Jan. 28 is Data Privacy Day
When you flip your calendar to 2021, draw a big red circle around Jan. 28, international Data Privacy Day!

One great thing about the day is the diverse ways we celebrate. For my part, I've asked the governor of my home state to formally acknowledge the same date as Iowa Data Privacy Day. She agreed, making this the 12th year in a row our state's governor has recognized this important day.

The physical proclamation is in the mail. We'll be sure to include an image of it in the February Tips.
January Tips of the Month

  • Data Security & Privacy Beacons

  • The Great Amazon Echo Experiment of 2020

  • Don't Be Fooled By Look-Alikes

  • Scammers on Zoom

  • Lonely in Lockdown?

  • The New Credit Calculation

  • A Fresh Spin on Identity Theft

  • Is a Vaccine Passport in Your Future?

  • READER QUESTION: When is 2FA Worth the Effort?

  • 3 Quick Tips

  • Learning Resources

  • Where to Find The Privacy Professor
Data Security & Privacy Beacons*
People and places making a difference

Researchers at Carnegie Mellon University CyLab designed the above opt-out privacy icon to make it easier for website visitors to participate in privacy choices. The icon, one of 12 the researchers created, was ultimately chosen by California lawmakers to support compliance with the California Consumer Privacy Act (CCPA). These same researchers have also developed the IoT Assistant app to alert app users to IoT devices in their vicinity. This helps people learn about data being collected, as well as any controls they may deploy, such as opting in or out of data collection. IoT vendors can use the system to contribute their own templates, or use others' templates, to describe their systems to users.

National Cybersecurity Alliance has sponsored the international Data Privacy Day each year since 2008. With robust online resources from social media posts to ideas for work, school and community, they make it easy for anyone to get involved. You know what would be a great action to take to get involved? Forward this Tips message to your friends, family and/or employees so they can learn more about privacy issues as part of this month’s Data Privacy Day activities.

Identity Theft Resource Center (ITRC) provides a large amount of information on data breaches, including the personal information exposed by each breach. For many years, they have educated the public on cybercrimes that are occurring, and importantly, the impacts of them. Now with the ITRC's Notified service, anyone can create custom views for five-year breach trends to get summaries of known breaches and exposures.

EDUCAUSE published a new report, "Key Findings on Privacy in Higher Education" to inform the public about the data security and privacy risks faced by college-level students, educators and the many others who support them. Beyond simply reporting on various risks within the sector, the paper also highlights ways higher education, technology and privacy leaders can develop and advance privacy programs and policies.

The National Institute of Standards and Technology (NIST) is celebrating the one-year anniversary of its Privacy Framework published in Jan. 2020. Over the past 12 months, many groups have adopted the voluntary tool to identify and manage privacy risk, as well as build innovative products and services while protecting privacy. NIST has done an excellent job updating the framework based on feedback they've received from the community.

ISACA released a new Certified Data Privacy Solutions Engineer (CDPSE) certification. ISACA's program is the first to address the engineering of privacy, which is critically important in the digital era. The CDPSE promises tech professionals the ability to implement privacy by design, resulting in privacy technology platforms and products that build trust and advance data privacy. (I've already gotten my CDPSE certification!)

U.S. Cyberdome is a non-profit, non-partisan organization launched in mid-2019 that has been working to ensure secure elections. Founded by cybersecurity experts, Cyberdome will absorb the costs of providing cyber protection to campaigns by working with donors and charitable foundations. Given the U.S. Cybersecurity and Infrastructure Security Agency (CISA) determination that the November 2020 US general election was "the most secure in American history," it seems their work is having a positive impact.

We're celebrating a few more beacons than usual this month to acknowledge the upcoming international Data Privacy Day!

*Privacy Beacons do not necessarily indicate an organization or person is addressing every privacy protection perfectly. A beacon simply highlights a noteworthy example of privacy-aware practices.
The Great Amazon Echo Experiment of 2020
Echo Show focus for 2021
During December 2019's super sales, I purchased an Amazon Echo Dot to do a year’s worth of privacy experiments. After dealing with a 2020 full of COVID-19, environmental disasters and personal health issues (not related to COVID), my conclusions have been reduced to a few high-level, qualitative results.

How the tests were conducted

Throughout the year, I plugged in and powered on my Echo Dot only during the times I was performing my experiments. This was to ensure no other information mixed with my test data. I would speak about two topics I had otherwise never talked about, written about, purchased or searched for online: NASCAR tires and smoking.

How my personal content changed
Between three and five days a week, I talked around my Echo Dot for a few minutes, specifically about smoking and NASCAR tires. I did this for approximately 30 weeks during 2020. After around 4 weeks, the following began to occur:

  • New ads were delivered to my email inbox
  • New content was displayed on Facebook
  • Amazon made new types of suggestions

The content within each of the above was directly related to NASCAR tires and smoking. I received ads, coupons, special deals and purchase suggestions related to:

  • Smoking cessation (e.g., patches and shock-tactic videos to stop smoking)
  • Vaping items
  • Chewing tobacco
  • Local tire and car shops
  • Tire manufacturers

Prior to my Echo Dot experiment, I’d never received any tire or smoking-related ads.

What's next

With new hope and optimism for a healthier, pandemic-curing-and-controlling, environmental-disaster-free 2021, I am planning a new experiment. My plan with this second Alexa test is to collect enough data points to make a quantitative summary for the results a year from now, at the end of December 2021.

A business friend of mine gave me the very generous gift of an Echo Show this year, as she knows how interested I am in testing these devices. So, I am going to spend 2021 doing some experiments similar to those I performed with the Echo Dot. I will then report to you, dear readers, what I find with the hopes my conclusions are informative and perhaps even prescriptive.

If you happen to also have received an Echo Show for the holidays, take a few minutes to read helpful articles like this one to get familiar with how it works, what your privacy options are and what risks the device may bring into your space.

What you should know

Reportedly, Alexa users can delete past voice recordings and transcripts. There are even supposed to be options for setting auto-delete and opting out of voice recordings altogether. I've read that telling Alexa "Delete what I just said" does exactly that.

However, as we've discussed many times throughout many Tips messages, nothing is 100 percent where the Internet of Things (IoT) is concerned. Where Alexa specifically is concerned, you must consider guests to your home who may not be aware that everything they are saying is being recorded and sent to Amazon's powerful and connected servers. Consider even yourself, fully aware that the device is on and listening, and simply forgetting it's there.
Don't Be Fooled By Look-Alikes
Spoofed websites exist to steal your data
Check out the spoofed website a friend sent me on Black Friday (below). Her 13-year-old son had texted her a link to the Oakley sunglasses on his wish list, and she clicked it. Not until she couldn't use her Oakley rewards points did she realize she'd been on a fake site the entire time.
Your holiday shopping may be over, but there are still plenty of e-commerce reasons to be running around the Internet (e.g., returning gifts, exchanging sizes, tracking missing packages).

Be extra careful to double-check the URL when you land on your intended site. Are you really on oakley.com? Or, like my friend, are you on oakaon.com?
Scammers on Zoom
Con artists prey on older users new to technology
Since COVID-19 shutdowns, many older people are now using apps like Zoom, FaceTime and social media to stay in touch with loved ones, conduct business and talk to doctors. Sadly, scammers are taking advantage.

In one example, a Virginia man called a fake Zoom customer service number to try and resolve a payment issue. A scammer on the other end said he’d send the man a $100 gift card to make up for the inconvenience. He claimed to need a credit card number to pay the $4 shipping fee.

Fortunately, the Virginia man's alarm bells went off and he ended the call with no harm done. However, another individual may not have been as lucky. Many people, particularly older generations, are not familiar enough with apps to sense danger. Unlike digital natives who grew up in the digital age, they are not as easily able to sense when something isn’t right. (That said, Gen Z and Millennial consumers have their own unique vulnerabilities opening them up to risks. We'll cover this in our next Tips.)

Even those of us sitting in on some of the estimated 200 million Zoom meetings occurring daily can be tricked. Scammers are launching phishing attacks by sending malicious links that appear to be requests to join a Zoom meeting. Recipients are actually sent to a fake landing page where crooks steal their login credentials. Unless you’re paying close attention to the domain, it can be easy... for anyone of any age... to click without thinking.

NOTE: The three domain names Zoom uses are zoom.com, zoom.us and zoom.us.cn.
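The look-alike check described in the Oakley story above and in this Zoom note can be automated. The following is an added example (not code from the newsletter): it extracts the host from a link, accepts it only when it is one of the brand's real domains or a subdomain of one, and otherwise flags hosts whose labels merely resemble the brand name. The allowlist is constructed from the domains named in the text; meet.zoom.us and zoom.us.example are made-up test inputs.

```python
from urllib.parse import urlsplit

# Constructed allowlist built from the domains named in the text above:
# Zoom's three domains and Oakley's real site (the one my friend meant to visit).
KNOWN_GOOD = {
    "zoom": ["zoom.com", "zoom.us", "zoom.us.cn"],
    "oakley": ["oakley.com"],
}


def hostname_of(url):
    """Lower-cased host of a URL or bare domain ('oakaon.com'), or None if unparsable."""
    if "://" not in url:
        url = "https://" + url          # links in text messages often omit the scheme
    host = urlsplit(url).hostname       # urlsplit lower-cases the host for us
    return host.rstrip(".") if host else None


def is_same_or_subdomain(host, domain):
    """True for 'zoom.us' and 'meet.zoom.us'; False for 'zoom.us.example',
    because the match must end on a label boundary, not merely start with it."""
    return host == domain or host.endswith("." + domain)


def levenshtein(a, b):
    """Edit distance between two labels; 'oakaon' vs 'oakley' is 3."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url, known_good=KNOWN_GOOD):
    """Return (verdict, brand) where verdict is 'trusted', 'look-alike' or 'unknown'.

    'trusted'    -> host is one of the brand's real domains or a subdomain of one
    'look-alike' -> host is not, yet one of its labels is or nearly is the brand name
    'unknown'    -> host bears no resemblance to any brand on the allowlist
    """
    host = hostname_of(url)
    if host is None:
        return ("unknown", None)
    for brand, domains in known_good.items():
        if any(is_same_or_subdomain(host, d) for d in domains):
            return ("trusted", brand)
    labels = host.split(".")[:-1]          # every label except the TLD
    for brand, domains in known_good.items():
        keywords = {d.split(".")[0] for d in domains}   # 'zoom', 'oakley'
        for label in labels:
            for kw in keywords:
                # exact brand label in the wrong place, brand embedded in a longer
                # label, or a near-miss spelling: all deserve a second look
                if kw in label or levenshtein(label, kw) <= max(2, len(kw) // 2):
                    return ("look-alike", brand)
    return ("unknown", None)


if __name__ == "__main__":
    for link in ["https://www.oakley.com/", "oakaon.com",
                 "https://zoom.us.example/j/123", "https://meet.zoom.us/j/123"]:
        print(link, "->", classify(link))
```

A "look-alike" verdict is a prompt to stop and compare the address with the brand's real domain, not proof of fraud; a "trusted" verdict only means the host belongs to the brand, so the allowlist must be kept current.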

Social media traps can snare you, too.

Over the past few months, I've seen well-established, yet still fake, Facebook profiles that could easily fool even those familiar with the social network.

The imposter accounts were all established several years ago and have even commented on and liked some of my posts. When I dig a little deeper, though, I see their posts are from multiple international geographies and are dated years back.

This is a good tip to keep in mind when someone requests to connect with you on social media. Check out their likes. Does their profile make them look wholesome, yet they've liked militant groups or commented frequently inside what seems to be a questionable cryptocurrency meetup?

A perfect example is the guy I communicated with via Facebook last month. His profile picture was clean-cut and friendly looking, but there was some “phishy” activity in his recent past. He deleted his profile after we messaged back and forth. However, I noticed he’s back. He just changed his name. [To read the full story, scroll to FRESH PHISH in the December Tips Message.]

Especially with less privacy-aware friends and family trying new things online, it's so important to share stories and tips. There are plenty of wolves in sheep’s clothing scouring the Internet for their next victim. 
Lonely in Lockdown?
Be careful what you disclose
Coronavirus lockdowns and social distancing measures have left many people feeling the effects of isolation. Loneliness often drives people to make dangerous connections and share private things online that they would never share IRL (in real life).

I recently came across an online conversation between two women. They were publicly sharing with each other (and all of their connections) how lonely they were. They even posted photos of their quiet, empty homes for all to see. This is risky online behavior for two distinct reasons:

No. 1: Criminals prey on lonely people

Disclosing your emotional state in such a public manner opens you up to scammers who are incredibly gifted at telling people what they want to hear. Criminals prey on lonely people by striking up online conversations with them, building rapport and then asking for money. This is nothing new, of course, but it ramped up significantly during the pandemic.

An example: A 62-year-old widow met “Arnold” on a dating site. After months of private messages, the organized criminal gang posing as Arnold wrote that he needed a new laptop. She sent the money to help. After sending a lot more money, she learned it was all fake. In hindsight, the victim admitted to ignoring red flags.

No. 2: Digital images contain location data

With an advanced image search, anyone could find out where photos posted online were taken, right down to the GPS coordinates. Fraudsters examine the metadata contained within digital images to find precisely where they were captured. Even without that data, they can enter an image alongside the name of a city into a search and find exactly where a person is located.
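The location data mentioned above lives in the photo's Exif metadata, in a GPS sub-directory of the TIFF structure inside the JPEG's APP1 segment. The following is an added example (not code from the newsletter) that checks a JPEG for such a fix before you post it; the pure-Python parser handles only the four GPS fields it needs, and the sample JPEG it builds (a header-only file with made-up coordinates) is constructed for the test.

```python
import struct

# Exif tag numbers used below (from the Exif specification).
GPS_IFD_POINTER = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4


def exif_from_jpeg(data):
    """Return the TIFF payload of a JPEG's APP1 'Exif' segment, or None if absent."""
    pos = 2                                   # skip the SOI marker FF D8
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        length = struct.unpack_from(">H", data, pos + 2)[0]
        if marker == 0xE1 and data[pos + 4:pos + 10] == b"Exif\x00\x00":
            return data[pos + 10:pos + 2 + length]
        if marker == 0xDA:                    # start of scan: no more metadata segments
            break
        pos += 2 + length
    return None


def _entries(blob, offset, end):
    """Yield (tag, type, count, 4 raw value/offset bytes) for each entry of one IFD."""
    count = struct.unpack_from(end + "H", blob, offset)[0]
    for i in range(count):
        pos = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(end + "HHI", blob, pos)
        yield tag, typ, n, blob[pos + 8:pos + 12]


def _rationals(blob, end, raw, n):
    """Read n RATIONALs (numerator/denominator pairs) stored at the offset in raw."""
    off = struct.unpack_from(end + "I", raw)[0]
    vals = struct.unpack_from(end + "II" * n, blob, off)
    return [vals[i] / vals[i + 1] for i in range(0, 2 * n, 2)]


def gps_from_exif(blob):
    """Decimal (lat, lon) from a TIFF/Exif blob, or None when it carries no GPS fix."""
    end = {b"II": "<", b"MM": ">"}[blob[:2]]  # byte order declared in the header
    ifd0 = struct.unpack_from(end + "I", blob, 4)[0]
    gps_ifd = None
    for tag, _, _, raw in _entries(blob, ifd0, end):
        if tag == GPS_IFD_POINTER:
            gps_ifd = struct.unpack_from(end + "I", raw)[0]
    if gps_ifd is None:
        return None
    f = {}
    for tag, _, n, raw in _entries(blob, gps_ifd, end):
        if tag in (GPS_LAT_REF, GPS_LON_REF):     # ASCII "N"/"S" or "E"/"W"
            f[tag] = raw[:1].decode()
        elif tag in (GPS_LAT, GPS_LON):           # three RATIONALs: deg, min, sec
            d, m, s = _rationals(blob, end, raw, n)
            f[tag] = d + m / 60 + s / 3600
    if not {GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON} <= f.keys():
        return None
    lat = f[GPS_LAT] if f[GPS_LAT_REF] == "N" else -f[GPS_LAT]
    lon = f[GPS_LON] if f[GPS_LON_REF] == "E" else -f[GPS_LON]
    return round(lat, 4), round(lon, 4)


def build_sample_jpeg(lat, lat_ref, lon, lon_ref):
    """Constructed test input: a header-only JPEG whose Exif carries the given GPS fix."""
    def dms(deg):
        d = int(deg)
        m = int((deg - d) * 60)
        s = round(((deg - d) * 60 - m) * 60 * 100)   # seconds with 1/100 precision
        return struct.pack("<IIIIII", d, 1, m, 1, s, 100)
    # Layout: header 8 | IFD0 18 | GPS IFD 54 | lat rationals 24 | lon rationals 24
    gps_off, lat_off, lon_off = 26, 80, 104
    tiff = b"II*\x00" + struct.pack("<I", 8)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, gps_off) + b"\0" * 4
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI", GPS_LAT_REF, 2, 2) + lat_ref.encode() + b"\0" * 3
    tiff += struct.pack("<HHII", GPS_LAT, 5, 3, lat_off)
    tiff += struct.pack("<HHI", GPS_LON_REF, 2, 2) + lon_ref.encode() + b"\0" * 3
    tiff += struct.pack("<HHII", GPS_LON, 5, 3, lon_off)
    tiff += b"\0" * 4 + dms(lat) + dms(lon)
    exif = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg(41.5868, "N", 93.625, "W")   # made-up coordinates
    print(gps_from_exif(exif_from_jpeg(sample)))
```

To check a real photo, pass `open(path, "rb").read()` to `exif_from_jpeg` and the result to `gps_from_exif`; a non-None answer means the file would reveal where it was taken if posted as-is.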

No social post is 100-percent safe

Scammers seek to exploit vulnerabilities, and they rely on a lack of knowledge. However, even privacy-savvy people make mistakes and miscalculations. I've seen it happen within my own networks. So many people either don't know or don't give credence to the fact that cybercrooks and cybercrime rings are very advanced and very talented at their crafts. Everyone has to be on high alert.
The New Credit Calculation
Judged by the (online) company we keep
Lenders in the U.S., and possibly other countries, are now looking at more than just your FICO score to determine financial trustworthiness. They’re examining your online behavior, too. Apparently, what you post online and with whom you're connected on social media can tell creditors whether you can pay back a debt.

Social credit scores rely on surveillance
This is a global trend and one of particular concern in communist countries. In China, for instance, the so-called social credit system enables the government to use facial recognition to track its citizens. Analysts use this information to determine if an individual's behavior is “good” or “bad.” The system then adds or deducts points from that person's social credit score. China residents can even be blacklisted based on their scores, making it nearly impossible to travel, buy property or obtain a loan.

U.S. lenders do not have as much surveillance and life-altering judgment power as communist governments. And, it should be mentioned that some believe western cultures carry a significant misunderstanding of China’s social credit system. However, we still have reasons to be concerned about the use of surveillance tactics to determine a person's access to financial services.

Algorithms can be wrong... and biased
Forbes reported in-depth on social credit in late 2019. Among the findings was that Facebook patented a loan-approval solution based on social connections in 2015. The idea behind the algorithm was that your connections’ average credit rating had to meet a minimum credit score for you to be approved for a loan.

(Watch out if you have a “Cousin Eddie” among your Facebook friends, as anyone with a bad financial track record could impact the way creditors view you should Facebook move forward with this technology.)
Your Facebook, LinkedIn and other social media profiles, both personal and business, can be analyzed by lenders (or employers, insurance providers, marketers, collectors and others) to make assumptions about your employment, your spending habits and your overall financial standing. The results of that analysis, even if based on "sophisticated" algorithms, can be wrong. After all, algorithms are built by humans, and humans are very often flawed, not to mention biased.

Thankfully, some states are already putting legislation in place to stop credit decisions from being made with online information. New York, for example, put a law (S.2302/A.5294) into effect in 2019 strictly prohibiting it.
There are plenty of negative implications to consider when it comes to using behaviors and social information to determine credit rating, including data privacy and unfair discrimination. We need strict standards in place and are nowhere near that yet. In the meantime, be careful what you post and with whom you connect on social media. (I know that can be hard!)
A Fresh Spin on Identity Theft
Unemployment scammers run rampant
Unemployment rates in the U.S. have skyrocketed this year. In just three months, levels surpassed those over two years during the Great Recession. This, of course, gives scammers new ways to defraud those already down on their luck during the pandemic.

The latest ploy is to file for unemployment benefits under someone else’s name. If they already have your personal data, they can file on your behalf. If they don’t yet have it, they have a variety of techniques to con you out of the information they need.

Gainfully employed are still at risk

Even if you’re not out of work, you could still fall victim to this scam. As this article from Experian points out, fraud like this can be difficult to detect.

No one is the wiser until victims try to legitimately file and realize there is already an open claim in their name. Others learn of the fraud when they receive a Form 1099-G for unemployment income reportedly received. Some discovered the identity theft through their employer when a state unemployment official notified the company of the false claim.

What about the money?

What may seem odd about these scams is that often, the identity thieves do not receive any money. In fact, in some cases, the victim receives the unemployment funds they didn't actually file for. That's why the incidents are categorized as identity vs. financial crimes.

What's happening is the scammers are after something even more valuable than money: personal data. Through a variety of really smart tactics, the scammers stick with the victims, watching how they respond with the money, giving them fake websites to visit and fake phone numbers to call, and keeping an eye on their financial moves. With access to that intelligence, they can open accounts in someone else's name or sell the personal data on the dark web. It’s like pulling a thread on a woven blanket; it can slowly destroy the person they’ve targeted.

If you think you might be a victim of unemployment fraud, do not ignore it. Experian shares some helpful tips on what you can do.
Is a Vaccine Passport in Your Future?
Privacy claims must be backed with privacy policies
A report on my local news certainly raised my interest, not to mention my concern about the related privacy and data security risks. The story addressed the possibility that we may soon be required to show proof of a COVID-19 test or vaccination to enter concerts, stadiums and maybe even other countries.

The news featured the CommonPass app, the developers of which claim to be very concerned about privacy and committed to privacy preservation. However, they have not addressed a huge red flag...their site has no privacy notice nor any information about data security!

We are going to dig deeper into this issue and the technology being developed around it and will let you know in the February Tips what we find.

In the meantime, watch our sites privacysecuritybrainiacs.com and privacyguidance.com and follow our LinkedIn, Facebook and Twitter feeds for updates related to this and other developing COVID-19 privacy risks.
3 Quick Tips
Fast privacy-preserving steps you can take right now
Uninstall Adobe Flash Player.

Have you uninstalled Adobe Flash Player from your system yet? If not, do it now.

The program will no longer be supported by Adobe as of January 12, 2021. This means important security holes will not be patched by Adobe. And, that's music to the ears of the cybercrooks and hackers who will be actively exploiting newly discovered holes to access your computer applications, systems and data. They may even be able to take over your entire device. Here are some helpful resources:

Backup your files.

When was the last time you backed up your files, including photos, videos, emails and tax data?

Many folks are now using cloud services to make backups. I recommend also putting backups onto your own external drive(s), dedicated solely to backups. I have a separate external drive for each of the different types of files mentioned above.

With the end of year sales, you can find some deep discounts at electronics stores and online for external drives with storage of 1 TB or more.

Create a "What to Do When I'm Gone" document.

This resource should include:

  • Social media IDs and passwords
  • Location of your last will & testament (Create one if you haven't; I'm updating mine this weekend.)
  • List of your life insurance policies, associated values and how to contact the insurance companies
  • Names and contact info for the people you want to be notified when you die (e.g., friends, family, neighbors, accountant, lawyer, co-workers, clients)
  • List of real estate documents and associated locations
  • Bank accounts, stocks, etc.
  • Location of personal photos and whom you want to have them
  • Requests for the re-homing of pets
  • Insurance policies, utilities, credit cards
  • Location of treasure and/or time capsules you buried (Hey, I know a lot of you pretty well, and know you'd do this!)
  • Any other information your survivors should know
Learning Resources
Courtesy of Privacy & Security Brainiacs
Throughout 2020, my son Noah and I, along with a great development and programming team, have been building a new online security, privacy and compliance training SaaS business, Privacy & Security Brainiacs.

Starting this month, we will provide pointers to the latest Privacy & Security Brainiacs educational releases in each new issue of The Privacy Professor Tips. If you find them useful, please let us know.

We have a list of 20+ other training topics we are working on for the coming weeks.

Latest Videos from Privacy & Security Brainiacs:

Latest Training Modules from Privacy & Security Brainiacs:

Do you have an idea for other types of educational resources for us to consider providing? Or, other specific topics for us to cover? Do you have feedback on our training? Check out the free training videos and please let us know that, too! Send to info@privacysecuritybrainiacs.com
When is a marketing email a GDPR no-no?
In the November Tips, you wrote about an unsolicited email you received that violated GDPR regulations. I can certainly relate to this. But, here's my question... Do U.S. residents fall under the umbrella of GDPR protection distinct from, for example, CCPA?

I am happy for the opportunity to clarify this. If an unsolicited message is sent, generally from anywhere in the world, to EU residents where the GDPR applies, and there was no consent given to receive such emails, it will likely be a violation.

If I were in a GDPR-governed country, it would have been a violation of that regulation.

Because I am in the U.S., CAN-SPAM, on the other hand, applies to all U.S. recipients. And, if I were a California resident, the CCPA would likely have applied, along with other U.S. state and federal laws and regulations, as well as data protection laws in other countries.

Of course, each case is different and must go through analysis to consider the full context to determine whether a cold-call email violates applicable regulations. Various lawyers have debated the question of applicability. However, from experience with my clients, U.S. marketers are covered by GDPR for any messaging sent to EU residents of countries where GDPR applies. Various test cases also indicate that if EU residents are also U.S. citizens, GDPR applies.
Where to Find the Privacy Professor
Here are just a few of the podcasts I've visited recently.
Shoering Up Security
On this episode of CompTIAWorld's Shoering Up Security, MJ Shoer and I talk about how to implement cybersecurity best practices—and how to get everyone involved in the conversation (not just IT). We also offer up advice for anyone thinking about starting their own business, as well as the terrific topic of women in tech.
On this Trility podcast, we discussed infosec and privacy specifically for senior living facilities.
Listen in to learn more about pandemic-era threats to consumer data security and privacy. 
The topic here was how to protect your home, kids, finances, health data and business from hackers. 

Here is another episode that covers privacy risks and impacts of contact tracing, IoT device use and the Surprising Places Your Data is Being Tracked.
Tips4Tech 12 Tech Resources
I was honored to be included in a list of a dozen resources for people turning to tech to help them through the COVID-19 crisis.

A couple of recent industry articles to which I've contributed thoughts...
Defense-in-Depth (DiD) Strategies: Protect Higher Ed Users Against Cyberthreats
VA Did Not Disclose Huge Data Breach for 7 Weeks
My Radio Show
If you haven't checked out my radio show, Data Security & Privacy with the Privacy Professor, please do so. We discuss a wide range of real-world topics within the data security and privacy realm.

Latest Episode

Special thanks to T-Mobile for including this episode in the December issue of the company's security newsletter!

Next Episode

Privacy & Security Education in a Pandemic World of Zoom with Kim Hakim, CEO and Founder of FutureCon Events.

New IoT Cybersecurity Drafts from NIST Will Impact the Ecosystem
On December 15, 2020, NIST released four new draft IoT cybersecurity documents to provide guidance for federal agencies and device manufacturers. Additionally, NIST is updating its catalog of IoT cybersecurity capabilities.
Please provide your feedback to NIST.
NIST Wants Your Feedback
In this video, Michael Fagan, technical lead for the NIST Cybersecurity for IoT program, and I, a subject matter expert (SME) on the NIST Cybersecurity for IoT program team, describe the path that led to the GitHub posting and its role in developing the Federal Profile.
Help Wanted: Growing a Workforce for Managing Privacy Risk
I was honored to be part of all three days of this important NIST virtual workshop, hosted by IAPP.

See the closing session, which includes takeaways from each of the breakout session leaders.

Cybersecurity Risks in Consumer Home IoT Products
Especially ahead of the holiday buying season, this session contains vital information for consumers.

Watch Part 1 of the workshop, which highlighted many considerations impacting the cybersecurity of IoT products.
2021 Resolutions
No doubt, you have plenty of promises vying for a spot on your list of New Year's resolutions. Humor me by adding one more?

I'd love if you'd add learning (and doing!) more about your personal data security and privacy risks in 2021.

Simply reading this email each month is a good start. If you have other quick tips or privacy hacks to make such a resolution more accessible to more people, please reply. I may even share them in a future message.


The Privacy Professor | Website
Privacy & Security Brainiacs | Website
Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:

Source: Rebecca Herold. January 2021 Privacy Professor Tips. www.privacyguidance.com.

NOTE: Permission for excerpts does not extend to images.