Researchers at Carnegie Mellon University CyLab designed the above opt-out privacy icon to make it easier for website visitors to participate in privacy choices. The icon, one of 12 the researchers created, was ultimately chosen by California lawmakers to support compliance with the California Consumer Privacy Act (CCPA). These same researchers have also developed the IoT Assistant app to alert app users to IoT devices that are within their vicinities. This helps people learn about data being collected, as well as any controls they may deploy, such as opting in or out of data collection. IoT vendors can use the system to contribute their own or use others' templates to describe their systems to users.

National Cybersecurity Alliance has sponsored the international Data Privacy Day each year since 2008. With robust online resources from social media posts to ideas for work, school and community, they make it easy for anyone to get involved. You know what would be a great action to take to get involved? Forward this Tips message to your friends, family and/or employees so they can learn more about privacy issues as part of this month’s Data Privacy Day activities.

Identity Theft Resource Center (ITRC) provides a large amount of information on data breaches, including the personal information exposed by each breach. For many years, they have educated the public on cybercrimes that are occurring, and importantly, the impacts of them. Now with the ITRC's Notified service, anyone can create custom views for five-year breach trends to get summaries of known breaches and exposures.

EDUCAUSE published a new report, "Key Findings on Privacy in Higher Education" to inform the public about the data security and privacy risks faced by college-level students, educators and the many others who support them. Beyond simply reporting on various risks within the sector, the paper also highlights ways higher education, technology and privacy leaders can develop and advance privacy programs and policies.

The National Institute of Standards and Technology (NIST) is celebrating the one-year anniversary of its Privacy Framework published in Jan. 2020. Over the past 12 months, many groups have adopted the voluntary tool to identify and manage privacy risk, as well as build innovative products and services while protecting privacy. NIST has done an excellent job updating the framework based on feedback they've received from the community.

ISACA released a new Certified Data Privacy Solutions Engineer (CDPSE) certification. ISACA's program is the first to address the engineering of privacy, which is critically important in the digital era. The CDPSE promises tech professionals the ability to implement privacy by design, resulting in privacy technology platforms and products that build trust and advance data privacy. (I've already gotten my CDPSE certification!)

U.S. Cyberdome is a non-profit, non-partisan organization launched in mid-2019 that has been working to ensure secure elections. Founded by cybersecurity experts, Cyberdome will absorb the costs of providing cyber protection to campaigns by working with donors and charitable foundations. Given the U.S Cybersecurity and Infrastructure Security Agency (CISA) determination that the November 2020 US general election was "the most secure in American history," it seems their work is having a positive impact.

We're celebrating a few more beacons than usual this month to acknowledge the upcoming international Data Privacy Day!

During December 2019's super sales, I purchased an Amazon Echo Dot to do a year’s worth of privacy experiments. After dealing with a 2020 full of COVID-19, environmental disasters and personal health issues (not related to COVID), my conclusions have been reduced to a few high-level, qualitative results.

Throughout the year, I plugged in and powered on my Echo Dot only during the times I was performing my experiments. This was to ensure no other information mixed with my test data. I would speak about two topics I had otherwise never talked about, written about, purchased or searched for online: NASCAR tires and smoking.

Between three and five days a week, I talked around my Echo Dot for a few minutes, specifically about smoking and NASCAR tires. I did this for approximately 30 weeks during 2020. After around 4 weeks, the following began to occur:

If you happen to also have received an Echo Show for the holidays, take a few minutes to read helpful articles like this one to get familiar with how it works, what your privacy options are and what risks the device may bring into your space.

However, as we've discussed many times throughout many Tips messages, nothing is 100 percent where the Internet of Things (IoT) is concerned. Where Alexa specifically is concerned, you must consider guests to your home who may not be aware that everything they are saying is being recorded and sent to Amazon's powerful and connected servers. Consider even yourself, fully aware that the device is on and listening, and simply forgetting it's there.

Check out the spoofed website a friend sent me on Black Friday (below). Her 13-year-old son had texted her a link to the Oakley sunglasses on his wish list, and she clicked it. Not until she couldn't use her Oakley rewards points did she realize she'd been on a fake site the entire time.

Your holiday shopping may be over, but there are still plenty of e-commerce reasons to be running around the Internet (e.g., returning gifts, exchanging sizes, tracking missing packages).

Be extra careful to double-check the URL when you land on your intended site. Are you really on oakley.com? Or, like my friend, are you on oakaon.com?

In one example, a Virginia man called a fake Zoom customer service number to try and resolve a payment issue. A scammer on the other end said he’d send the man a $100 gift card to make up for the inconvenience. He claimed to need a credit card number to pay the $4 shipping fee.

Fortunately, the Virginia man's alarm bells went off and he ended the call with no harm done. However, another individual may not have been as lucky. Many people, particularly older generations, are not familiar enough with apps to sense danger. Unlike digital natives who grew up in the digital age, they are not as easily able to sense when something isn’t right. (That said, Gen Z and Millennial consumers have their own unique vulnerabilities opening them up to risks. We'll cover this in our next Tips.)

Even those of us sitting in on some of the estimated 200 million Zoom meetings occurring daily can be tricked. Scammers are launching phishing attacks by sending malicious links that appear to be requests to join a Zoom meeting. Recipients are actually sent to a fake landing page where crooks steal their login credentials. Unless you’re paying close attention to the domain, it can be easy... for anyone of any age... to click without thinking.

NOTE: The three domain names Zoom uses are zoom.com, zoom.us and zoom.us.cn.

Social media traps can snare you, too.

This is a good tip to keep in mind when someone requests to connect with you on social media. Check out their likes. Does their profile make them look wholesome, yet they've liked militant groups or commented frequently inside what seems to be a questionable cryptocurrency meetup?

A perfect example is the guy I communicated with via Facebook last month. His profile picture was clean-cut and friendly looking, but there was some “phishy” activity in his recent past. He deleted his profile after we messaged back and forth. However, I noticed he’s back. He just changed his name. [To read the full story, scroll to FRESH PHISH in the December Tips Message.]

Disclosing your emotional state in such a public manner opens you up to scammers who are incredibly gifted at telling people what they want to hear. Criminals prey on lonely people by striking up online conversations with them, building rapport and then asking for money. This is nothing new, of course, but it ramped up significantly during the pandemic.

An example: A 62-year-old widow met “Arnold” on a dating site. After months of private messages, the organized criminal gang posing as Arnold wrote that he needed a new laptop. She sent the money to help. After sending a lot more money, she learned it was all fake. In hindsight, the victim admitted to ignoring red flags.

Scammers seek to exploit vulnerabilities, and they rely on a lack of knowledge. However, even privacy-savvy people make mistakes and miscalculations. I've seen it happen within my own networks. So many people either don't know or don't give credence to the fact that cybercrooks and cybercrime rings are very advanced and very talented at their crafts. Everyone has to be on high alert.

Lenders in the U.S., and possibly other countries, are now looking at more than just your FICO score to determine financial trustworthiness. They’re examining your online behavior, too. Apparently, what you post online and with whom you're connected on social media can tell creditors whether you can pay back a debt.

This is a global trend and one of particular concern in communist countries. In China, for instance, the so-called social credit system enables the government to use facial-recognition to track its citizens. Analysts use this information to determine if an individual's behavior is “good” or “bad." It then adds or deducts points from that person's social credit score. China residents can even be blacklisted based on their scores, making it nearly impossible to travel, buy property or obtain a loan.

U.S lenders do not have as much surveillance and life-altering judgment power as communist governments. And, it should be mentioned that some believe western cultures carry a significant misunderstanding of China’s social credit system. However, we still have reasons to be concerned about the use of surveillance tactics to determine a person's access to financial services.

Forbes reported in-depth on social credit in late 2019. Among the findings was that Facebook patented a loan-approval solution based on social connections in 2015. The idea behind the algorithm was that your connections’ average credit rating had to meet a minimum credit score for you to be approved for a loan.

(Watch out if you have a “Cousin Eddie” among your Facebook friends, as anyone with a bad financial track record could impact the way creditors view you should Facebook move forward with this technology.)

Your Facebook, LinkedIn and other social media profiles, both personal and business, can be analyzed by lenders (or employers, insurance providers, marketers, collectors and others) to make assumptions about your employment, your spending habits and your overall financial standing. The results of that analysis, even if based on "sophisticated" algorithms, can be wrong. After all, algorithms are built by humans, and humans are very often flawed, not to mention biased.

Thankfully, some states are already putting legislation in place to stop credit decisions from being made with online information. New York, for example, put a law (S.2302/A.5294) into effect in 2019 strictly prohibiting it.

There are plenty of negative implications to consider when it comes to using behaviors and social information to determine credit rating, including data privacy and unfair discrimination. We need strict standards in place and are nowhere near that yet. In the meantime, be careful what you post and with whom you connect on social media. (I know that can be hard!)

Unemployment rates in the U.S. have skyrocketed this year. In just three months, levels surpassed those over two years during the Great Recession. This, of course, gives scammers new ways to defraud those already down on their luck during the pandemic.

The latest ploy is to file for unemployment benefits under someone else’s name. If they already have your personal data, they can file on your behalf. If they don’t yet have it, they have a variety of techniques to con you out of the information they need.

Even if you’re not out of work, you could still fall victim to this scam. As this article from Experian points out, fraud like this can difficult to detect.

What about the money?

What may seem odd about these scams is that often, the identity thieves do not receive any money. In fact, in some cases, the victim receives the unemployment funds they didn't actually file for. That's why the incidents are categorized as identity vs. financial crimes.

If you think you might be a victim of unemployment fraud, do not ignore it. Experian shares some helpful tips on what you can do.

A report on my local news certainly raised my interest, not to mention my concern about the related privacy and data security risks. The story addressed the possibility that we may soon be required to show proof of a COVID-19 test or vaccination to enter concerts, stadiums and maybe even other countries.

The news featured the CommonPass app, the developers of which claim to be very concerned about privacy and committed to privacy preservation. However, they have not addressed a huge red flag...their site has no privacy notice nor any information about data security!

We are going to dig deeper into this issue and the technology being developed around it and will let you know in the February Tips what we find.

In the meantime, watch our sites privacysecuritybrainiacs.com and privacyguidance.com and follow our LinkedIn, Facebook and Twitter feeds for updates related to this and other developing COVID-19 privacy risks.

Have you uninstalled Adobe Flash Player from your system yet? If not, do it now.

The program will no longer be supported by Adobe as of January 12, 2021. This means important security holes will not be patched by Adobe. And, that's music to the ears of the cybercrooks and hackers who will be actively exploiting newly discovered holes to access your computer applications, systems, data. They may even be able to take over your entire device. Here are some helpful resources:

When was the last time you backed up your files, including photos, videos, emails and tax data?

Many folks are now using cloud services to make backups. I recommend also putting backups onto your own external drive(s), dedicated solely to backups. I have a separate external drive for each of the different types of files mentioned above.

With the end of year sales, you can find some deep discounts at electronics stores and online for external drives with storage of 1 TB or more.

This resource should include:

Throughout 2020, my son Noah and I, along with a great development and programming team, have been building a new online security, privacy and compliance training SaaS services business, Privacy & Security Brainiacs.

Starting this month, we will provide pointers to the latest Privacy & Security Brainiacs educational releases in each new issue of The Privacy Professor Tips. If you find them useful, please let us know.

We have a list of 20+ other training topics we are working on for the coming weeks.

Latest Videos from Privacy & Security Brainiacs:

Latest Training Modules from Privacy & Security Brainiacs:

Do you have an idea for other types of educational resources for us to consider providing? Or, other specific topics for us to cover? Do you have feedback on our training? Check out the free training videos and please let us know that, too! Send to info@privacysecuritybrainiacs.com

I am happy for the opportunity to clarify this. If an unsolicited message is sent, generally from anywhere in the world, to EU residents where the GDPR applies, and there was no consent given to receive such emails, it will likely be a violation.

If I were in a GDPR-governed country, it would have been a violation of that regulation.

Because I am in the U.S., CAN-SPAM, on the other hand, applies to all U.S. recipients. And, if I was a California resident, the CCPA would likely have applied, along with other U.S. state and federal laws and regulations, as well as data protection laws in other countries.

Of course, each case is different and must go through analysis to consider the full context to determine whether a cold-call email violates applicable regulations. Various lawyers have debated the question of applicability. However, from experience with my clients, U.S. marketers are covered by GDPR for any messaging sent to EU residents of countries where GDPR applies. Various test cases also indicate that if EU residents are also U.S. citizens, GDPR applies.