It's That Time of Year Again 

Opening a fresh new calendar is especially exciting for privacy people like me. That's because international Data Privacy Day is celebrated each year on Jan. 28. 

I t's officially less than a month away! What will you do to mark the day?

I'm thrilled to announce a couple ways we're observing the now 11-year-old holiday. For starters, we will be announcing our first ever Privacy Hero of the Year... in this very issue

Second, our state's head legislator, Iowa Governor Kim Reynolds, has declared Jan. 28, 2019, to be Iowa Data Privacy Day. This hyper-local recognition of a global awareness initiative is a very special acknowledgement we've been successful at securing for nine consecutive years. 

This monthly email is one of several ways I'm proud to raise awareness of data security and privacy issues, concerns and trouble spots. This year, I'd love to make it even more relevant by incorporating feedback from you. So, shoot me a quick note to let me know which topics you'd like me to cover in 2019. I may address them here, cover them on my weekly radio show or explore them in several keynote addresses I'm scheduled for throughout the coming year. 


Yet Another Facebook Bug Uncovered
Private photos made available to app developers

Facebook's in hot water again. This time for exposing the private photos of millions to a sea of app developers. 

Among those photos exposed are ones users uploaded, but for whatever reason, decided not to post. (Yes, Facebook still has access to those!)

The trouble spot... again... stemmed from the "Sign In with Facebook" feature, which allows users to create accounts on third-party sites using their Facebook credentials. 


Data security and privacy experts advise against using "convenience" features like "Sign in with..." because it flies right in the face of another no-no. We tell consumers NEVER to use the same password more than once. Using "Sign in with" shares your passwords across multiple accounts. 

The other thing that often happens when you grant a third party app permission to access your sign-in credentials is that third party can also see the data you've uploaded to the initial site. In this case, a Facebook bug allowed app developers to see a broader range of Facebook photos than are typically allowed. 

How to tell if your photos were exposed

According to LifeHacker, anyone curious to see if they were impacted by the Facebook bug can check by logging into Facebook and then visiting this page. It will tell you which apps may have had access to your photos. 

hero2Privacy Hero 2018: Tara Taubman-Bassirian         
Two privacy champions gather votes from community 

We've tallied the votes from our Privacy Hero of the Year poll, and the results are in...  Tara Taubman-Bassirian is the winner! 

The poll's runner up,  Philip Zimmermann, is equally as deserving of the recognition... as is each of the nominated parties, which you can learn more about on the Privacy Guidance website

(Big thank you to the community of voters for participating in our first ever Privacy Hero of the Year initiative.)

Hopefully you will get a chance to hear from Tara and Philip on upcoming episodes of my radio show, Data Security and Privacy with The Privacy Professor. I've extended invitations to each today, so stay tuned for more details. 

For those who may have missed our profiles on Tara and Philip, here are the recaps...

Tara Taubman-Bassirian: Early adopter learns tech so she can teach others

Tara goes by many titles: lawyer, advocate, mediator, researcher, consultant, speaker and writer. With incredible expertise in areas like privacy, intellectual property and data protection, she has made a name for herself in several areas of the world, most notably the UK, France and the US.

An early adaptor of emerging technologies, Tara makes it her business to understand intimately the challenges presented by regulations in the era of high connectivity. This year, the EU GDPR was a heavy focus for Tara. This is how she has become a trusted advisor to individuals and businesses looking to navigate the legal pathways to justice in the Internet age.

Tara is heavily involved raising awareness around privacy issues, rights and regulations. She is a member of ICANN's Noncommerical Users Constituency, the European Network and Information Security Agency (ENISA) and Society for Computers Law. She co-authored "Online as Soon as It Happens" and is a volunteer mediator for Meditation North Surrey where she extends community mediation to copyright conflict resolution.

A few years back, Tara and I co-founded the Facebook group Fly a Kite, dedicated to coping with and eradicating cyber-bullying, something near and dear to the two of us.

Philip R. Zimmermann: Creator of "Pretty Good Privacy" (PGP) encryption

The first personal encryption tool I ever used back in the early 1990s was PGP, developed by Philip R. Zimmermann. The free solution effectively democratized high security for individuals and small businesses, which prior to PGP's development simply couldn't afford to encrypt sensitive and personal data.

Philip is also the author of a favorite q uote of mine: "If privacy is outlawed, only outlaws will have privacy."

In 1991, after Philip published PGP for free on the internet and it began to spread worldwide, he became the target of a three-year criminal investigation. The U.S. government alleged he had violated U.S. export restrictions on cryptographic software. Thankfully, the case was dropped in early 1996.

Philip went on to become an advisor and consultant to PGP Corporation, which was ultimately acquired by Symantec in 2010. For the last 15+ years, his focus has been on secure telephony for the internet. He developed the ZRTP protocol, as well as Silent Phone and Zfone, and co-founded Silent Circle, a provider of secure communications services.

Rightfully so, Philip has received numerous honors and awards. In 2014, he was inducted into the Cyber Security Hall of Fame, and Foreign Policy Magazine named him one of the Leading Global Thinkers of 2014. The next year, Philip received the U.S. Privacy Champion Award from the Electronic Privacy Information Center.

votesPrivacy Votes Highlight 2 Big Privacy Issues
What's behind your choices
While the Privacy Hero of the Year voting results were not scientific, I did find it interesting that our winners were so closely associated with two very big issues in privacy advocacy: GDPR & e ncryption.


Around the globe, organizations are facing immense pressure to address the EU GDPR. Tara Taubman-Bassirian has been providing exactly that to many, and it's clear from the active participation in our poll, they are grateful. 


Long valued for protecting our data and privacy, encryption is another tool that has inspired gratitude among many. And while PGP was introduced almost 28 years ago, there are still many grateful for Philip Zimmermann's  leadership in promoting the need for strong encryption tools with no back doors

The results of our poll were based on those who took the time to express their gratefulness to these specific individuals. It certainly does not take away from the great achievements of the others nominated for this honor. I personally admire and greatly appreciate each of them.

I believe initiatives like this help to establish a type of barometer for what is important to individuals at a given point in time. Today, having a comprehensive privacy regulation to protect the privacy of individuals and having strong, effective tools anyone can use to protect their own data are priorities (at least among our readers!). 

ftc2 FTC Alerts That Should Get Your Attention
Attackers set sights on your SSN and your Netflix account
The U.S. Federal Trade Commission (FTC) is warning of two winter-time scams. Take a look and then spread the word!

Scammers Impersonate Netflix

The below screenshot came to the FTC from police in the U.S. state of Ohio.  

Clever timing on this, as people are hunkered down for couch time with loved ones. If you were planning a night in with Netflix and this came through, you might be very likely to click. 

But, if you did, you may find yourself keying credit card information into a fake website and directly into the hands of greedy cybercriminals, ready to use those accounts for themselves or sell them on the dark web to potentially hundreds of other crooks. 

TIP: If you get a notification about problems with your payment details, check it out independently. Navigate to the website of the company in question on your own, WITHOUT clicking on an email, text or sharing with a person who calls you on the phone. Hang up and contact the company directly. 

Scammers Impersonate Social Security Administration (SSA) Officials

More than 35,000 people were contacted by fake SSA officials in 2018. In total, these victims lost $10 million to the scam. 

The FTC has posted audio of one such scam. I've also received (and recorded) similar scams, which I've posted on my website. Go have a listen so you are ready if similar calls come your way. 

Some red flags and other things to know:
  • No government agency of any kind will call you to threaten arrest. 
  • Your social security number can not be "suspended."
  • Your bank account will never be seized by the SSA. 
  • No one will ever ask you to verify your entire SSN via phone. 
  • The real number for the SSA is 800-772-1213. 
  • SSA will never call to threaten your benefits. 

Limiting what Alexa, Siri and Google know about you
The Alexa companion app was the most downloaded app on Christmas Day, indicating just how many smart home devices were gifted during this holiday season. 

Using voice recognition technology to control our homes, make purchases, play music, find directions and answer our most burning questions is certainly convenient. But, that convenience comes at a price -- namely unfettered access to our voice data and associated behaviors, as well as any sound or conversation in the vicinity.

To limit that access, it's a good idea to remove your voice command and search histories from the growing variety of virtual assistants you access throughout your day. Here's a quick round-up of how to do exactly that from three popular companion apps:

Amazon Alexa: In the Alexa App > Settings > History > Delete Voice Recordings

Google HomeGoogle Account > Personal Info & Privacy > Manage Your Google Activity > Go to My Activity > Follow directions found in this article

Apple HomePod: Apple erases "Hey, Siri" voice commands after analyzing them, so users of Apple HomePod do not need to delete any stored history. Keep an eye on this, however, as companies often change their privacy practices. 

 easy5 Easy Ways to Celebrate Data Privacy Day
Ideas from the National Cyber Security Alliance (and one from me)
youThe Harm in Taking Social Media Quizzes
Before you take one of them, consider this... 

Identity theft is probably the last thing on your mind when taking an online quiz like "What Spirit Animal Are You" or "What Food Matches Your Personality." But, according to Prevention magazine, it's a very real risk. 

Scammers create these quizzes by asking standard "security" questions, such as your favorite teacher's name, your childhood best friend or your first car. Your answers get added to other information they know about you, like your Facebook username or your mobile number. It's then sold on the dark web where cybercriminals maintain databases full of personal information. As they learn more about you, your profile becomes more usable, and therefore more valuable. 

TIP: Use fake information when answering security questions. That way, if you ever get tricked into revealing the real answers in an online quiz (or other scam), the crooks will have a much harder time hacking your accounts. 

breachHow to Prevent a Breach: Bouygues Telecom
Mergers and acquisitions often increase security vulnerabilities

Each month in 2019, we'll take a look at a different breach and talk through the ways it possibly could have been prevented. This month, we're exploring the Bouygues Telecom breach announced this week. 

The timing of the breach is key in this case. Bouygues Telecome says the vulnerability originated during the merger of Bouygues Telecom and B & You. As various IT systems came together in 2015, a series of tests was run by personnel. During those tests, a computer code necessitating the authentication of the website  was deactivated. Unfortunately, the code was not reactivated after the tests were completed. 

Human error strikes again. 

So, what are some of the steps that could have been taken to prevent this breach?
  • Implementation of more rigorous change controls.
  • More thorough testing of software changes.
  • Independent oversight of changes (by someone other than the person making the changes).
  • Documented policies, procedures and training around software changes and testing.
Understanding risk factors is also incredibly important to preventing unauthorized access to customer data. 

This incident was rife with inherent security risks:
  • Mergers and acquisitions, during which security and privacy vulnerabilities are often overlooked... or created.
  • A contracted (third party) is given access to personal customer data to perform software changes.
  • Authentication requirements are disabled for any length of time.
  • A worker simply forgets to turn authentication requirements back on and is not covered by another individual or supervisor. 
PPInewsWhere to Find the Privacy Professor  

In the classroom... 

After years of  providing a regularly updated set of online employee training modules for my SIMBUS business clients,  and on-site certification teaching for IAPP, I'm excited to now also be teaching online IAPP-approved CIPP certification classes. 

As an instructor for AshleyTrainingOnline, an IAPP-registered certified training partner, I host a range of classes for businesses, groups or teams

Do you have a group for which you'd like to coordinate training? We can often arrange a discounted price for organizations and associations based on the number you have participating.

Hope to see you in the virtual classroom sometime soon!
 ** I also teach CIPM and CIPP/US classes, so if you are interested in those, let me know!**

On the road...

One of my favorite things to do is visit with leaders in different industries - health care and managed systems providers to insurance and energy (and beyond). So far, I have tentative appearances set for February, May and June 2019. Watch for dates in my February Tips issue... who knows, I may be coming to your neck of the woods!

And, if you're looking for an experienced speaker who knows how to bring data security and privacy risks to life... on stage, on the airwaves or over the internet, please get it touch

On the air... 


I'm so excited to be hosting the radio show  Data Security & Privacy with The Privacy Professor on the  VoiceAmerica Business network . All episodes are available for on-demand listening on the VoiceAmerica site, as well as iTunes, Mobile Play, Stitcher, TuneIn, CastBox, and similar apps and sites. 

Hear the perspectives of incredible guests as they talk through a wide range of hot topics.

Some of the many topics we've addressed... 
  • identity theft
  • medical cannabis patient privacy
  • cybercrime prosecutions and evidence
  • government surveillance
  • swatting 
  • GDPR
  • career advice for cybersecurity, privacy and IT professions
  • voting / elections security (a series)
Please check out some of my recorded episodes. You can view a complete listing of shows to date, grouped by topic. After you listen,  let me know what you think ! I truly do use what I hear from listeners.

SPONSORSHIP OPPORTUNITIES: Are you interested in being a sponsor or advertiser for my show? It's quickly growing with a large number of listeners worldwide. Please get in touch! There are many visual, audio and video possibilities.

In the news... 

Bank Info Security

CISO Platform

World's Top IT Security Influencers What a great honor to be included in this list!


Credit Union Times

Health Care Info Security


Think Advisor


3 Ways to Show Some Love

The Privacy Professor Monthly Tips is a passion of mine and something I've offered readers all over the world for since 2007 (Time really flies!). If you love receiving your copy each month, consider taking a few moments to...

1) Tell a friend! The more readers who subscribe, the more awareness we cultivate.

2) Offer a free-will subscription! T here are time and hard dollar costs to producing the Tips each month, and every little bit helps. 

3) Share the content. All of the info in this e mail is sharable (I'd just ask that you follow

It's time to celebrate. We're starting a new year full of possibilities. I hope your 2019 brings everything you hope for and more. Please don't hesitate to get in touch if there's anything my team and I can do to make it the best one yet!

Happy January!

Rebecca Herold, The Privacy Professor
Need Help?

share2Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share  excerpts, as well, with the following attribution:

Source: Rebecca Herold. January 2019 Privacy Professor Tips.

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Infoprivpolicy

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through
2) making a request directly to Rebecca Herold; or 
3) connecting with Rebecca Herold on LinkedIn

When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the encouraged communications by LinkedIn, she will send those asking for LinkedIn connections her Tips message monthly. If they do not want to receive the Tips message, LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at 

If you wish to unsubscribe, just click the SafeUnsubscribe link below.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564

Visit my blog    Follow me on Twitter