A Very Unnatural Disaster

Sometimes it seems like once something bad happens, other bad things follow. Like so many other places throughout the world, we're certainly feeling that in Iowa. While dealing with a deadly pandemic, out of nowhere came a destructive derecho that introduced a completely different type of disaster into our lives.

If you're not familiar with the term "derecho," don't feel bad. Not many of us here in Iowa were either until August 10 when we experienced the devastation of straight-line winds often above 100 mph (reaching a measured 140 mph in some locations). Some have likened the wreckage to a tornado or hurricane. However, in both of those circumstances, there's usually some warning. The Iowa Derecho came seemingly out of nowhere and left a massive path of destruction in its wake. 

Some people were left without homes. More than 10 million acres of farm crops were destroyed or severely damaged beyond harvestability. And, more than 600,000 households were left without power. The outages went on for weeks in some cases, making Zoom's dramatic and horribly timed outage seem like a blip. Work-from-home went from merely inconvenient to downright impossible. 

We all know what happens when disaster strikes. Bad guys and gals come out of the woodwork. The opportunistic scammers count on anxiety and shock to usher victims right into their snares. Sadly, it works. 

Read on to learn what the crooks, hackers and cyber actors are getting up to as the rest of us move toward recovery. Awareness is your best weapon against them and their tricks. 

I was nearly Dorothy heading to Kansas when the derecho hit my neighborhood on Aug. 10, 2020. This is a view of part of my backyard from the 3rd floor of my house. The oak tree is very old and was very tall. The tallest branch was ripped out of the center of the tree and somehow did not crush my house!

Data Security & Privacy Beacons
People and places making a difference**

Have you seen an organization or individual taking actions to improve privacy? Send me a note to nominate a privacy beacon of your own!

The Better Business Bureau (BBB) again receives a Beacons nod for its excellent awareness campaigns. In August, the BBB shined a light on a scam known as brushing. It occurs when foreign, third-party sellers send unordered merchandise to a victim's home. Their goal is to make it appear as though a verified buyer wrote a glowing online review of their merchandise. But, as the BBB points out, the fake review is just the beginning. Armed with your name, mailing address and (likely) your phone number, the crooks can pull off "porch pirate" scams, ordering merchandise to your home and then snagging it from your door. Check out the BBB's warning for tips on what to do if you become a victim of a brushing or porch pirate scam. 

The U.S. National Conference of State Legislatures (NCSL) has done a terrific job providing great information about state privacy activities. Their archive includes a frequently updated collection of state privacy and security laws. The list of social media privacy laws is particularly interesting. Many U.S. states began introducing legislation in 2012 to prevent employers, as well as colleges and universities and landlords, from requesting social media passwords to get or keep a job, a spot in school or a home. Twenty-six states have enacted employer laws, and 16 apply to educational institutions (so far just one to landlords). Find the complete list on the NCSL's roundup.

The information security, privacy and IT professional association ISACA has created a new certification specific to the field of data privacy solutions engineering. The Certified Data Privacy Solutions Engineer designation helps more professionals showcase their technical skills. For too long, privacy certifications were focused primarily on laws. It's great to see a certification for the actual engineers building privacy protections into data-enabled technology from the very beginning of the development life cycle. The designation will also be great for those who manage privacy-related physical operations and administrative activities. I was honored to write the governance section of ISACA's soon-to-be-published "CDPSE Review Manual."

The Ponemon Institute and ID Experts have published a study on consumer privacy that enumerates privacy concerns as we all become more dependent on digital technologies. Among their findings: 74% of consumers feel they have little control over the personal information collected on them; and 86% are very concerned about their privacy when using free online tools like Facebook and Google. Importantly, the report, "Privacy and Security in a Digital World: A Study of Consumers in the United States," includes actions consumers can take to protect their digital privacy.

Privacy advocates in Utah, sponsored by Rep. Karianne Lisonbee, are bringing much-needed attention to a little-known privacy threat in their state. The University of Utah's Huntsman Cancer Institute has for years collected personal information from the Utah Driver License Division without the permission of residents. The advocates are pushing for an opt-out option to be made available as people renew their driver's licenses. Lisonbee said, "In this day and age where no data is 100% secure, it is important that we inform the residents of Utah that their data is being shared and allow them the opportunity to consent to that transference of data." The cancer institute is pushing back in the name of research, saying its database, which has helped in some of the institute's key discoveries, could be ruined if the opt-out reduces the amount of data available to it. 
  • The above is a perfect example of how privacy must be considered even when health research is involved. Often, when individuals are given a choice to have their health data used to make disease breakthroughs, they will agree to share it. But when no choice is given, it creates suspicion about what other uses the data may be put to. Transparency not only supports privacy, it engenders trust. 

**Privacy beacon shout-outs do not necessarily indicate an organization or person is addressing every privacy protection perfectly throughout their organization (no one is). They simply highlight a noteworthy example that is, in most cases, worth emulating.
One of many Iowa farm co-op grain bins that were destroyed, along with the grains within them. SOURCE: Western Iowa Synod
Digital Contact Tracing Creates a Slippery Slope
Automated data surveillance leads to privacy concerns
This pandemic continues to get worse in the U.S. We all want to find cures and treatments. However, once more, the balance between privacy and health must be addressed with transparency and choice instead of secrecy and unexplained data sharing practices.

While some insist that contact tracing is critical to slowing the spread of COVID-19, the data privacy and security threats of contact tracing technology could outweigh the benefits depending on the methods of execution. Several different tracing techniques, especially those that rely on digital surveillance, are raising red flags among technologists and consumers alike. 

In a nutshell, contact tracing works to identify and communicate with people who have tested positive and those they've come into close contact with. Most solutions today use human agents to encourage infected individuals to voluntarily self-quarantine. Although likely more effective and definitely more privacy friendly than an automated solution, manual tracing is extremely work-intensive.

In the August episode of Data Security and Privacy with The Privacy Professor, my guest, Dr. Katina Michael, and I covered this topic in-depth. Dr. Michael, a professor at Arizona State University and a National Science Foundation-funded researcher, provides her expertise on the various methods of contact tracing, as well as the privacy concerns with them. We tackled a big question: 

How can we use contact tracing to curb the spread of COVID-19 while also protecting people's privacy?

On the podcast, we talked through how different governments have handled contact tracing to-date.
  • Outliers, like Germany, made a point to take privacy into account when building contact tracing applications. This causes me to question countries like the U.S., leaders of which said there wasn't time to implement privacy procedures. Organizers jumped headfirst into gathering information without a clear plan of how it would be used or protected.
  • The Test Iowa initiative, for instance, gathered a wide swath of unnecessary data. Things like date of birth, address and phone number could be linked to a positive COVID-19 result.
  • A California bill has gone so far as to endorse a blockchain-based system that would turn COVID-19 test results into permanent records used to allow people entry into public places and transportation. Holy cow! Imagine the implications of a false positive or data error in that circumstance. 
Apps Built by Data-Hungry Developers?

Contact tracing apps that monitor precise locations and movements are being developed as we speak. It's critical we pay attention to the entities behind these apps. How many "developers" would like access to an entire country's worth of personal data? That's a virtual treasure trove. 

Aside from who is behind such apps and their intentions, there are plenty of other concerns, such as...

...when will the tracking end?

...who would data be shared with?

...how can individuals find out who has been given their data?

...who is accountable for misused, stolen or sold data?

Google and Apple have said they will work with governments to build out tech-centric capabilities for contact tracing. It's a nice offer, but how many of those governments will take them up on it? The U.S. Congress has grown fond of grilling Big Tech CEOs about their business practices. Undoubtedly, digital surveillance through consumer smartphones will raise even more questions in the minds of legislators. 

For Now, Manual May be Best Bet

I've gotten many questions on this topic, and it's no wonder. The privacy implications of contact tracing are many, and present a slippery slope. Information about who has tested positive, what they're doing, where they're going and when must be protected with intention and intensity. 

As Dr. Michael emphasized, the best method remains the manual method. Her advice is to take personal responsibility for your own health and to communicate broadly. Wash your hands, use sanitizer, wear masks, socially distance, get tested if you are experiencing symptoms. Certainly, notify those you've come in contact with if you test positive.

Data accuracy and management when it comes to contact tracing are still highly questionable. Therefore, taking personal precautions to help minimize the effects of this pandemic remains one of our best defenses.

USHL Team Buccaneer Arena in Des Moines, Iowa. SOURCE: Waterloo Cedar Falls Courier
Knock Codes Not the Perfect Security Promised
Smartphone security promises from LG fall flat 
Smartphone maker LG's so-called "perfect security" has turned out to be anything but. The technique, a method of replacing passwords, was inspired by knock codes that have their roots in turn-of-the-century Russian prisons. Perhaps that should have been our first clue that the secure password technology was not all it was *cracked* up to be. 

Created with the goal of replacing passwords (a big win that many, many developers have been chasing for years), the technique has fallen short of expectations. Fast Company even called it "surprisingly easy to hack."

Here's how it was supposed to work: You're given a 2x2 grid to create any "knock" or tap pattern you like. (LG says there are more than 86,000 combinations.) 

The problem is that the knock patterns people create show even less creativity than their passwords do. 

Security researchers found that 18 percent of all codes consisted of the same four patterns. Further research found that given 10 tries, someone could guess your knock code 28 percent of the time. On top of that, 20 percent of people who set up a knock code couldn't remember it 10 minutes later.

Although knock codes may sound good, the raw number of combinations is not what matters most; what matters is how predictably people choose from them. Passwords and PINs gain combinations quickly as they get longer (a six-digit PIN alone has a million possibilities, more than ten times the entire knock code space), and, as the research above shows, people pick knock patterns even more predictably than they pick passwords. Of course we all wish we didn't have to remember a bunch of letters and numbers. But for now, passwords are a safer option than the "knock off" version.
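To make the arithmetic behind that comparison concrete, here is an added example (not code from this newsletter, from LG or from the researchers cited). It assumes LG's documented knock code format of a 2x2 grid and 6 to 8 taps, which reproduces LG's "more than 86,000" figure exactly (4^6 + 4^7 + 4^8 = 86,016), and it models user choice with a constructed distribution tuned only to the two percentages quoted above (top four codes cover 18% of users, top ten cover 28%). What it demonstrates is that a 4-digit PIN actually has fewer combinations than a knock code, yet what an attacker with ten tries gets is driven by how skewed users' choices are, not by the size of the keyspace.

```python
"""Knock code keyspace vs. real-world guessability.

Added example for this article; not LG's code and not the researchers' data.
Assumption: LG Knock Code uses a 2x2 grid and 6 to 8 taps, which reproduces
LG's "more than 86,000" figure (4**6 + 4**7 + 4**8 = 86,016).
"""
from itertools import product

GRID_CELLS = 4              # 2x2 grid
MIN_TAPS, MAX_TAPS = 6, 8   # assumed LG length limits


def knock_code_keyspace(cells=GRID_CELLS, min_len=MIN_TAPS, max_len=MAX_TAPS):
    """Closed form: sum of cells**n over every allowed length n."""
    return sum(cells ** n for n in range(min_len, max_len + 1))


def enumerate_knock_codes(cells=GRID_CELLS, min_len=MIN_TAPS, max_len=MAX_TAPS):
    """Yield every distinct code as a tuple of cell indices (cross-checks the closed form)."""
    for n in range(min_len, max_len + 1):
        yield from product(range(cells), repeat=n)


def pin_keyspace(digits):
    """Number of distinct numeric PINs of the given length."""
    return 10 ** digits


def constructed_choice_distribution(keyspace):
    """CONSTRUCTED model of how users pick codes; not measured data.

    Tuned only to the two figures quoted in the article: the four most
    popular codes cover 18% of users and the ten most popular cover 28%.
    The remaining 72% is spread uniformly over all other codes.
    Returns a list of probabilities, one per code, summing to 1.
    """
    head = [0.18 / 4] * 4 + [0.10 / 6] * 6
    tail_size = keyspace - len(head)
    return head + [0.72 / tail_size] * tail_size


def guess_success(probs, guesses):
    """Chance that an attacker guessing in popularity order succeeds within `guesses` tries."""
    return sum(sorted(probs, reverse=True)[:guesses])


def uniform_guess_success(keyspace, guesses):
    """The same attacker against users who choose uniformly at random."""
    return guesses / keyspace


if __name__ == "__main__":
    space = knock_code_keyspace()
    print(f"knock codes (2x2, 6-8 taps): {space:,} combinations")
    print(f"4-digit PIN: {pin_keyspace(4):,}   6-digit PIN: {pin_keyspace(6):,}")
    probs = constructed_choice_distribution(space)
    for tries in (1, 4, 10):
        print(f"{tries:>2} tries: skewed choices {guess_success(probs, tries):.1%}"
              f" vs uniform choices {uniform_guess_success(space, tries):.4%}")
```

Run it and the two attackers differ by three orders of magnitude against the same 86,016-code space: ten popularity-ordered guesses succeed 28% of the time in the constructed model, while ten guesses against uniformly chosen codes succeed about 0.01% of the time. That gap, not the keyspace, is the security story.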

Camp Mitigwa, Woodward, Iowa. SOURCE: Mid-Iowa Council of the Boy Scouts of America
New Data on Grandparent Scams Shows COVID-19 Twist
Consumer Affairs digs into threat with research      

In response to our Privacy Beacon pointer to the FTC's warning about grandparent scams, published in the May 2020 Tips, Consumer Affairs reached out to share research they've done into the threat. 

The research combines the FTC's scam tracking data with Population Reference Bureau statistics, as well as survey results from Consumer Affairs. 
The full report is available at ConsumerAffairs.com, but here are some of the top takeaways:
  • California, Florida and New York have the most reported incidents of grandparent scams. Pennsylvania and Maine round out the top five states.
  • Scammers are using social media more than ever before to learn more about their victims.
  • Con artists have added a COVID-19 twist: They claim a grandchild suddenly developed coronavirus symptoms and had an accident on the way to the emergency room. They plead with the grandparent to wire $3,000 and keep it secret from the parents. 
In an exclusive interview, Consumer Affairs' Mark Huffman told me that although it's hard to quantify the average loss per scam, the average loss for someone over 70 is a whopping $9,000. "And that's just the average, so some losses are much higher," Huffman said. "I recently saw a report that a woman lost $18,000 to the grandparents scam."

Top two tips for avoiding grandparent scams:
  1. Devise a code word that can be used for communication between grandparents and grandchildren. 
  2. Make sure grandparents understand how common scams are.  
Have you or someone you know been contacted? 

Thirty percent of respondents to the Consumer Affairs survey had been contacted by a con artist pretending to be their grandchild or another family member in need of money. Send us your story, and we may publish it in an upcoming Tips message. 

Camp Mitigwa, Woodward, Iowa. SOURCE: Mid-Iowa Council of the Boy Scouts of America
Updates to the California Consumer Privacy Act
Changes are effective immediately

California's sweeping privacy legislation, barely seven months old, has already undergone an update. 

On Aug. 14, the California attorney general announced the Office of Administrative Law had approved the final regulations under the California Consumer Privacy Act (CCPA). They went into effect immediately.

So what changed? The following requirements were removed...
  • Section 999.305. Notice at Collection, Subsection (a)(5). This provision prohibited a business from using a consumer's personal information for a materially different purpose than disclosed in the notice of collection unless it obtained explicit consent from the consumer.
  • Section 999.306. Notice of Right to Opt-Out, Subsection (b)(2). This provision required a business that substantially interacts with consumers offline to provide a notice to the consumer by an offline method.
  • Section 999.315. Requests to Opt-Out, Subsection (c). This provision required that a business's method for submitting requests to opt out be easy for consumers and require minimal steps. It also prohibited a business from using "a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer's decision to opt-out."
  • Section 999.326. Authorized Agent, Subsection (c). This provision permitted a business to deny a request from an authorized agent in which the agent does not submit proof they are authorized to act on the consumer's behalf.
There were also a few minor changes throughout I won't go into here. If you're interested in hearing more about those, drop me a note.

In addition to the newly updated, barely seven-months-in-effect CCPA, there is another major change possible in California's near future. The California Privacy Rights Act of 2020 (CPRA) is on the California ballot this November as a proposed successor to the CCPA. CCPA went into effect on January 1, 2020, and enforcement just started on July 1, 2020. If CPRA passes in November, most of its provisions will take effect on January 1, 2023, with enforcement beginning July 1, 2023.

A common sight in many cities throughout Iowa. SOURCE: The Associated Press

When Buying Online, Layer Your Precautions
Just one step won't do the trick

Tips reader Jill brought up an important point in response to our article on safer online shopping, published in the July Tips message.

The article provided six steps consumers should take to help limit their risks when making purchases on the Internet. One of those six was to ensure a site's URL begins with HTTPS (the S stands for secure) or shows a padlock icon at the left of the address bar in Chrome browsers. 

Jill wrote in to say that, according to research she had seen, "the presence of the padlock is really no longer something that can be trusted," and asked if I agreed. 

And yes, I do agree! On their own, HTTPS and the padlock are not enough to warrant a consumer's confidence. I wouldn't want anyone to think doing just one of the six steps we enumerated was enough to ensure online shopping safety.

Cybercrooks are, indeed, using TLS (still commonly called SSL) and HTTPS themselves. Certificates are free and quick to obtain, and the padlock only confirms that your connection to the site named in the address bar is encrypted and that the site holds a certificate for that name. It says nothing about who runs the site or whether they will ship what you ordered. So the indicators are still worth looking for, but only along with the other five tips listed.

As a general rule of thumb, if you do not see HTTPS right off the bat when visiting a site that will ask for your credit card data or other personal information, move away from the site! No need to even check the other five indicators.

Who doesn't use encryption anymore?

There are still many online shopping sites that aren't using HTTPS at all, so that is the first sign of a site to avoid when shopping online. Many of these sites were put up in haste at the beginning of the pandemic, selling items that were being hoarded. Or, they weren't even selling anything at all...just hoping to collect personal data and financial information. 

And, even well-known brands make mistakes with regard to how they present their security. Zoom, for instance, is being taken to court over claims it falsely presented its security as end-to-end encryption.

Any time we're using online or digital tools, well-known or otherwise, it's best to have multiple layers of protection for our data and privacy.
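As an added example of layering those checks (this is not code from this newsletter and not anyone's production filter), the following Python function looks past the padlock and asks what the address itself says. The brand list, the rule names and the sample URLs are constructed for illustration, and the registrable-domain check uses a simplified "last two labels" heuristic rather than the Public Suffix List that real tooling relies on, so treat it as a teaching aid, not a verdict engine. It encodes the rule above (no HTTPS, walk away) and then adds checks the padlock cannot make for you: a brand name that appears in the hostname but is not the domain you are actually connecting to, a bare IP address, a punycode (xn--) label that may be a look-alike, and credentials embedded before an @ sign that push the real host out of view.

```python
"""URL triage for online shopping: what the padlock does not tell you.

Added example for this article (not the author's code). Rules, brand list
and sample URLs are constructed; the registrable-domain heuristic is a
simplification (assumption: last two labels), not the Public Suffix List.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed: brand names a shopper might expect, mapped to the domain the
# brand really uses. A real check would use a vetted allow-list.
KNOWN_BRANDS = {
    "example-shop": "example-shop.com",
    "examplebank": "examplebank.com",
}


def registrable_domain(host):
    """Approximate the domain someone actually registered.

    Assumption: the last two labels ("shop.example-shop.com" -> "example-shop.com").
    Wrong for suffixes like co.uk; production code should consult the
    Public Suffix List instead.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip_literal(host):
    """True for a bare IPv4/IPv6 address used in place of a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def triage(url, brands=KNOWN_BRANDS):
    """Return a list of findings; an empty list means no tripwire fired.

    Deliberately absent: nothing here inspects the certificate. A valid
    certificate only proves the site controls the name shown, which is
    exactly what a fraud site also has.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []

    # Rule 1 (the article's): no HTTPS on a site asking for card data -> leave.
    if parts.scheme.lower() != "https":
        findings.append("no-https")

    if not host:
        findings.append("no-hostname")
        return findings

    # Credentials before '@' push the real host to the right, where it is easy to miss.
    if parts.username is not None:
        findings.append("userinfo-in-url")

    if is_ip_literal(host):
        findings.append("ip-address-host")

    # Internationalised labels can render as look-alikes of familiar names.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")

    # Brand name present, but the domain you connect to is somebody else's.
    reg = registrable_domain(host)
    for brand, real_domain in brands.items():
        if brand in host and reg != real_domain:
            findings.append(f"brand-in-wrong-domain:{brand}")

    return findings


def safe_to_proceed(url, brands=KNOWN_BRANDS):
    """True only if no tripwire fired. Passing is not proof of legitimacy;
    it just means these address-level checks did not contradict the padlock."""
    return not triage(url, brands)


if __name__ == "__main__":
    # Constructed sample addresses, not real sites.
    for sample in [
        "https://example-shop.com/checkout",
        "http://example-shop.com/checkout",
        "https://example-shop.com.secure-checkout.net/login",
        "https://203.0.113.5/pay",
        "https://xn--exmple-shop-abc.com/",
        "https://example-shop.com@evil.example/",
    ]:
        print(f"{sample:55} -> {triage(sample) or ['no findings']}")
```

The third sample is the one the padlock is worst at: "example-shop.com.secure-checkout.net" can carry a perfectly valid certificate and show a lock, because the attacker genuinely controls secure-checkout.net. Only reading the hostname from the right tells you who you are really talking to.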

One of many damaged buildings in Iowa. SOURCE: Daniel Sanchez

Four Disaster Threats You Need to Know About
Storms and health threats bring out the worst in already bad guys  

Although there are many scams brewing amid the threats posed by COVID-19 and various natural disasters in the U.S., here are four that appear to be growing in popularity. 

Hired Contractor Rip-Offs: Many working to clear tree limbs and fix damage in the wake of our freak storm in the Midwest are being hit with another blow from scammers looking to capitalize on people's misfortune. The Iowa attorney general's office gives tips on potential scams after the derecho. Iowa is not alone; scams like these are also being attempted in areas hit by hurricanes, wildfires and other natural disasters.

Home Test Kits and Fake Vaccinations: According to the FTC, scammers are selling products to treat or prevent COVID-19 without proof that they work. Ignore these offers and rely instead on confidential communication with your healthcare provider or approved testing site. 

Stimulus Check Scams: As reported by Forbes, callers suggest that you might qualify for a special COVID-19 government grant and that you must first verify your identity. Variations on the scheme come through text messages, social media posts and messages. Especially now, with so much confusion over whether a second stimulus may be coming, it's really important to keep your guard up. 

Increase in Data Breaches: A recent Verizon report found that attackers exploiting COVID-19 are relying on an increase in human errors, lax password practices, ransomware and phishing emails that play on emotions. This makes it extra important for you to continue to practice good personal data hygiene, such as using strong, unique passwords (and changing any that may have been exposed) and being extra careful about how and where you disclose your data. 

BREAKING NEWS: Research says Kindle device collects large amounts of data

Do you have a Kindle? If so, be aware of new research from DuckDuckGo. The report starts, "The Kindle sends device information, usage metadata and details about every interaction with the device (or app) while it's being used. All of this is linked directly to the reader account." It includes several screenshots showing some of the types of data collected.
I don't have a Kindle device, but I have some Kindle books I've gotten from Amazon. I read them on my Windows 10 system computer via my Chrome browser. I now need to see about how much data is being collected through reading the Kindle e-books using this method.

READER QUESTION: Is Anti-Cheating Software Secure?
The university I attend will soon be using online invigilation software to ensure students don't cheat while taking online exams. Proctorio works through a Chrome extension downloaded to the student's device. It accesses the device's webcam and microphone to track eye movement, noises and other clues that the students may be cheating. It also installs a keylogger and can take screenshots of their desktops.

There has been a considerable social media backlash to this from students, and I am unsure how I should feel about this. Several students are concerned that this data isn't secure. What is your opinion?

Thank you for this important question. While remote learning for universities is sometimes necessary (and certainly is necessary for the health safety of students at all levels during a pandemic), it also introduces new privacy risks. 

Tracking eye movement, noises and other clues that students may be cheating is, in and of itself, a privacy risk. Because the software uses artificial intelligence, I have two key concerns:
  • How well does the AI work? Was it tested to ensure a very low false positive rate? If the software is not rigorously engineered, it could be flagging students as cheating when they are not.
  • Was the software verified to be bias-free? If it was not built to account for a diverse student population, it's possible bias may result in false accusations.
The Proctorio site claims to abide by "Privacy by Design" principles and that data is encrypted. It also provides a security assessment report from White Oak Security (completed July 24, 2020). The assessment is very brief and focused on "determining whether or not encrypted video and audio is stored in appropriate data centers/regions to satisfy national/local data privacy laws." That's a rather vague statement and a very narrow scope of consideration for a security assessment.

Here are a few additional observations about the assessment:
  • There was a finding that metadata tracks a student's location. It labeled this as low risk and did not include any further discussion nor any associated details. Why was this determined to be a low risk?
  • The report did not mention anything about security implemented to prevent unauthorized keylogger use, unauthorized desktop screenshots or unauthorized webcam footage.
  • I could not find any lists of entities with whom Proctorio shares student data (one can assume that at the very least, they are sharing info with the schools that use the software). It also didn't describe the types of data collected, stored and shared, and did not describe how accuracy of the monitoring tools is confirmed.
I suggest you submit questions about the aforementioned issues to your school. Along with these:
  • How many school instructors, administrators and others within the school system have access to student data collected/analyzed by Proctorio?
  • Are they all required to secure their access to that data and not use that data for any other purposes?
  • Who are the third-party entities (e.g., administration, parents, law enforcement, marketing companies) with whom the school is sharing student data, including test results, and student information like name, birth date, address, etc.?
In my opinion as a long-time professor, an institution of higher learning should be prepared to answer questions like these from their students. What better way for students to demonstrate understanding than to recognize where there may be security and privacy risks? 

Great job, and keep up the tough questions!

More of the oak trees in another part of my yard.

Where to Find the Privacy Professor 

On the air... 
  • I was a speaker and panel member during the 2-day NIST online workshop, "Building the Federal Profile For IoT Device Cybersecurity: Next Steps for Securing Federal Systems" on July 22 and 23. You can see videos of the full event at the NIST website. The video of my talk and panel is here.  
  • On Aug. 28, I joined Bob and Ben Siegel from Privacy Ref to talk about work from home privacy and security, IoT device privacy and security and HIPAA and healthcare privacy.
  • I'm looking forward to being a guest on the Trility podcast. During the episode I'm scheduled for, we'll discuss infosec and privacy for senior living. 
  • I recently appeared on the Easy Prey Podcast, as well, to discuss pandemic-era threats to consumer data security and privacy. 
  • I'm also looking forward to being a guest in September on the We Get Real AF podcast with Sue Robinson and Vanessa Alava.


I'm so excited to be hosting the radio show Data Security & Privacy with The Privacy Professor on the VoiceAmerica Business network.

Do you have an information security, privacy or other IT expert or luminary you'd like to hear interviewed on the show? Or, a specific topic you'd like to learn more about? Please let me know!

I'd also love for your organization to be a sponsor! Shoot me an email and I'll send you more details.

All episodes are available for on-demand listening on the VoiceAmerica site, as well as iTunes, Mobile Play, Stitcher, TuneIn, CastBox, Player.fm, iHeart Radio and similar apps and sites. 

Some of the many topics we've addressed... 
  • student privacy
  • identity theft
  • medical cannabis patient privacy
  • children's online privacy and safety 
  • applications and systems security
  • cybercrime prosecutions and evidence
  • government surveillance
  • swatting 
  • GDPR
  • career advice for cybersecurity, privacy and IT professions
  • voting / elections security (a series)
Please check out some of my recorded episodes. You can view a complete listing of shows to date, grouped by topic. After you listen, let me know what you think! I truly do use what I hear from listeners.

SPONSORSHIP OPPORTUNITIES: Are you interested in being a sponsor or advertiser for my show? It's quickly growing with a large number of listeners worldwide. Please get in touch! There are many visual, audio and video possibilities.

We have current sponsorship openings. If your organization wants to sponsor one show each month, I will cover topics  related to your organization's business services and/or products.

In the news... 

National Institute of Standards and Technology (NIST)

White Paper NIST Technical Note (TN) 2066. "OpenFMB Proof of Concept Implementation Research." The paper focuses on the cybersecurity risk implications of deployments and a proof of concept implementation of OpenFMB.

Advertising Now Available!

Tips of the Month is now open to sponsors. If you're interested in reaching our readers (maybe you have an exciting new privacy product or service or an annual event just around the corner), the Tips email may be just the thing to help you communicate to more people! 

We have a variety of advertising packages to meet every budget. 

3 Ways to Show Some Love

The Privacy Professor Monthly Tips is a passion of mine and something I've offered readers all over the world since 2007 (Time really flies!). If you love receiving your copy each month, consider taking a few moments to...

1) Tell a friend! The more readers who subscribe, the more awareness we cultivate.

2) Offer a free-will subscription! There are time and hard dollar costs to producing the Tips each month, and every little bit helps. 

3) Share the content. All of the info in this email is sharable (I'd just ask that you follow

A friend's daughter standing before her campsite in Woodward, Iowa.
It's been an incredibly trying time for so many people in the U.S. and around the globe. Data security and privacy risks are like adding salt to the wounds of so many. Yet, we can't ignore them. The more aware we are, the more protected we are. 

Like this month's Reader Question signifies, consumers are paying much closer attention to their risks. I'm thrilled to see this and want to hear more of your stories. They are so encouraging to me as an advocate for awareness. Send them on over! 

Have a happy, healthy and cyber safe September,

Need Help?

Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:

Source: Rebecca Herold. September 2020 Privacy Professor Tips. www.privacyprofessor.com.

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Info

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through PrivacyGuidance.com
2) making a request directly to Rebecca Herold; or 
3) connecting with Rebecca Herold on LinkedIn

When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the encouraged communications by LinkedIn, she will send those asking for LinkedIn connections her Tips message monthly. If they do not want to receive the Tips message, LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com. 

If you wish to unsubscribe, just click the SafeUnsubscribe link below.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564
View our profile on LinkedIn   Follow us on Twitter