine learning. 

This is a distinction that needs to be addressed either in  new legislation or an update to HIPAA. We need to ensure ALL health data, regardless of the source, is protected in this  new era of digital health care.

trackingHow Accurate is Location Tracking?
Google tracked me for a year, even when Maps was disabled
Just last week, I got a sneak peek into w hat Google t hinks  it knows about my habits. 

Google Maps sent me an unsolicited report of my comings and goings in 2019. For the majority of the year, I didn't even have Google Maps installed (I disable and uninstall when not in use). And yet, my whereabouts were still being tracked. 

Per Google's email I received, the creation of the log was due to my Location History setting being turned on within the Google Maps app.

If Google or any of its third-party partners wanted to know I'd been to Iowa City or Newton or Boise, or that I ate at Flying Mango, it was all right there. 

The fact that a year's worth of my location data is available, and potentially up for sale, is disturbing enough. Worse is that Google's records contained inaccurate data.  For example, I did not visit Bubba's Bar-B-Que as the report indicated. There are many aspects of location tracking that disturb me, but easily accessible misinformation tops that list. 

Have you received a similar notification from Google? Was it accurate? Send me a note to share your experience. 

noticesPrivacy Notices Flooding Inboxes
New legislation and increased awareness force providers to rework policies  

The California Consumer Protection Act (CCPA) and a general increase in consumer a wareness of data security and privacy risks have created a virtual flood of updated privacy policies. (And, there's no time like the present for companies to be working on this important initiative. The first lawsuit involving CCPA noncompliance was just filed last month.)

I analysed about a dozen or so of the privacy policy updates I've received over the past several weeks, and two key takeaways stood out:
  1. Most changes are clearly to comply with CCPA. The unfortunate side of this is that many of the policies exclude customers outside of California from having some of the same rights to their personal information. I expect this will generate plenty of complaints, if not also lawsuits. 
  2. The breadth of sources from where providers are collecting information about customers is staggering and ambiguous. I asked Lee which third parties were sharing information about me with them. They did not respond. I will try again.

I encourage you to read as many of the privacy policies as you can. And, ask questions of the businesses, providers and organizations you entrust with your personal data. Be persistent. Consumer attention to data security and privacy is ramping up, and it's likely to affect change. 

veinsWhat Amazon Wants with Your Veins
New tech identifies you using vein patterns in your hands  

In addition to taking over our shopping experiences, Amazon may also have its sights set on our bodies. The tech giant recently filed a patent for technology that scans human palms with infrared light while a camera snaps a photo of the vein structure. Similar to fingerprint scanning and facial recognition, it's a way to authenticate identity, something that's becoming increasingly difficult in the digital era. 

If reading your vein structure seems a bit invasive to you, you're not alone. Part of the issue is with the entity using the technology. I've seen some credit unions, for instance, use vein-scanning technology. But, generally speaking, they are using the  information in a siloed (and hopefully well protected) manner. Amazon, on the other hand has links to hundreds of thousands of partners with whom it is very likely to license its technology and share its data. 

If approved, Amazon could use its patent to link consumers to an associated bank account and track items they pick up in the physical world, say at an Amazon Go or Whole Foods location. That information could then be used to market to you, among other potential uses. To be sure, the behavior and habit insights they gain will be enticing to many more than marketers.

While I am a customer of Amazon, I'm also a critic. At times, I feel they overreach and need to be called out for it. 

Between Amazon, Google, Facebook and Apple, it seems every bit of information about us could be up for grabs. Today it's our veins and all the places they travel. Who's to say what it will be tomorrow? Virtually any part of our bodies -- from our ears to our gaits to our speech patterns, can be used for some type of benefit or use by others. In fact, this is already underway. The introduction of various biometric tech solutions that provide access to unique-to-you body parts opens up all kinds of security and privacy concerns .

Think of it this way... what would happen if a data breach of biometric data were to occur? You can change your password or close an account fairly easily, but can you change your vein structure? I think not. 

PPInewsWhere to Find the Privacy Professor  

On the air... 


Do you have an information security, privacy or other IT expert or luminary you'd like to hear interviewed on the show? Or, a specific topic you'd like to learn more about? Please let me know!

I'd also love for your organization to be a sponsor! Shoot me an email and I'll send you more details.

All episodes are available for on-demand listening on the VoiceAmerica site, as well as iTunes, Mobile Play, Stitcher, TuneIn, CastBox, Player.fm, iHeart Radio and similar apps and sites. 

Some of the many topics we've addressed... 
  • student privacy
  • identity theft
  • medical cannabis patient privacy
  • children's online privacy and safety  
  • applications and systems security
  • cybercrime prosecutions and evidence
  • government surveillance
  • swatting 
  • GDPR
  • career advice for cybersecurity, privacy and IT professions
  • voting / elections security (a series)
Please check out some of my recorded episodes. You can view a complete listing of shows to date, grouped by topic. After you listen,  let me know what you think ! I truly do use what I hear from listeners.

SPONSORSHIP OPPORTUNITIES: Are you interested in being a sponsor or advertiser for my show? It's quickly growing with a large number of listeners worldwide. Please get in touch! There are many visual, audio and video possibilities.

We have current sponsorship openings in three of the four weeks' shows each month. If your organization wants to sponsor one show each month, I will cover topics  related to your organization's business services and/or products.

In the news... 

Advertising Now Available!

Tips of the Month is now open to sponsors. If you're interested in reaching our readers (maybe you have an exciting new privacy product or service or an annual event just around the corner), the Tips email may be just the thing to help you communicate to more people! 

We have a variety of advertising packages to meet every budget. 

3 Ways to Show Some Love

The Privacy Professor Monthly Tips is a passion of mine and something I've offered readers all over the world for since 2007 (Time really flies!). If you love receiving your copy each month, consider taking a few moments to...

1) Tell a friend! The more readers who subscribe, the more awareness we cultivate.

2) Offer a free-will subscription! T here are time and hard dollar costs to producing the Tips each month, and every little bit helps. 

3) Share the content. All of the info in this e mail is sharable (I'd just ask that you follow

It's always been important to let your voice be heard. But it's never been more critical than today.

Democratic elections are a wonderful system when they are functioning correcting and the technology to enable more voters is vetted and tested... and then tested again. So, don't be discouraged by the news of the day. Get out there and participate in the process!

Here's to a wonderful March (spring is on the way!),

Need Help?

share2Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share  excerpts, as well, with the following attribution:

Source: Rebecca Herold. March 2020 Privacy Professor Tips. www.privacyprofessor.com.

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Infoprivpolicy

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through PrivacyGuidance.com
2) making a request directly to Rebecca Herold; or 
3) connecting with Rebecca Herold on LinkedIn

When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the encouraged communications by LinkedIn, she will send those asking for LinkedIn connections her Tips message monthly. If they do not want to receive the Tips message, LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com. 

If you wish to unsubscribe, just click the SafeUnsubscribe link below.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564
View our profile on LinkedIn     Follow us on Twitter