Gratitude for Changing Attitudes
The days of data security and privacy tricks are numbered. The more we learn, the easier they are to spot. Increasing awareness is setting a new standard, and changing attitudes will be No. 1 on my gratitude list this Thanksgiving.

New Look and Feel

You may notice a few style changes to the Tips this month. One is the use of a bold, amber font for some terms. This is to draw your attention to a few key points, making takeaways easier to find. Let us know if you find it helpful.
November Tips of the Month

  • Data Security & Privacy Beacons

  • AI Isn't Always Right

  • Apple's 'Significant Locations' a Significant Privacy Violation

  • Pay with Your Hands, Play with Your Safety

  • Bad Marketing May Also Be Illegal

  • Work from Home Elevates Training Need

  • How to Defeat Internet Trolls

  • Where to Find The Privacy Professor
Data Security & Privacy Beacons*
People and places making a difference
The Iowa Secretary of State did a great job sending email messages during Cybersecurity Awareness Month. They put out an entire newsletter series in October. We especially loved, "4 tips and tricks for staying cyber secure while working at home." Work-from-home data security and privacy practices have been a strong focus for our team in recent months.

Google's Scam Spotter provides a set of pretty nifty tools to raise privacy awareness. Being able to spot and avoid scams, particularly during COVID-19, is critical. Does Google do a lot of privacy-invasive things? Yes, they do. But it's equally important to recognize the positive actions they take.

Mashable shared a really important privacy tip with readers this month: How to blur your house on Google Street View. In addition to showing how it can be done, the article also pointed out why a homeowner may want to do this. Among the reasons are that the service can sometimes offer unobstructed views of a home's interior and even show people in embarrassing situations.

NIST's The Phish Scale helps employees avoid becoming victims of phishing scams, something that is particularly important now as many remote workers are conducting business outside usual firewalls and other data security controls. The Phish Scale goes beyond typical phishing training programs by giving the CISOs who run them a deeper understanding of whether a particular phishing email is harder to detect.

CNN is another media outlet receiving a Privacy Beacon for excellent privacy-aware reporting. Recent coverage shared instructions on spotting deep fake videos and images, which are becoming a real problem now that access to AI software and advanced editing tools is so easy. Among the clues the article shared was to look at actions like head motion and blinking, as those natural movements are difficult to replicate.

*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. They simply highlight a noteworthy example of privacy-aware practices.
AI Isn't Always Right
Facebook algorithm flags a vegetable as 'suggestive'
A Business Insider story recently reported that Facebook’s artificial intelligence (AI) tool flagged an ad from a Canadian garden center. The ad contained an image of Walla Walla onions, which Facebook's algorithm identified as having violated rules against "positioning products or services in a sexually suggestive manner."

Although Facebook reinstated the ad after a subsequent manual review, this is a perfect example of how easily AI-based technology can go awry. In fact, as Facebook’s head of communication said in a public apology, AI doesn’t know an onion from a “you-know-what.”

We simply can’t rely on AI alone. Yet, so many people, organizations and even security companies believe AI can do no wrong. No doubt, AI is accomplishing some very big, very meaningful things, and there's great potential for even more. But, we're not all the way there yet.

Human judgement must supplement AI outcomes for now (maybe for always). We only have to look to The Office's Michael Scott for a demonstration of how abandoning common sense while interacting with automation can go horribly wrong. Fans of the American TV show will remember the hilarious incident in which Michael drives into a lake because his car told him to. This is just one example of how blindly trusting AI can fail us.

Using AI can make our lives easier, but it doesn’t completely absolve us of the responsibility for important decisions. Be thankful you have common sense and use it.
Apple's 'Significant Locations' a Significant Privacy Violation
Digital tabs on everywhere you've been
A Forbes contributor encourages readers to consider whether convenience is more important than privacy when it comes to a feature called Significant Locations in Apple iOS.

The feature, which is essentially a hidden location tracking center, is tucked away in the privacy settings. By default, it is on and running.

Significant Locations continually builds a data repository of the locations visited by the Apple device's owner. It includes details like times, dates, maps and even the mode of transportation taken to get there. If you're an Apple user, you can see what's been gathered on you by following this navigation:

Settings > Privacy > Location Services > System Services > Significant Locations

I’m sure many people just learning about this will be creeped out. Fortunately, you have the option to remove Significant Locations. Simply follow the navigation path above and direct the tool to delete a single location or all of them.

Apple claims that what happens on iPhone stays on iPhone, and that Apple can’t access the data. Even if we buy that, this is still a huge privacy issue. As the BBC recently reported, smart devices and the data they contain are often exploited for domestic abuse. The feature may provide users with personalized services related to their location (e.g., predictive traffic routes), but are those conveniences worth the invasion of privacy?

That’s a decision each of us has to make for ourselves. However, many of us are also making these decisions for our children.

A covert feature in a popular smartwatch for kids was recently found by researchers at a Norwegian cyberthreat response company. They looked at an app on the XPLORA 4 smartwatch called Persistent Connection Service.

The researchers sent an encrypted control message to the watch to see what kind of action it would trigger. The action, scarily enough, was to track locations and take a picture, which was then sent to the vendor’s cloud server... all without approval. Even scarier, the researchers found this is just one of a few unusual control messages built into the watch.

There is a potential bright side to the story, however. After the Norwegian researchers contacted the smartwatch manufacturer, they reportedly deployed a security patch. That bright side dims a little bit, though, when you think about all the smartwatch wearers (kids!) who won't initiate an update to get the patch. What's more, it boggles the mind to think that this device made it to shelves with such an apparent disregard for security and privacy in the first place.

As we approach gift-giving season, please be smarter than the devices you buy, especially if you intend to give them to children. Do your homework, and if you come across any questions, shoot me a note. I'd be happy to give you my opinion.
Pay with Your Hands, Play with Your Safety
Amazon's new way to spend
Amazon is genius at helping consumers part with their money. The e-commerce giant is a pioneer of many different payment innovations, from stored card credentials to the "buy now" button.

Their latest rollout is a point-of-sale device allowing consumers to pay for merchandise using their hands. Apparently cash, cards and smart devices are not enough.

The so-called palm recognition technology is known as Amazon One. The innovation is built to identify people through their hands by "reading" lines and ridges to create individual “palm signatures.”

Several things are concerning about this development. For starters, uploading the biometric data of millions into potentially vulnerable cloud servers is like dangling bait off the side of a boat... a boat floating in the deep, dark web. Cybercriminals are salivating at the prospect of stealing that kind of personal data to round out the identity profiles they're busy building on each of us. Remember, no technology is 100% secure, which is what makes implementing layers of security so important.

Less tech-savvy criminals may see other opportunities with this kind of technology, especially as it's used for other authentications, such as entering a building or secure space. Forcing someone into a state of unconsciousness (or worse, death) could allow them access to any number of things.

Please remember as you engage with new methods of payment and authentication that the technology is just that... new. The bugs and kinks have yet to be worked out. It bears repeating, no technology is 100% secure! Are you willing to be the guinea pig that helps Amazon and other developers like them discover the patches that need to be made to make them as safe as possible?
Bad Marketing May Also Be Illegal
Legislators say unsolicited mass emailing
An unsolicited email I just received last month set off my privacy alarm bells. It came from a first-level LinkedIn connection. I did not know this individual personally.

The message explained the sender had recently switched careers. It turned quickly into a sales pitch.

Not only was the cold-call email bad etiquette, but several factors also made it a clear violation of data privacy rules.

  1. All recipient emails were visible. In addition to me, the email was sent to about 50 other people. How do I know? The sender put everyone in the "To" field, making all email addresses visible to each of us. Any one of us could very easily have grabbed those addresses and spammed them, too.
  2. The sender did not obtain consent. I never authorized this individual to send me emails of this nature. That violates General Data Protection Regulation (GDPR) rules. You may recall receiving requests to resubscribe from companies a couple of years ago when GDPR went into effect. What's more, this is likely a violation of the CAN-SPAM Act in the U.S., which was signed into law in 2003.
  3. There was no unsubscribe option. GDPR and CAN-SPAM stipulate that senders must provide a way for someone to unsubscribe.
Of course, GDPR and CAN-SPAM are not the only regulations that would govern this kind of mass, unsolicited emailing effort. For example, California has also passed a law that affects email marketers -- the California Consumer Privacy Act (CCPA). Under that set of rules, companies must disclose the information they've collected on customers, such as an email address, and clearly communicate how they intend to use it. There are many other requirements under the CCPA, such as providing consumers the ability to opt out of personal data use. And there are many similar laws around the world giving consumers the right not to receive spam.

Privacy violations weren't the only issue the email I received highlighted. There were also potential security issues.

The sender committed a cybersecurity no-no by attaching a Word doc to the email. Such an attachment could have easily contained a virus or malware.

Even though I believe this particular email was likely a naïve mistake by someone who wanted to drum up business in his new role, he could still face legal action -- as could his employer. Violations of this kind can result in hefty fines and penalties.

Incidents like this serve as good reminders that email addresses are personal information. They must be treated with the same level of data security and privacy respect as any other type of personal data.
Work from Home Elevates Training Need
What employees don't know *can* hurt them... and others
Is your child's school prepared to respond to ransomware attacks?

In September, a hacker published Social Security numbers, grades and other private information online after it was stolen in just such an attack. The victimized school, which received a ransom demand for unlocking computer servers, refused to pay up. In retaliation (or maybe just because the hacker could), the data was uploaded to the Internet for all to see.

This is not happening just to schools. It's happening to all types of organizations, the healthcare and public health sectors in particular. And it's only getting worse with employees working remotely. In many cases, workers are going about their duties online as usual, but without the benefit of on-site security controls. These individuals MUST receive training specific to their new environment, or we're going to see ransomware attacks increase to a level we've not seen before.

It's important to know that today's ransomware attacks often go beyond locking down data. They can also have life-and-death consequences. As we write this, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has just issued an important advisory alert, “Ransomware Activity Targeting the Healthcare and Public Health Sector.” Everyone who works in or for a healthcare provider, insurer or clearinghouse organization should read this alert to avoid falling for the tactics described.

Experts already predict a dramatic uptick as companies continue to operate with remote workers. One estimate has businesses in 2021 falling victim to a ransomware attack every 11 seconds.

On the subject of remote worker risks, I'll be speaking about remote and work-from-home security and privacy at the November 5 Silicon Valley ISACA chapter webinar, “Security & Privacy Compliance in Work from Home Situations,” from 6pm – 7pm PST. Please attend if you can.

Also, our team has assembled a series of training tools and resources to help employers keep their team's awareness and procedures up to snuff. To check them out, visit Privacy & Security Brainiacs.
How to Defeat Internet Trolls
Responding to online comments with dignity
I’ve experienced hecklers on my social media sites in the past. But, my recent podcast on voter security really had them coming out of the woodwork.

The show discussed the results of solid and objective research on various U.S. voting methods, including verifiable findings that actual fraud is rare. Throughout, I was extra careful not to show overt support for any political party or pundit. Still, internet “trolls” and even some people I’m acquainted with on LinkedIn and Facebook were not deterred. I'm not surprised. Online harassers love to stir up trouble, starting uncalled-for fights for myriad reasons. But when they cross the line, it is important to take action, given the increasing hate we see in this world.

If you’ve ever been attacked online, you know it can be both disappointing and hurtful, but also scary. Negative and bullying comments sometimes even turn into vile name calling and physical violence threats, which I personally experienced.

For threats that include physical violence, the first step is to contact your local police department and/or the FBI, as I did. However, if the comments are simply upsetting, offensive or seem to be intended to get some sort of rise out of you, it will often be effective to simply delete the message.

Here are some additional tactics for defeating, or at least dealing with, internet trolls and threat makers. Consider using some or all of these, depending on the type of harassing comments and the capabilities of the site on which the cyberbullying is occurring:
  • Take screenshots or copies of the messages. You may need evidence.
  • Report the harassment or threats to the site admin. Facebook, LinkedIn, Twitter and other sites have procedures for taking such reports.
  • If part of an online group, report to the group organizer/admin. That person typically has the ability to warn the offender to stop bad behavior, or to even kick the person out of the group.
  • If the messages persist, block the person/account making them. Most social media sites have tools for this.
  • If it continues still, talk with an organization like Civilination, the American Civil Liberties Union or the Anti-Defamation League. They will provide assistance. (If you know of other groups to add to this list, let us know.)
  • If your immediate safety is endangered, and you are in the USA, contact your local law enforcement and/or the FBI. For other countries, contact your law enforcement. Do you have other suggestions for whom to contact? Drop us a line.
FOR EMPLOYERS: Incorporate online behavior rules for employees to follow when they post on behalf of your business, from your business network or accounts, or are associated with your business (e.g., LinkedIn or online industry groups). I’ve seen many negative and hateful comments on LinkedIn, which is not only disappointing, but far outside the purpose of professional networking online. (Why does LinkedIn allow users to create posts that do not support its stated mission to “connect the world’s professionals to make them more productive and successful”? How do hateful and harassing comments, or threats, support productivity and success?)
Bad behavior by employees online can have negative impacts, not only on the cyberbullying targets of your employee, but also on your business. Here's just one example of a recent headline-making incident: Former eBay Employee Pleads Guilty in Aggressive Cyberstalking Campaign.

Best Practices for Governing Employee Online Behavior
  1. Include prohibitions against online trolling and threats within your security, privacy or HR policy. Make it clear that trolling posts will not be tolerated and will result in disciplinary action up to dismissal and the potential involvement of law enforcement.
  2. Establish responsibility for monitoring online threats and harassment. Such activities can often be performed using online tools (both within and outside certain sites) or by using businesses that offer such services.
  3. Report. When your employees are the targets of hateful posts, or see such activities occurring, direct them to contact a specific department and/or team within your organization to report the activity. The advice may simply be to delete the messages and see if the trolling stops. But, depending on the type of threat, your organization may want to go beyond such action.
Words matter. In the U.S., everyone has a right to free speech, both the good and the bad. And certainly the right of individual expression is important. But, when words turn into harassment and threats, they become a personal and public safety issue that must be addressed. While simply ignoring online trolls will sometimes work, and may be best to do when such situations pop up, if it continues on, action may need to be taken.
Where to Find the Privacy Professor
Here are just a few of the podcasts I've visited over the past few weeks.
On this Trility podcast, we discussed infosec and privacy specifically for senior living facilities.
Listen in to learn more about pandemic-era threats to consumer data security and privacy. 
The topic here was how to protect your home, kids, finances, health data and business from hackers. 
Privacy Piracy
It's always a pleasure to talk with Mari Frank. My recent visit to her show, Privacy Piracy, was a blast. We discussed the many different facets of data security and privacy within work-from-home circumstances, which happens to be the basis of both my new service Privacy Brainiacs and my upcoming book, "Security & Privacy When Working from Home & Travelling."
A couple recent industry articles to which I've contributed thoughts...
Defense-in-Depth (DiD) Strategies: Protect Higher Ed Users Against Cyberthreats
VA Did Not Disclose Huge Data Breach for 7 Weeks
My Radio Show
If you haven't checked out my radio show, Data Security & Privacy with the Privacy Professor, please do so. We discuss a wide range of real-world topics within the data security and privacy realm.

Latest Episode

NIST Wants Your Feedback
In this video, Michael Fagan, technical lead for the NIST Cybersecurity for IoT program, and I, a subject matter expert (SME) on the NIST Cybersecurity for IoT program team, describe the path that led to the GitHub posting and its role in developing the Federal Profile.
Help Wanted: Growing a Workforce for Managing Privacy Risk
I was honored to be part of all three days of this important NIST virtual workshop, hosted by IAPP.

See the closing session, which includes takeaways from each of the breakout session leaders.

Cybersecurity Risks in Consumer Home IoT Products
Especially ahead of the holiday buying season, this session contains vital information for consumers.

Watch Part 1 of the workshop, which highlighted many considerations impacting the cybersecurity of IoT products.
Thankful for YOU!
You've made it to the end, which tells me I'm connecting with a true data security and privacy advocate!

I so appreciate your attention to this month's Tips Message, and hope you have a wonderful November.

For those of you in the U.S., here's to a safe, enjoyable and healthy Thanksgiving!

The Privacy Professor | Website
Privacy & Security Brainiacs | Website
Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:

Source: Rebecca Herold. November 2020 Privacy Professor Tips.

NOTE: Permission for excerpts does not extend to images.