Heed the 'Storm' Warnings

As we enter the stormy season here in Midwest U.S.A., I'm thinking about the terrific progress that's been made to our severe weather warning systems. 

Whereas citizens were once beholden to the way the sky looked off in the distance, we now have everything from radio broadcasts to smartphone alarms to give us the heads up we need. Often the warnings we get are extremely detailed, letting us know down to the minute when and where storms will be the worst. 

While the red flags that signify data security and privacy 'storms' are not quite as accurate, they are still much more sophisticated than in the past. The trouble is, people have to heed the warnings for them to be effective. 

How much attention are you paying to data security and privacy warnings? Reading this month's Tips message is a good indicator you are doing pretty well. Keep up the good work; heads-up awareness is one of the best things you can do to prevent a data security and privacy storm from destroying your life.  

Data Security & Privacy Beacons
People and places making a difference**

MIT researcher Joy Buolamwini voiced her concerns about the limitations of facial recognition software used by law enforcement to identify suspects. After studying the platform, she learned it badly misidentified darker-hued women. In speaking out, Ms. Buolamwini went up against a very big company you may have heard of -- Amazon. Why isn't speaking up the norm? It certainly should be, but people who do are often faced with "hostile reactions." Thank you for speaking up, Joy Buolamwini!

Princeton University created a very cool tool that identifies Internet of Things (IoT) devices in a particular area. Called the Princeton IoT Inspector, the tool allows users to see a list of all IoT devices on a home network, as well as when they exchange data with an external server. Importantly, it tells users when that communication is and is not encrypted. This is a fantastic example of an organization arming consumers with the tools they need to interact smartly with the connected devices around them.

Sidewalk Labs, a Google sister company, has created street and other public space signs to notify people they are being watched and tracked. The signs are a representation of the privacy policies currently being drafted around the data collection technology. We'll certainly keep an eye out for those policies, but this is a nice first step. (Thank you for the pointer to this beacon, Dr. Katina Michael!)

Illinois lawmakers have passed a bill that seeks to ban internet device manufacturers from collecting audio from internet-connected devices without consumers' consent. It's good to see lawmakers taking action to require strong security and privacy controls. The requirement for device makers to notify consumers when their devices are recording audio in the vicinity is long overdue.

New York lawmakers are asking citizens to share their privacy concerns via a data privacy survey. It's refreshing to see a government agency take explicit steps to gather consumer opinions about activities that are privacy invasive. We'll see what ends up actually being done with the insights they uncover through the survey.

**Privacy beacon shout-outs do not necessarily indicate an organization or person is addressing every privacy protection perfectly throughout their organization (no one is). It simply highlights a noteworthy example that is, in most cases, worth emulating.

Real-Life ATM Skimmer Story
Hackers invest very little to reap big rewards

The actual device Jim N. removed from the ATM.
When my Facebook friend Jim N. posted photos of the ATM skimmer he ran across, I was reminded how prevalent these devices are becoming.
The reason they are so popular among the criminal element is that they are cheap and effective.
Jim found and removed the device by pulling on an unusual black tab he saw shoved into the ATM's card slot.

"My card was way too tight as I pushed it in the ATM," he posted on Facebook. "I pulled on the black tab and the skimmer came right out." 

Notice that you can see the data-transmitting device (it's the tiny black square in the pictures). Don't worry; Jim's card was not compromised.

Side view of the device.

How to Spot a Skimmer

If you detect any of the below red flags while using an ATM or gas pump, do not use the machine and call the bank or station that operates it to report what you experienced.
  • The part where you insert or slide your card can be wiggled easily.
  • There are unusual gaps or spaces around the terminal's front-facing components. 
  • A small hole for a tiny camera appears near the receipt slot. 
  • Something looks suspiciously different from the last time you used the terminal. 
  • Inserting or removing the card is difficult.

Impersonator uses urgency as ploy
A common tactic in the phishing scammer's playbook is to create a sense of urgency. Among other things, it can force the recipient to stop thinking clearly. Because the sender (who is often posing as a boss or supervisor) appears to be in a rush, the recipient can feel pressured to do as the scammer asks.

Fortunately, in the real-life case I was alerted to below, the recipients were security aware and did not fall into the popular trap. 

RED FLAG WARNING: As you can see in the screenshot below, the person posing as me was not using my real email address. That is a huge red flag.

Keep in mind that anyone can attach any name to any email they send. The person who is being spoofed has virtually no control over this. I've had many people with good intentions contact me over the years to say, "You've been hacked! You need to change your password!" However, a spoofed message has nothing to do with a compromised password. It's nothing I, or anyone else who has been impersonated, could have prevented.

Never rely on the name; always verify the email address. If you're unsure, contact the sender to check as my friend did here. Better safe than sorry! 
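As an added illustration (not part of the newsletter), the check below does in code what the advice above asks a reader to do by eye: it parses a From: header, looks the display name up in a directory of known senders, and flags a message whose name matches a known sender but whose address does not, as well as one that hides an address inside the display name. The sender directory, the headers and the example.com/.test domains are all constructed placeholders.

```python
"""Flag display-name spoofing in a From: header (constructed example)."""
import re
from email.utils import parseaddr

# Constructed directory: display names we expect, mapped to the addresses
# that legitimately use them. Domains are placeholders, not real senders.
TRUSTED_SENDERS = {
    "rebecca herold": {"rebecca@example.com"},
    "jane ceo": {"jane.ceo@example.com"},
}

# Matches an email address that has been placed inside the display name.
EMAIL_IN_NAME = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def normalize(name: str) -> str:
    """Lower-case and collapse whitespace so 'Rebecca  Herold' still matches."""
    return " ".join(name.lower().split())


def check_from_header(header: str) -> tuple:
    """Return (verdict, reason) for a raw From: header value.

    Verdicts:
      'spoofed'    display name belongs to a known sender, address does not
      'suspicious' no usable address, or an address hidden in the display name
      'trusted'    name and address agree with the directory
      'unknown'    sender is not in the directory (no verdict either way)
    """
    display_name, address = parseaddr(header)
    address = address.lower()
    if not address:
        return "suspicious", "no parseable address"
    # '"alice@example.com" <other@somewhere.test>' shows a familiar address
    # to the reader while the real sender sits in the angle brackets.
    if EMAIL_IN_NAME.search(display_name):
        return "suspicious", "email address embedded in display name"
    known = TRUSTED_SENDERS.get(normalize(display_name))
    if known is None:
        return "unknown", "display name not in directory"
    if address in known:
        return "trusted", "name and address match directory"
    return "spoofed", "display name matches a known sender but address is " + address
```

A mail filter built on this only knows what the directory tells it; the name-to-address mapping has to be maintained alongside the staff list it protects.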

Amazon Adds HIPAA-Compliant Alexa Skills
Actual employees may hear your medical conversations.
In addition to checking a bank balance, ordering a pizza or creating a shopping list, Alexa will now allow users to perform a variety of healthcare tasks. So long as their provider has enabled the Alexa skill (Amazon's term for "app"), patients can make an appointment and even manage prescriptions.

While this kind of access and connectivity has great potential to improve healthcare services and engagement, there are a few data security and privacy caveats we must all consider. 

My advice to those considering using Alexa for healthcare (or any) purpose is two-fold:
  1. Make sure all the Alexa-enabled device's security and privacy controls are set to the highest level (never rely on default settings to protect you).
  2. Fully turn off the device when you don't want the possibility of anything you say, or anything going on in the environment, being heard (mute is not good enough).

THIS JUST IN: A recent report by CBS News found computers, algorithms and artificial intelligence robots aren't the only ones that hear what's going on around Alexa devices. In fact, there is an entire group of Amazon employees who listen to Alexa recordings, as many as 1,000 per day, transcribing and annotating them to then feed into Amazon's machine learning and voice recognition platforms.

On the Facebook Front
Privacy news from the world's most powerful social media company
Facebook never ceases to raise data security and privacy concerns. They give us something new to talk about seemingly every day. Here are a few eyebrow-raising moments from recent months.

Instagram passwords not protected: Facebook, which owns Instagram, admitted millions of Instagram passwords were stored in plain text on its servers, making them accessible to employees. There are several things you can do to protect yourself. Check out my advice in a recent Bustle article.

No more Moments: Any Facebook users who may have been relying on the Moments feature to archive their histories will soon be out of luck. This is an excellent reminder to never rely on any one feature, technology, device or provider to maintain your memories. If you print photos, print doubles and store them in a second location. If you only have digital copies, keep backups, also stored in separate locations.

Why am I seeing this post? A new feature from Facebook will allow users to view a list of variables that explain how their past interactions on the site led to News Feed prioritizing some posts over others. This is a decent first step towards more transparency from Facebook as to how it uses behavioral data. That said, it will be interesting to see how much they actually disclose when this is put into practice.

Should I really download this app? 
I finally got around to opening a holiday gift that arrived late from China. It was an angel nightlight that could also play music from a nearby Bluetooth device.  

In the package was a USB cord and instructions (written in Chinese only) to plug the nightlight into a laptop computer. However, to turn the light on, you needed to have an app, which the instructions directed me to download using a QR code. 

Against my better judgement (curiosity got the better of me), I scanned the QR code, got the URL and then typed the URL into my phone's browser. It took me to a Chinese-language website that Google wouldn't translate. 

I got a bad feeling and stopped. Did I do the right thing, or do you think chances are good it would have been safe for me to download the app and plug in the nightlight?

First, great job NOT connecting a device you didn't trust into your computer. More people need to listen to that gut instinct. 

Second, your concerns around the technology's country of origin are understandable, given all the media attention around the topic. And, it's great to know you are aware of the risks in general. 

The details you shared are definite red flags, and you did the right thing. One other step you may consider next time is checking the URL's safety by entering it into a URL security checker before visiting the actual site. A couple of good ones are safeweb.norton.com and zulu.zscaler.com, both of which will tell you if the URL is safe, based on their analytics, before you visit. 

Overall, great job heeding the warning signs and erring on the safe side. A nightlight is certainly not worth the potential risks to your personal data and privacy.

I'd like to ask a question of my own relevant to the above... 

To my readers in China, what do you think about the concerns around technology originating from your country? Are the growing global perceptions around Chinese technology accurate? Please share your perspective by emailing me at rebeccaherold@rebeccaherold.com

Where to Find the Privacy Professor

On the road...
If you're looking for an experienced speaker who knows how to bring data security and privacy risks to life... on stage, on the airwaves or over the internet, please get in touch.

On the air... 


I'm so excited to be hosting the radio show Data Security & Privacy with The Privacy Professor on the VoiceAmerica Business network. All episodes are available for on-demand listening on the VoiceAmerica site, as well as iTunes, Mobile Play, Stitcher, TuneIn, CastBox, Player.fm and similar apps and sites.

Hear the perspectives of incredible guests as they talk through a wide range of hot topics.

Some of the many topics we've addressed... 
  • identity theft
  • medical cannabis patient privacy
  • children's online privacy and safety  
  • applications and systems security
  • cybercrime prosecutions and evidence
  • government surveillance
  • swatting 
  • GDPR
  • career advice for cybersecurity, privacy and IT professions
  • voting / elections security (a series)
Please check out some of my recorded episodes. You can view a complete listing of shows to date, grouped by topic. After you listen, let me know what you think! I truly do use what I hear from listeners.

SPONSORSHIP OPPORTUNITIES: Are you interested in being a sponsor or advertiser for my show? It's quickly growing with a large number of listeners worldwide. Please get in touch! There are many visual, audio and video possibilities.

In the news... 

3 Ways to Show Some Love

The Privacy Professor Monthly Tips is a passion of mine and something I've offered readers all over the world since 2007 (time really flies!). If you love receiving your copy each month, consider taking a few moments to...

1) Tell a friend! The more readers who subscribe, the more awareness we cultivate.

2) Offer a free-will subscription! There are time and hard dollar costs to producing the Tips each month, and every little bit helps.

3) Share the content. All of the info in this email is sharable (I'd just ask that you follow

Funnel cloud forming right over our home last spring

When witnessed from a safe distance, storms can actually be quite magnificent, sometimes even beautiful to watch. If we are far from the impact, we can have a hard time sensing the real danger. 

Threats to our data and privacy can be experienced in much the same way. There's a tendency to let apathy or a false sense of security take over. This month, find ways to engage in the threat mitigation. Read more articles, ask more questions, and when possible, take action. 

If you ever have questions about what you can do in your neck of the woods to make a difference, certainly get in touch. I'm always happy to brainstorm ideas with this wonderful community.

Have a beautiful and safe May,

Need Help?

Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share  excerpts, as well, with the following attribution:

Source: Rebecca Herold. May 2019 Privacy Professor Tips. www.privacyprofessor.com.

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Info

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through PrivacyGuidance.com
2) making a request directly to Rebecca Herold; or 
3) connecting with Rebecca Herold on LinkedIn

When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the encouraged communications by LinkedIn, she will send those asking for LinkedIn connections her Tips message monthly. If they do not want to receive the Tips message, LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com. 

If you wish to unsubscribe, just click the SafeUnsubscribe link below.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564
