Gift Givers, Check Your Lists Twice

The digital era has brought with it a huge number of exciting gift ideas. DNA kits, smart home devices, wearables, digital personal assistants -- the list goes on. But, before you unknowingly saddle a loved one with a personal data siphon, read those privacy policies closely. 

If you're unsure what they mean, ask questions of the providers. If they don't respond, move on. Yes, it's a busy time of year, but every technology company needs to prioritize inquiries about data security and privacy. Those that don't either have something to hide or don't understand the importance and need a wake-up call. 

Read on for even more ideas for limiting your exposure to data security and privacy risks this holiday season. 

I hope you enjoy the photos from my trip to Luxembourg in October.
Data Security & Privacy Beacons
People and places making a difference**

Have you seen an organization or individual taking actions to improve privacy? Send me a note to nominate a privacy beacon of your own!

Regional ATM network operator SHAZAM has developed an app to give more U.S. debit cardholders an easier way to monitor their financial transactions. Called SHAZAM BOLT$, the app's functionality mirrors that of apps developed by some of the largest global megabanks (e.g. receive fraud alerts, set spending controls, pause card transactions if card is lost). SHAZAM's clients, on the other hand, are local and regional financial institutions. So, with the advent of SHAZAM BOLT$, debit card users can get the same or similar level of protection regardless the size of their bank. 

DuckDuckGo is a search engine that just added an exciting new feature called Smarter Encryption. It automatically upgrades encryption for sites its users visit. The real cool part is that Smarter Encryption gets more robust the more its used. Whereas similar tools offer the protection on fewer than 150,000 sites, DuckDuckGo already works on 12 million sites. The company gets extra "beacon" points for creating this feature with open-source code so other developers can integrate it with their own sites and platforms. 

The New Jersey Attorney General has launched a new initiative to teach kids and teens how to protect themselves and their data while online. To kickoff the Cyber Savvy Youth Initiative, the AG Office acting director visited an elementary school in Jersey City where he spoke to students about internet safety and shared tips on how to spot potential dangers online. With upwards of 1 million children each year becoming victims of identity theft, it's great to see leaders take a more active role in arming kids with the knowledge to stay cyber safe. 

**P rivacy beacon shout-outs do not necessarily indicate an organization or person is addressing every privacy protection perfectly throughout their organization (no one is). It simply highlights a noteworthy example that is, in most cases, worth emulating.
Old Luxembourg view from my landing plane.
real Is Your DNA Profile Private?
A Florida judge's decision says no 

A warrant for DNA, granted in Florida, has set a massively important (and scary) precedent. A judge's decision to support that warrant is one that may open up all consumer DNA sites to law enforcement agencies across the country.

According to the New York Times, the DNA profiles of some 20 million people could be subject to scrutiny now that the door has been opened. 

Sites like 23andme, and GEDmatch are enticing to law enforcement looking to close new and cold cases. Although these sites may say a person's genetic information is private, the warrant granted in Florida allowed access to the full database. That gave detectives access to the personal data of people who had NOT opted in to making their genetic information accessible to law enforcement. 

Of course I believe the solving of cold-case crimes is a wonderful byproduct of DNA research. And, in a perfect world, the innocent would have nothing to worry about. Unfortunately, we don't live in a perfect world.  This horrible invasion of privacy for all who use these sites could lead to a very wide range of other uses of the DNA. The possible resulting harms of misusing the data are virtually unlimited.

The scary facts are that 1) DNA profiles are not 100-percent accurate; 2) samples can be accidentally combined; and 3) the data involves relatives, as well. A recent JSTOR Daily article points to an incident in which a DNA profile led to a child far too young to have committed the murder detectives were investigating. Turns out, the child's uncle, who did later confess, was the real killer.

As you weigh the benefits of participating in DNA collection sites with the potential downside, consider that you're making this decision for more than just yourself. When you share your DNA, you effectively share the DNA of every one of your blood relatives, too. 

If you are thinking about giving the gift of DNA exploration for the holidays, I want you to be aware of what else you may be giving away in the process. 

Another view of old Luxembourg from the bank of the valley where the city is nestled.
wantedFresh Phish: Wanted Dead or Alive
'FedEx Manager' wants to confirm I'm still among the living

We hear often about celebrities falsely proclaimed to be dead, but this was a first for me. 

The email I received recently (below) originated from a domain in Ireland. It's clearly a phishing attempt and not a very good one at that. Could it have been written by a robot? Quite possibly. Notice the many red flags:
  1. The sender's name and the domain name are a mismatch. 
  2. The "DO NOT IGNORE THIS TEXT," is immediately suspicious, particularly given this was an email, not a text. 
  3. The sender claims my doctor has informed him I'm dead. That's not only false, it would be a HIPAA violation. 
  4. The signature, which contains the mispelling of "Sincere" vs. "Sincerely" seems to indicate that Dr. Jan Robert doubles as a FedEx Manager.
Phishing emails like this can be somewhat comical. But, the sinister intent is no laughing matter.

-----Original Message-----
Sent: Thursday, October 17, 2019 7:23 PM
Subject: Attention!!


I've been informed by Dr. Johnson Hale claiming to be your doctor that you are dead and have asked him to come to my office and claim your funds tomorrow morning.

Please reply ASAP and do not ignore else your funds will be sent to his provided account.

get back to us now with this information below

Full Name, Home Address,Cellphone Number.

Dr. Jan Robert
FedEx Manager

Notre-Dame Cathedral in Luxembourg.
Is faithful fitness tracking worth the data security and privacy risk? 

On November 1st, Google bought Fitbit in a $2.1 billion acquisition. The deal has prompted some who don't trust Google to get rid of their Fitbit devices.

Upon acquisition of the wearable device company, Google will also obtain knowledge of every step, heartbeat and health metric of Fitbit users. That's put several people on the market for alternatives, like Apple Watch. 

(Although Apple has been stepping up its "Privacy. That's iPhone." messaging in advertisements, just as many questions loom about their own privacy policies and practices.)

Google has said it will not sell any personal or health data and that users will be able to  review, move or delete their data. However, the company doesn' t have the best reputation around data security and privacy, so trust is not where they'd likely want it to be. 

Consumers are willing to share some data to access relevant information and products. But, should that willingness extend to health data... health data that not only reveals some of the most intimate details of a person's private life but is also highly valuable on the dark web? It's a question every person needs to answer for him or herself. 

Grand Ducal Palace in Luxembourg.
 easyThe Other Side of Background Checks
Data from job applicant investigations must be protected
Uber and Lyft are just two of many organizations that rely on background checks to mitigate risks associated with the people they hire and contract. In light of recent driver assaults and harassment of passengers, lawmakers are calling on these two companies in particular to do any even more thorough job of investigating people before they become drivers. 

Certainly, background checks offer plenty of upside to employers and their customers. But what about people seeking employment? Are background checks good for them?

My main concern with background checks and similar employer investigations is there's rarely clarity around what's done to protect the personal data companies receive from the checks. Most people who will be investigated are not criminals. Even if they are, however, the process of gathering that much private information needs to come with security controls, policies and procedures.

Background checks reveal much more than criminal history. They often include current and former addresses and employers, social security numbers, credit scores - the kind of detail a dark web operator would love to get his or her hands on. Data like this is regularly used to round out stolen identity profiles on the digital black market, bringing in lots of money for cybercrooks.

The other essential piece to this is transparency. Employers need to communicate how they intend to use the information they gather on potential and current employees. Will they, for instance, use it to determine compensation or benefits packages? Another longtime concern of mine is that the personal data of job applicants is often kept even for those who were not hired. These huge repositories of personal data, of people who are not employees, customers, patients, etc., are then often not protected. This creates a huge target for anyone who sees the value in this gold-valued data.

Bottom line, if a potential employer notifies you of an upcoming background check, don't be afraid to ask how they plan to use, retain, share and protect the information. You have every right to understand this, whether or not you have a criminal background.

Outside of the Bock Casemate (Catacombs).
A roundup of the good, the bad and the ugly of holiday gifting
The Good: Gifts for the privacy lover in your life

Privacy Screen Protectors by 3M: Advanced optical technology delivers visual privacy and screen protection... and they make the protectors to fit more than 40,000 different devices!

Anker PowerCore 5000 Portable ChargerMobile chargers like this one prevent device owners from having to use public USB ports, which may be infected with malware or contain small, completely imperceptible skimming devices.  I carry one in my backpack when I travel. Not only am I sure they have not been tampered with, they also allow me to charge wherever I happen to exploring old castles or medieval forests in Europe.

PortaPow 3rd Gen USB Data Blocker: Blockers like this one prevent skimming from malicious USB charging stations, often found in airports, hotels and other public spaces. Besides blocking data siphoning, they also allow the device to be charged.

Integral 32GB Courier FIPS 197 Encrypted USB 3.0Encrypted USB and external storage drives like this protect sensitive data. If an owner loses the device, no one else can access the data on it because it's encrypted. 

This Monthly Tips Message: Offer to sign up a colleague or loved one to stay on top of current data security and privacy threats. After all, it's free!

The Bad: Gifts you may want to reconsider if privacy's a priority

Furbo Dog Camera: The smart device connects to an app that let's you see, talk to and reward your pet (by launching treats into the room). But, it also adds an Internet-connected camera and a microphone to your living space and sends what it captures into the cloud. And, if you've not configured strong security controls, hackers could find the device using an IOT search engine, such as SHODAN, to find it and get into the data and other devices on your home area network. Careful!

Google Home, Echo Dot & Other Digital Personal Assistants These devices store a lot of recorded data in their cloud servers. That data can be accessed and used for law enforcement investigations, lawsuits and more. They record everyone in the vicinity, not just the device owner. Often, your guests don't even realize such devices are in the room. If you give these as gifts, show the recipient how to secure it and to set privacy controls. Advise them to keep the devices off anytime it's not actively being used. If you're unsure how to provide these instructions, I suggest not giving the devices as a gift. 
NOTE: I got myself an Echo Dot to run a series of data security and privacy experiments throughout 2020. Watch this Tips message for periodic reporting on what I find.

The Ugly: Gifts we advise against

Roku Streaming Player: Mozilla named this one of the worst gifts for privacy for the fact it makes more money selling your behavior data than it does selling its devices.

MiSafe's Smartwatch & Other Conversational Smart Toys: Many of these toys are easy to hack, exposing sensitive, unencrypted data like the child's name, weight date of birth and the parents' phone numbers. The My Friend Cayla Doll and the Furby Connect have been found to record children's voices or keep histories of the data kids entered. 

Can any company listen to my conversation through my mobile phone mic, see me through my camera or use my data stored in the phone without my permission? If so, how it that possible?

Great question! As with most questions regarding technology, security and privacy, however, there is not a single, clear-cut answer. 

The first nuance to this answer is that many of the activities you describe are technically possible, but they may or may not be legal.
Here are a few circumstances that allow for smart phone "spying:"
  1. Companies that issue phones they own and control, and that they have programmed to listen, watch, hear and collect the data, are absolutely permitted to do so in many parts of the world. In the U.S., for instance, there are no Federal laws prohibiting these practices, nor any requiring consumers' consent. However, outside of the U.S., some countries legally require organizations to obtain the consent of the employees to do such surveillance.
  2. If you have not secured your phone, there are numerous surveillance technologies that may be on board your device. Public wi-fi is like the Wild West. Basically anything  is possible with regard to surveilling those who use them. If you do not have security set on your phone, others on the wi-fi network could access your phone and its photos, videos and data. They may also be able to take control of your camera or microphone. Your best defense against such invasion is to set strong security controls on your phone and to be careful about which wi-fi networks you use.  
  3. Most mobile apps have very poor security and privacy controls built into them, if any at all. Some of the poorly secured apps you may have loaded on your phone could be sending your photos, video, audio and data to unlimited numbers and types of third parties. This may even include publicly accessible sites. Many app start-ups are lured into making money by selling user data, images, audio and video to third parties. To protect yourself, delete all apps you don't use and only use those with security and privacy settings. Also, strongly encrypt data on your phone. Here's just one of what could be thousands of real-life examples for how unsecured apps provide such access to your phone. 
As an extra precaution, turn off your phone's camera, video and audio recorder when they are not in use. Keep them turned off at all times unless you want to actively use them.
All this, and I've not even touched on the hardware surveillance possibilities through vulnerable technologies that exist today. You can learn more beginning at minute 17:49 of this webinar: Protect Your Small Business Online.

The cobblestone streets and buildings of Old Luxembourg were quite enchanting!
PPInewsWhere to Find the Privacy Professor  

On the road...

I just love speaking, hosting and teaching courses all over the world. I just returned from Luxembourg, in fact. 

If you're looking for an experienced speaker who knows how to bring data security and privacy risks to life... on stage, on the airwaves or over the internet, please get it touch. And, if you're going to be in any of the locations below, stop by and say hello.

December 13, 2019: Speaking about privacy at the Iowa Infragard December meeting, 8:30 a.m. central at the Farm Bureau facilities in West Des Moines.

May 21, 2020: Speaking at the Contact Center Association of the Philippines (CCAP) Privacy Summit. More details to come!

On the air... 


I'd love for your organization to be a sponsor! Shoot me an email and I'll send you more details.

All episodes are available for on-demand listening on the VoiceAmerica site, as well as iTunes, Mobile Play, Stitcher, TuneIn, CastBox,, iHeart Radio and similar apps and sites. 

Some of the many topics we've addressed... 
  • student privacy
  • identity theft
  • medical cannabis patient privacy
  • children's online privacy and safety  
  • applications and systems security
  • cybercrime prosecutions and evidence
  • government surveillance
  • swatting 
  • GDPR
  • career advice for cybersecurity, privacy and IT professions
  • voting / elections security (a series)
Please check out some of my recorded episodes. You can view a complete listing of shows to date, grouped by topic. After you listen,  let me know what you think ! I truly do use what I hear from listeners.

SPONSORSHIP OPPORTUNITIES: Are you interested in being a sponsor or advertiser for my show? It's quickly growing with a large number of listeners worldwide. Please get in touch! There are many visual, audio and video possibilities.

We have current sponsorship openings in three of the four weeks' shows each month. If your organization wants to sponsor one show each month, I will cover topics  related to your organization's business services and/or products.

In the news... 

Advertising Now Available!

Tips of the Month is now open to sponsors. If you're interested in reaching our readers (maybe you have an exciting new privacy product or service or an annual event just around the corner), the Tips email may be just the thing to help you communicate to more people! 

We have a variety of advertising packages to meet every budget. 

3 Ways to Show Some Love

The Privacy Professor Monthly Tips is a passion of mine and something I've offered readers all over the world for since 2007 (Time really flies!). If you love receiving your copy each month, consider taking a few moments to...

1) Tell a friend! The more readers who subscribe, the more awareness we cultivate.

2) Offer a free-will subscription! T here are time and hard dollar costs to producing the Tips each month, and every little bit helps. 

3) Share the content. All of the info in this e mail is sharable (I'd just ask that you follow

Authentic macarons, a scrumptious gift from my PWC Luxembourg host and his wife. 
This time of year, we give ourselves permission to let fly with generosity. As you give into the temptation to be your most benevolent self, be aware of the privacy misgivings that may be hidden beneath the ribbons and bows. They are becoming more prevalent with each passing year, and you'd hate to the bearer of bad tidings. 

Have a generous AND privacy-aware December!

Need Help?

share2Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share  excerpts, as well, with the following attribution:

Source: Rebecca Herold. December 2019 Privacy Professor Tips.

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Infoprivpolicy

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through
2) making a request directly to Rebecca Herold; or 
3) connecting with Rebecca Herold on LinkedIn

When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the encouraged communications by LinkedIn, she will send those asking for LinkedIn connections her Tips message monthly. If they do not want to receive the Tips message, LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at 

If you wish to unsubscribe, just click the SafeUnsubscribe link below.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564
View our profile on LinkedIn     Follow us on Twitter