Advertising Now Available!

After repeated requests from some exciting brands, we've decided to open Tips of the Month up to sponsors. If you're interested in reaching our readers (maybe you have an exciting new privacy product or service or an annual event just around the corner), the Tips email may be just the thing to help you communicate to more people! 

We have a variety of advertising packages to meet every budget. 

The Trouble with Snippets

The time each of us devotes to consuming media is shrinking fast. It's the whole reason Twitter got its start. 

To satisfy the demand for easy-to-digest content, traditional and social media publishers compress "news" to clickable snippets, a.k.a. click bait. All could be fine if the reader could distinguish between a flashy headline and real news, but not everyone can. 

Professors and other teachers have begun to notice sources like showing up in students' research papers. People formulate opinions on brands, organizations and other people based on false or exaggerated stories. And, voters rely on social "news" to formulate their decisions on election days. 

Those of us in data security and privacy circles have observed the extension of the snippets trend to things like privacy policies and terms / conditions related to use of technology. To make content more digestible or technology more usable, providers are taking transparency shortcuts resulting in a lot of confusion and mistrust. 

All of this is to say you should *trust, but verify.* Anytime you hear or see something that feels off, trust your gut. Dig in, do the research and come to your own conclusions. Sadly, the onus is on each of us to beware of what we "buy."

Data Security & Privacy Beacons
People and places making a difference**

Dr. Lance Eliot wrote an in-depth article to raise awareness of the personal data collected by vehicles, in particular smart cars and rental cars... and even junked vehicles. Among the takeaways, the article explains how that data (everything from playlists to contacts) can be used to invade the privacy of drivers. Definitely worth a read!

The City of San Francisco is the first city, and likely not the last, writing legislative bills at the major municipal level to prohibit the use of facial recognition until privacy risks have been appropriately addressed. In addition to offering real privacy protections, the efforts are raising awareness about the potential misuse of facial recognition. The city is the first in the nation to ban law enforcement use of facial recognition technology in the name of privacy. Federal lawmakers are also now writing bipartisan bills to strengthen consumer protections. They seek to prohibit companies that use facial recognition technology from collecting and re-sharing data for identifying or tracking consumers without their consent.

United Airlines passengers called for the airline to mitigate the privacy risks posed by on-board surveillance cameras in recently installed back-of-seat video monitors. Kudos to the passengers for voicing their concerns and to the airline for listening and responding by covering the devices. (Although, we would have liked to see them think about privacy *before* installing the monitors.)

Tenants of a Manhattan apartment building sued their landlord for using smart lock technology to secure their homes. The residents were naturally upset by the smart lock company's privacy policy, which said its app could collect location data and use it for marketing purposes. In a settlement, the landlord agreed to provide physical keys to tenants who don't want to use smart locks. The smart lock vendor also indicated they will update their privacy policy "to make things clearer." We will look forward to reading that updated privacy policy!

Human Rights Watch exposed the widespread use of illegal mass surveillance in locations throughout China. Through reverse engineering of a policing mobile app, the organization was able to prove that law enforcement was illegally gathering information about "people's completely lawful behavior and using it against them."

**Privacy beacon shout-outs do not necessarily indicate an organization or person is addressing every privacy protection perfectly throughout their organization (no one is). It simply highlights a noteworthy example that is, in most cases, worth emulating.

Repeating an Exhausting Pattern
Facebook co-founder shares 20-20 hindsight views

I read Facebook co-founder Chris Hughes' 6,000-word opinion piece, "It's Time to Break Up Facebook," with great interest. 

Having long since left the company, it's easy for him to have 20-20 hindsight on all the missteps the social giant has made. 

That said, there were two points in the article that stood out to me. The first was Hughes' characterization of the way consumers, business leaders and others react to the often blatant disregard of data privacy and security protections when we learn of them: 

...every time Facebook messes up, we repeat an exhausting pattern: first outrage, then disappointment and, finally, resignation.

And it's not just Facebook. We seem to repeat this "exhausting pattern" regardless of the violator or how royally they've messed up. 

Plainly, that needs to stop. The question is: How can we accomplish this?

The second part of the article I find interesting is the overall call on regulators in the U.S. to apply greater scrutiny to acquisitions in the digital space. Hughes argues that Facebook's takeover of WhatsApp and Instagram created a monopoly in the social networking category. 

Here again, hindsight is 20-20. But, that's what has happened historically. A corporation grows quickly, acquiring others at a break-neck pace, and suddenly people realize they have a virtual monopoly in the space. The key at that point becomes determining what can be done about it. 

As humans and societies evolve, we have to be comfortable with retroactive protections. Bike-helmet requirements, no-smoking laws, facial-recognition bans... all of this comes as we learn of the dangers and respond appropriately. 

The tool is great in theory, but what about... 
I've been looking into Google Password Checker, and I have at least two concerns.

The recently launched Chrome extension offers to alert users if a password they enter into a site was exposed in a data breach somewhere along the way. 

Here's what concerns me...

Google says the passwords it collects for checking have been hashed and encrypted. Is there any objective validation of this claim? And how strong is the encryption being used? Many tech companies have claimed to have security in place, and then a breach or other incident proves they did not, in fact, have the proper protections in place. 

If you are thinking about installing Google Password Checker, consider this: You have likely given Google substantial access to significant amounts of your data already. Do you really want to give them all of your passwords, too? 

Until I see verifiable, objective proof of Google's encryption claims, I'm not going to use it. We've heard similar promises before only to find out, after a breach, that they were just that... promises. In this situation, I will verify first and then consider if I want to trust Google with the digital keys to my online accounts.
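For readers who want to understand what "hashed" can actually buy you in a breach-password checker, here is an added illustration (my own example code, not Google's extension or its protocol) of the k-anonymity range-query design popularized by Have I Been Pwned's Pwned Passwords API. The client hashes the password, sends only the first five hex characters of the hash, receives every stored suffix in that bucket, and finishes the comparison locally, so the server never receives the password or its full hash. The breach corpus and counts are constructed for the example; `BreachServer` and `check_password` are names I chose.

```python
"""k-anonymity style breach-password check (added illustration, not Google's code).

The server stores hashes only, indexed by a short prefix. The client sends the
prefix, gets back all suffixes in that bucket, and checks for its own suffix
locally. This mirrors the range-query design of HIBP's Pwned Passwords API.
"""
import hashlib
from collections import defaultdict
from typing import Dict, List

PREFIX_LEN = 5  # hex chars revealed to the server (5 of 40 SHA-1 hex digits, as HIBP does)
HEX_DIGITS = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password; SHA-1 is used here to match HIBP's scheme."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample breach corpus: well-known weak passwords with made-up counts.
CONSTRUCTED_BREACH_COUNTS: Dict[str, int] = {
    "password": 3_000_000,
    "123456": 20_000_000,
    "letmein": 250_000,
    "qwerty": 4_000_000,
}


class BreachServer:
    """Server side: holds hash suffixes bucketed by prefix and answers range queries."""

    def __init__(self, counts: Dict[str, int]) -> None:
        self._index: Dict[str, Dict[str, int]] = defaultdict(dict)
        for pw, n in counts.items():
            h = sha1_hex(pw)
            self._index[h[:PREFIX_LEN]][h[PREFIX_LEN:]] = n
        # Everything an honest-but-curious server learns about clients is recorded here.
        self.queries_seen: List[str] = []

    def range_query(self, prefix: str) -> Dict[str, int]:
        """Return {suffix: breach_count} for every stored hash sharing this prefix."""
        if len(prefix) != PREFIX_LEN or any(c not in HEX_DIGITS for c in prefix):
            raise ValueError("prefix must be exactly %d uppercase hex chars" % PREFIX_LEN)
        self.queries_seen.append(prefix)
        return dict(self._index.get(prefix, {}))


def check_password(password: str, server: BreachServer) -> int:
    """Client side: number of times the password appeared in the corpus (0 = not found)."""
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    candidates = server.range_query(prefix)  # only the prefix leaves the client
    return candidates.get(suffix, 0)


if __name__ == "__main__":
    srv = BreachServer(CONSTRUCTED_BREACH_COUNTS)
    for pw in ("password", "correct horse battery staple"):
        n = check_password(pw, srv)
        print(f"{pw!r}: {('seen %d times' % n) if n else 'not in corpus'}")
    print("server only ever saw prefixes:", srv.queries_seen)
```

The point for the "trust, but verify" question in the section above: whether a checker is privacy-preserving is a property of the client code and the wire protocol, not of a press statement. Even this design leaks a five-character prefix per query, which narrows the candidate space, and any scheme that instead uploads the full hash gives the operator an offline-crackable list. Verifying the claim means reading the extension's source or protocol specification and confirming what actually leaves the browser.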

Be cautious before volunteering your cameras
One of the police departments near me recently launched what it calls a "Community Camera Program." Residents and businesses can register their security cameras with the department. Police will contact them if a crime occurs near their property and they believe the camera may have captured something helpful to the investigation. 

The idea is certainly noble. But, have all the privacy risks been addressed?

Well-meaning citizens may want to exercise caution before volunteering to be a part of this or similar programs. Consider the following:
  • You don't have to have your camera registered with the police to offer them a look at footage captured. 
  • How are police protecting the list of registered camera owners? What might a criminal (or a lawyer, a private investigator or an insurance company) do with that information if the list is compromised or shared?
  • Video, especially that triggered by motion or light, can fail to capture important context. How might your sharing out-of-context footage with law enforcement aid in the misdirection of an investigation?
  • Police could assume ownership of any video they collect. (In the case of the Community Camera Program, the Acknowledgement statement indicates ownership of the video is the property of the registrant "until it is requested" by police.) Once that happens, it's no longer in your control. How will they use it? With which entities will they share it?
I recently spoke about these concerns and others with the Wall Street Journal for their reporting on smart doorbells and the video they may capture. Check it out and let me know your thoughts. 

The bottom line is police departments must think through the privacy of the security camera owners, as well as those captured on video. They must establish rules and procedures and be transparent with the public about their short- and long-term plans for using any footage collected through these and similar programs. 

What Exactly is a 'Sophisticated' Attack?
Hyperbolic adjectives attempt to shift blame

Have you noticed how often companies are breached by "sophisticated" or "advanced" attacks? WhatsApp provides a recent example. A spokesperson of the social messaging app (owned by Facebook) said "an advanced cyber actor" recently found a way to exploit a security flaw. 

Sounds a lot better than saying a "low-level hacker with no experience" found his way into the system, doesn't it?

The fact is that most breached entities rarely know exactly who attacked them or even exactly when they were attacked. Describing an attacker as "sophisticated" is a pretty obvious attempt at shifting the blame away from the company. This is especially true in circumstances when the company lacked appropriate security controls, allowing the breach to happen in the first place.

When organizations are the keepers of personal data, it's their responsibility to continually test and retest their systems for vulnerabilities and to understand the pain those weaknesses could cause users if exploited. Anything less is completely irresponsible, and is increasingly the subject of legal and financial sanctions. 

5 Things You Can Do 

If your business collects and stores personal data, ensuring protection boils down to these five basics:
  • Establish effective, consistently followed and documented information security and privacy policies and procedures.
  • Manage policies and procedures through a position or a team that has documented responsibilities and can be held accountable.
  • Provide frequent training to all workers who use systems and applications, as well as those who access personal data and business information in any form. 
  • Implement multiple layers of security and privacy technologies customized to fit the business environment. Examples include 2-factor authentication, strong encryption, data access logs and firewalls at all perimeters of the network.
  • Perform regular risk assessments along with IT, security and privacy audits.

Are cyber attacks on business more harmful than physical attacks? 
Earlier this month, I received the above question from a high school student in Michigan who was working on a cybersecurity research paper for school. (I love that there are teens interested in learning about information security and privacy!)

Here's how I answered:

While both can be very dangerous in multiple ways, it's important to consider that cyberattacks can have deadly consequences. For instance:
  • A particularly insidious cyberattack on a vulnerable hospital system could allow a cyberterrorist to change medical devices settings. The result could be patient injury or even death. Physicians and other caregivers may not even recognize the cause of the increased incidents. (They would typically analyze physical symptoms of the patients and not look, at least right away, at systems settings.)
  • Malware implanted in utilities can change the settings on power grids, shutting down heat, water, transportation and emergency systems and other key systems and devices on which people depend, sometimes for life.
What's more, many organizations have gone out of business following cyberattacks. The loss of data, followed by the loss of trust and customers, as well as the domino effect of fraud committed through their stolen data, can be devastating to not only the impacted individuals, but also the business. Additionally, the value of fines, penalties and court judgments now commonly goes into the tens, and even hundreds, of millions of US dollars... and increasingly, more fines are being applied throughout other countries.  
So, in general, yes, it is quite possible for cyberattacks to be more harmful than a physical attack.

Where to Find the Privacy Professor

At your next event...

Photo Credit: SecureWorld
If you're looking for an experienced speaker who knows how to bring data security and privacy risks to life... on stage, on the airwaves or over the internet, please get in touch.

On the air... 


I'm so excited to be hosting the radio show Data Security & Privacy with The Privacy Professor on the VoiceAmerica Business network. All episodes are available for on-demand listening on the VoiceAmerica site, as well as iTunes, Mobile Play, Stitcher, TuneIn, CastBox, and similar apps and sites. 

Hear the perspectives of incredible guests as they talk through a wide range of hot topics.

Some of the many topics we've addressed... 
  • identity theft
  • medical cannabis patient privacy
  • children's online privacy and safety  
  • applications and systems security
  • cybercrime prosecutions and evidence
  • government surveillance
  • swatting 
  • GDPR
  • career advice for cybersecurity, privacy and IT professions
  • voting / elections security (a series)
Please check out some of my recorded episodes. You can view a complete listing of shows to date, grouped by topic. After you listen, let me know what you think! I truly do use what I hear from listeners.

SPONSORSHIP OPPORTUNITIES: Are you interested in being a sponsor or advertiser for my show? It's quickly growing with a large number of listeners worldwide. Please get in touch! There are many visual, audio and video possibilities.

In the news... 


Recent awards / honors

I was honored to be included in the new book, "Women Know Cyber: 100 Fascinating Females Fighting Cybercrime." Check out the free online PDF or find the hard copy in major online bookstores.

3 Ways to Show Some Love

The Privacy Professor Monthly Tips is a passion of mine and something I've offered readers all over the world since 2007 (Time really flies!). If you love receiving your copy each month, consider taking a few moments to...

1) Tell a friend! The more readers who subscribe, the more awareness we cultivate.

2) Offer a free-will subscription! There are time and hard dollar costs to producing the Tips each month, and every little bit helps. 

3) Share the content. All of the info in this email is sharable (I'd just ask that you follow

Did you ever play Grapevine as a kid? Maybe you called it Telephone or by another name. 

It starts with one person whispering a funny phrase into the ear of another, who then turns to the next person and whispers what is supposed to be the same phrase. Depending on how many players you have, the original phrase is typically so distorted by the end, it sends everyone into fits of laughter. 

The world we're living in reminds me so much of this game. The facts of original stories, after being run through the grapevine of social media, go completely awry. The only difference is real-world distortions are far from funny.

This summer, make a commitment to spending a few extra minutes to verify what you see and hear. And if you find any good examples of skewed facts or click bait stories, send them my way. I may share them in an upcoming Tips of the Month. 

Have a beautiful and safe June,

Need Help?

Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:

Source: Rebecca Herold. June 2019 Privacy Professor Tips.

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Info

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through
2) making a request directly to Rebecca Herold; or 
3) connecting with Rebecca Herold on LinkedIn

When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the encouraged communications by LinkedIn, she will send those asking for LinkedIn connections her Tips message monthly. If they do not want to receive the Tips message, LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at 

If you wish to unsubscribe, just click the SafeUnsubscribe link below.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564

Visit my blog    Follow me on Twitter