Do You Know Where Your Data Is?

With an ever-increasing number of devices, gadgets, sensors and scanners gathering our personal data, it's difficult to know where it all goes. Yet, to meaningfully increase cybersecurity and privacy effectiveness, each of us, from members of the general public to leaders of all types of organizations, needs to remove our digital blinders.

While we may never have a full understanding of where all of our information is stored, there are things we can do to minimize its collection... or at least be aware of who has it. 

Read on to learn more about the people, places and things siphoning our data and what you can do to limit that access. 


us  Data Security & Privacy Beacons
People and places making a difference**

Have you seen an organization or individual taking actions to improve privacy? Send me a note to nominate a privacy beacon of your own!

PayPal and Apple are each providing content on their websites to help people tell if emails appearing to be from the companies are legitimate. Here is what PayPal tells visitors to the page; here's Apple's information. I discovered each of these pages myself after receiving phishing attempts to my inbox, one of which is below

LinkedIn has made changes to its Groups settings. The enhancement allows administrators of groups to select either Listed or Unlisted. If they choose Unlisted, the group cannot be found in search and will not be visible on members' profiles. This allows LinkedIn members to participate in groups they may not want others to know they are in (a good privacy move). Of course, it's  important for users to remember, however, that posts to unlisted groups are as vulnerable as anything else on the Internet. Fellow Unlisted group members can screenshot and share content; LinkedIn could experience a breach; any number of slip ups or break-ins could expose your posts to the world. 

The Denver Elections Division  really impressed me earlier this month when I reached out to ask a few questions about the security of their systems. Not only did they respond quickly, they did so thoroughly. And, I really like the online resource they created, "Ballot Life Cycle." It shows, through an simple-to-navigate interactive page, what happens at every stage of an election ballot's life -- from the certification of candidates to a risk-limiting audit and authentication of voting results. It's both refreshing and encouraging to see such care given to transparency and communication from a U.S. state election division.   
USPS has begun to offer its customers an "Informed Delivery Daily Digest." The free service sends users grey-scale images of the letter-sized mail pieces that will be delivered to their mailboxes. It also shows packages expected to arrive that day. Are there privacy risks? Yes, if you share your email notification with others. And, the first Daily Digest email I received via email was not encrypted. I've experienced problems with mail being taken or delivered to other houses. So, it's good to be able to compare what I receive to what I am expecting. It's worth noting that not all mail is included in the service; things like coupon flyers, magazines and catalogs are not scanned by USPS. I need to check into this a little more, but so far I like it, particularly because I can see payments and bills coming in.

The FTC has banned a company from selling stalkerware, software that monitors consumer mobile devices. MobileSpy, PhoneSheriff and TeenShield allow people to monitor others' smartphone activity without their knowledge. This is  the first time the FTC has brought a case against developers of stalkerware apps... hopefully it's far from the last!

**P rivacy beacon shout-outs do not necessarily indicate an organization or person is addressing every privacy protection perfectly throughout their organization (no one is). It simply highlights a noteworthy example that is, in most cases, worth emulating.
real Stalker Finds Data Through Reflection in Eyes
A warning about posting photos online

If you're posting photos online, you'll want to take heed. With continuous enhancements to smartphone cameras, snapping and sharing high-resolution photos is easy to do.
The problem?
The photos are of such amazing quality that even the finest details can be captured.
Take the recent incident with a Japanese popstar whose photo led to her attack by a crazed fan.  Newsweek reported the story.
When arrested, the stalker explained how he zoomed in on the photo, which revealed a reflection of a bus stop in the singer's pupils. Using Google Street View, he was able to identify where she lived and assault her in her home.
The danger in this situation was a lot more than meets the eye - it was in the eye.
How to protect yourself
It's not just pop stars who can be targeted by digital stalkers. Everyone should take precautions, such as reducing the quality of images or disabling photo geotagging on your phone.
To keep your iPhone camera from tracking your location:
  1. Go to Settings and tap Privacy
  2. Select Location Services and tap Camera
  3. Select Never
To keep your Android camera from tracking your location:
  1. Open your camera app
  2. Click the Setting button
  3. Find GPS Tag and turn it to Off

A fake thank-you email sends up red flags.
The click bait subject line, "Thank you for your order," is nearly impossible to resist.

You think, "Did I place an order I forgot about? It's been known to happen!"

At first glance, an email like the one below seems legitimate. But, savvy scam spotters will quickly recognized what it is -- yet another phishing attempt.

Can you spot the red flags?

  1. While the name in the From field is "Apple Store," the domain name is clearly a mismatch <>.
  2. Hovering over the hyperlink in the email reveals a completely unrelated site.
If you receive an email from Apple that looks suspicious, read these tips from the company before clicking any links. Their tips  apply to fake messages appearing to be from other companies, as well.

A roundup of risks from common apps and devices 
A New Internet Explorer Bug Can Take Over Your Entire PC, So Stop Using It : One click and your entire system can be compromised. Hackers can delete, change or add accounts at will. If you're still using it, it's time for a change; the IE browser has known security problems, and has for years. I use Firefox, Chrome and occasionally TOR on my Windows 10 desktop and laptop.
Apple iOS 13 Is Full of Bugs, Reports Warn : Did you recently install the Apple iOS 13 software? After numerous reported problems, including a "significant security flaw," warnings were issued for millions of users. Apple has released an update (13.1.3), which I would encourage you to install on your phone.
Kids Amino App Ask Girl, 10, For Topless Photo to Verify Age : Kids' dress-up anime game displayed a disturbing message, one that said it was from an "employee of Amino," threatening to ban young girl from the site if nude picture wasn't sent. I encourage everyone to know and regularly check the apps their children have on their phones. Immediately remove those that present privacy and safety risks.

Samsung: Anyone's thumbprint can unlock Galaxy S10 phone: A software flaw...that SHOULD have been found by thorough testing prior to release to the public... was discovered in the new phone. It allows any user with a thumb to access the phone's data. This is a particularly significant risk because the technology provides users with a false sense of security. When people feel protected, they tend to exercise riskier behavior. Remember, devices and apps you use are only as secure as the engineers, software developers and testers made them. Sometimes they don't test much!

 easyCops Request Access to Smart Doorbells
How will law enforcement ensure data security and privacy?
Across the nation, cops are asking smart doorbell owners to voluntarily register their devices. The idea is to crowdsource an  easily searchable  database of surveillance cameras in the area. When crimes occur, the cops can then contact homeowners nearby and request video. 

Before participating in a program like this, however, I strongly encourage you to ask a few questions of the law enforcement agency:

1. Can I deny access to any videos you request?
2. How will you securely store any personal video I share with your agency?
3. Which third parties will also have access to my video, and how will they secure it?
4. Has your agency completed a privacy risk assessment for the program? If so, may I see  a copy of at least the executive summary?

Consider this...

It's important to keep in mind that doorbell cameras capture much more than crime. There have been several cases in which embarrassing moments are "caught on tape." Posted online, they often go viral, exposing the person captured to exponentially more embarrassment. 

What's more, most doorbell cameras are only activated upon motion, so important context can be missing. Imagine an assault caught on camera. What happened just prior to the incident? Or how about a caregiver or house cleaner who mistakenly enters the wrong home. Might they be accused of attempted burglary? 

Even more troubling is the existence of deepfake videosrecordings that look and sound real but have been manipulated in some way. According to CSO, "...anyone can download deepfake software and create convincing fake videos in their spare time." Could Ring footage stolen in a law enforcement agency breach be used to create the next viral deepfake video?

Surveillance does not equal safety. It's almost always retroactive and sometimes quite invasive. Just be sure to ask questions before you take part in programs that are intended to make communities safer. You know what they say about good intentions...  

balloonData Breach Notifications: Compliant Is Not the Same as Complete
Consumers left scratching heads after most notices
A popular hotel chain recently notified me of a breach that exposed some of my contact information. They sent a fairly standard form letter that raised more questions than answers. This is a common problem among breached entities. 

While there are laws requiring organizations to send out such notices, those laws do not provide enough guidance on how to make them or what information to include. The way each organization reacts to a breach differs greatly. The ultimate breach victims (consumers whose information is stolen) deserve more consistent types of information following these incidents. 

If (or more likely when) your organization is breached, follow these best practices in your notification efforts:

1. Avoid vague language. Explain what happened to the best of your knowledge, but run it past a communication expert to ensure it's not laden with jargon no one can understand. 

2. Connect the dots. Consumers may not understand the risks associated with your breach, so explain how a fraudster or hacker might use their stolen information.

3. Make it right. Trust in your organization is on the line. Do what you can to make up for the gaps in your security or that of your vendor that exposed the data. 

4. Keep lines open. Establish an inbox or hotline for consumers to contact you with questions. Staff it adequately so people feel listened to and inquiries are answered quickly. 

The other day, I opened my Android Maps app and began to navigate to my destination, a sports complex where I'd planned to meet my husband and kids. Right next to the pin that noted the complex was another I didn't recognize. Next to it was my husband's name and the words "is here." 

The app was showing me my husband's exact location. That had never happened before. Do you have any idea what's going on with this, and if anyone else can see my husband's location? How can we find out?
It sounds like your husband either knowingly or accidentally shared his location with you (and potentially others). The Maps app and plenty of other location apps allow for such sharing. 

Sometimes location sharing is helpful, such as when you are traveling in a group and could get separated. Once you no longer need that feature, however, it's best to completely turn it off. Many people forget to do so. 

The majority of apps use GPS locations as part of their feature set. If you don't need (or want) your location revealed, turn off your phone's location. Doing so usually overrides any of your apps that attempt to share your location. Even if an app wants to know where your location is, your phone won't give it (unless there are other flaws in your phone system allowing such access).

PPInewsWhere to Find the Privacy Professor  

On the road...

I just love speaking, hosting and teaching courses all over the world. I just returned from Luxembourg, in fact. 

If you're looking for an experienced speaker who knows how to bring data security and privacy risks to life... on stage, on the airwaves or over the internet, please get it touch. And, if you're going to be in any of the locations below, stop by and say hello.

December 13, 2019: Speaking about privacy at the Iowa Infragard December meeting, 8:30 a.m. central at the Farm Bureau facilities in West Des Moines.

May 21, 2020: Speaking at the Contact Center Association of the Philippines (CCAP) Privacy Summit. More details to come!

On the air... 


I'm so excited to be hosting the radio show  Data Security & Privacy with The Privacy Professor on the  VoiceAmerica Business network

I'd love for your organization to be a sponsor! Shoot me an email and I'll send you more details.

All episodes are available for on-demand listening on the VoiceAmerica site, as well as iTunes, Mobile Play, Stitcher, TuneIn, CastBox,, iHeart Radio and similar apps and sites. 

Some of the many topics we've addressed... 
  • student privacy
  • identity theft
  • medical cannabis patient privacy
  • children's online privacy and safety  
  • applications and systems security
  • cybercrime prosecutions and evidence
  • government surveillance
  • swatting 
  • GDPR
  • career advice for cybersecurity, privacy and IT professions
  • voting / elections security (a series)
Please check out some of my recorded episodes. You can view a complete listing of shows to date, grouped by topic. After you listen,  let me know what you think ! I truly do use what I hear from listeners.

SPONSORSHIP OPPORTUNITIES: Are you interested in being a sponsor or advertiser for my show? It's quickly growing with a large number of listeners worldwide. Please get in touch! There are many visual, audio and video possibilities.

We have current sponsorship openings in three of the four weeks' shows each month. If your organization wants to sponsor one show each month, I will cover topics  related to your organization's business services and/or products.

In the news... 

Advertising Now Available!

Tips of the Month is now open to sponsors. If you're interested in reaching our readers (maybe you have an exciting new privacy product or service or an annual event just around the corner), the Tips email may be just the thing to help you communicate to more people! 

We have a variety of advertising packages to meet every budget. 

3 Ways to Show Some Love

The Privacy Professor Monthly Tips is a passion of mine and something I've offered readers all over the world for since 2007 (Time really flies!). If you love receiving your copy each month, consider taking a few moments to...

1) Tell a friend! The more readers who subscribe, the more awareness we cultivate.

2) Offer a free-will subscription! T here are time and hard dollar costs to producing the Tips each month, and every little bit helps. 

3) Share the content. All of the info in this e mail is sharable (I'd just ask that you follow

Keeping track of our information is much harder today than even a decade ago. But, it's crucial to be aware of who is tracking what and the decisions they are making with that information. 

Be sure to ask questions of the technology providers in your life. Let them know you care about how they are using your data and with whom they are sharing it. That's the only way they will know how much data security and privacy has come to mean to their customers.

Have a beautiful November!

Need Help?

share2Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share  excerpts, as well, with the following attribution:

Source: Rebecca Herold. November 2019 Privacy Professor Tips.

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Infoprivpolicy

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through
2) making a request directly to Rebecca Herold; or 
3) connecting with Rebecca Herold on LinkedIn

When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the encouraged communications by LinkedIn, she will send those asking for LinkedIn connections her Tips message monthly. If they do not want to receive the Tips message, LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at 

If you wish to unsubscribe, just click the SafeUnsubscribe link below.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564
View our profile on LinkedIn     Follow us on Twitter