Imposters Around Virtually Every Corner

Technology presents a double-edged sword where personal identity is concerned. 

On the one hand, we have a plethora of authentication tools to help us determine if someone is who they say they are. On the other, clever crooks have gotten really good at using digital technology and social engineering to fool even the most advanced identity verification, not to mention human senses. Today, what we see with our own eyes and hear with our own ears often can't be trusted.

The proliferation of biometric-gathering surveillance technology is partly to blame. Our faces, irises, voices, fingerprints -- even the unique patterns made by the veins in our palms -- are collected, stored and shared digitally. This puts them at an increased risk of being intercepted by criminals looking to impersonate us for any number of nefarious reasons.  Add to that the long-standing problems with passwords.

Read on to discover a few of the more concerning issues related to overreaching personal data collection, the explosion of surveillance technologies and scams related to digital disguises. 


Data Security & Privacy Beacons
People and places making a difference**

Have you seen an organization or individual taking actions to improve privacy? Send me a note to nominate a privacy beacon of your own!

Sen. Edward J. Markey (D-Mass.) is asking some tough questions of doorbell-camera firm Ring. He is rightly concerned about the company's hundreds of video-sharing partnerships with U.S. police agencies. Citing "serious privacy and civil liberties concerns," the senator said he believes people are potentially at risk and wants to learn more. It's good to see these types of tech companies put on the hot seat by legislators. Hopefully they will provide honest and straightforward answers, and Sen. Markey and other lawmakers will push back if they don't. See my comments on the risks of Ring to the Wall Street Journal.

The Portland, Oregon, City Council is having meaningful discussions about the risks of facial technology use in their city. Council members are even considering a ban on such technology. It's good to see elected officials considering the privacy risks of technology and associated practices before something bad actually happens. Perhaps this will motivate law enforcement to sort through and mitigate all privacy risks and be able to answer all privacy questions, before launching such programs.

Alastair Mactaggart, the founder and board chair of Californians for Consumer Privacy, wants to amend the not-yet-enforced California Consumer Privacy Act (CCPA) through a ballot initiative in 2020. Whether or not you agree with his initiative, he certainly is dedicated to promoting and protecting people's privacy.

Lawmakers in Montana have passed legislation that "aims to protect student data from educational software companies that may collect information, including the names of students and their dates of birth, educational records, disciplinary records, test results, special education data, Social Security numbers and addresses and even criminal and medical records." Will other states start enacting similar laws to protect student privacy? We'll let you know.

**Privacy beacon shout-outs do not necessarily indicate an organization or person is addressing every privacy protection perfectly throughout their organization (no one is). It simply highlights a noteworthy example that is, in most cases, worth emulating.

Artificial Intelligence Mimics CEO's Voice
Cybercrooks can impersonate executives to force financial transfers   

Imagine the surprise when a European executive discovered it had not actually been his boss on the phone asking for that wire transfer of 222,000 euros. In fact, it was a cybercriminal who had used  artificial intelligence (AI) to mimic the CEO's voice to order the transfer. 

The executive who took the voice-spoofing call said he recognized attributes of his boss's voice, including his slight accent, when he took the phone call. 

Voice-spoofing attacks are just one of several AI-enabled cybercrimes expected to increase in the coming months and years. As the technology becomes more accessible, it takes fewer resources to deploy, opening the door for all kinds of crooks to pull off high-tech masquerades. 

With digital impersonation on the rise, it's more important than ever to have good controls in place. Written policies and procedures, on which employees are frequently trained, sent reminders and held accountable, are crucial for maintaining a cyber safe environment. 

Homeland Security requesting five years' worth of social usernames
Anyone coming to the U.S. will now have to share their social media usernames from the past five years. The Department of Homeland Security (DHS) says the agency will use the information to help determine if people can enter the country or receive immigration-related benefits. 

The initial list of social media platforms featured on the updated DHS forms will include Facebook, Flickr, Instagram, LinkedIn, Myspace, Reddit, Tumblr, Twitter and YouTube.

Over-reaching? Absolutely. Effective? Not likely. Plus, how many people will forget they even signed up for some of these sites then simply stopped using them? That could lead to other problems for them if the DHS finds old, unused accounts the person didn't list.

Ethical, appropriate, privacy-aware use of this personal data will depend on a large number of factors, not the least of which is how many people share their actual usernames. It doesn't take an experienced terrorism or social justice expert to anticipate the use of fabricated or borrowed usernames. How many people will use the accounts of others to throw off an investigation into their identity or association with others?

And, how will DHS protect, share and use the data it's collecting around social media usernames? For instance, will the agency analyze posts made by the applicant alone, or will they also be looking into posts of the applicant's connections? As we learned in the Cambridge Analytica / Facebook scandal, inappropriate use of data often extends beyond the primary target. 

Cybercrooks mess up heating, play rude songs 
A Wisconsin couple's Nest smart home system was the recent target of an attack. After discovering a pathway into the home network, the hackers turned the thermostat up to 90 degrees Fahrenheit.

What's more, the crooks found a way to communicate with the homeowners through the Nest camera, first speaking and then playing what's being described as "rude songs."

Unplugging the camera and resetting the passwords was not enough to stop the invasion, according to the homeowners. 

It's likely the hackers gained access to the entire home network, exposing potentially thousands of personal data files, live video / audio feeds and who knows what other kind of information on each of their connected devices. 

Keep incidents like this in mind as you shop for smart devices this upcoming holiday season. That dream gift you give may turn into a nightmare. 

WHAT ABOUT SMART TVS? Researchers discovered several smart TVs that are leaking private user information to Google, Facebook, Netflix and potentially others. Of the 34,586 controlled experiments the researchers ran, they found 71 out of 81 devices send information to destinations other than the device manufacturer. Read more.

WHO ELSE IS LISTENING? Smart devices are getting a lot of negative attention for listening in and recording our conversations, which is disguising some other well-known brands that have been doing the same for years. It was recently revealed that Skype contractors working for Microsoft have been listening to personal, sometimes very intimate, conversations. Read more.

WHAT CAN WE DO? Smart-home data security and privacy is just one of the many areas we hope to impact with the rollout of the NIST Privacy Framework... which I'm so excited to announce is steps away from completion. The team, of which I'm proud to be a part, has just released the preliminary framework, created and revised after gathering 45 days' worth of feedback. Have a look and let us know what you think!

What You Post Online Will Come Back to Haunt You
Valuable lesson about the indelible existence of social posts
During a highly publicized college football game in my home state this month, a fan held up a poster asking people to 'send beer money.' The sign, which was supposed to be funny, included the fan's Venmo username. As a result, hundreds of dollars began flowing into his account. 

Shocked and surprised, the fan decided to turn that money into a donation to a children's hospital. Local media picked up the story, and it quickly became national, garnering support from some major brands who offered to chip in, some even committing to matching all future Venmo donations to the hospital. 

The fan became famous overnight and was becoming something of a national hero.

But then, the Des Moines Register decided to poke around his Twitter account.

After finding posts that were racist and offensive -- posted more than 8 years ago when the fan was a minor -- the Register confronted the fan with the content. When the fan was a sophomore in high school, he made posts that quoted jokes and referenced the show Tosh O. He apologized, saying he was embarrassed and "stunned to reflect on what I thought was funny when I was a 16-year-old." 

Embarrassment, however, was just the tip of the iceberg. 

One of the major brands that had promised matching funds for the hospital has severed ties with the fundraising. Who knows what kind of impact that will have on the fund-raising effort, which to-date has raised more than $1 million. Will there be implications for the fan at his job? What about future employers? Future relationships? 

Just like his Tweets, the news coverage of this story will live on forever. 

PARENTS, use this story as a reminder to keep an eye on your children's social media accounts (at least until they are 18). Guide them regarding inappropriate content, not only of their own but of their contacts. Teach them to delete any posts that could have significant public impact on their lives, are inappropriate in general or could financially impact them. Talk with your teachers, too. Consider suggesting they cover the potentially life-long implications of inappropriate social media posts. 

REPORTERS, use discretion please. You can still do your job and be mindful of your subjects' privacy. Reporting on a minor's bad social posts in context of the great things he is as an adult does nothing for the "public good," as the Des Moines Register claimed in the above case. In fact, in this case, it caused major donors to cut ties with a public good. If you determine you must report on this type of situation, please do so with FULL context. Social posts can easily be twisted or skewed to appear to be something completely different than they, or the associated persons, really are.

Surveillance Balloons Launched over Midwest USA
Data security and privacy concerns around 'persistent surveillance system'
When I heard about the launch of networked surveillance balloons over my home state and surrounding states in the Midwest, I decided to dig a little deeper. Here's what I found...

A massive area is being watched

Based on an FCC filing for the test, it looks as though the balloons were scheduled to maneuver over and surveil all of Iowa and as many as seven other states.

Drug trafficking and homeland security are the stated purpose

The filing also revealed the objective of the testing and the eventual system is to locate and deter narcotic trafficking and homeland security threats. 

Vehicle monitoring is the goal

About 24 balloons were to fly at an altitude much higher than a commercial airplane (65,000 ft), making them undetectable to people looking up to the sky. They would use radar to track individual vehicles that travel across the states. 

Data security and privacy not addressed

There are so many privacy and data security questions about this testing. None of them is addressed in the FCC filing, which is incredibly brief. There is a long list of things I'd like to know, which you can see on my LinkedIn article. Here are just a few...
  • Was a privacy impact assessment (PIA) done for this surveillance project prior to the launch?
  • What data will be collected (e.g., images, coordinates, more)? What subsequent data will be generated based upon analysis of data collected?
  • Which data, cyber security and privacy controls are in place for the information collected?
Join me in asking questions when you see news like this. If we don't ask, government, law enforcement, private companies and plenty of other entities will just keep on collecting, storing and sharing data without a care in the world. 

Super Camera Can Pick You out of a Stadium Crowd in an Instant
500 megapixel cloud camera is powered by AI
Chinese scientists have come up with a machine that's being dubbed a "super camera." Capable of capturing thousands of faces simultaneously in perfect detail, the system can also instantaneously upload facial data to the cloud.

The Global Times reported that "some have expressed data safety and privacy concerns." No kidding. :)

While people may argue that these cameras will only be used in public spaces, where we have no reasonable expectation for privacy, that's not exactly a fair representation. With five times the resolution of the human eye, it's not exactly fair to compare being seen -- not to mention photographed and analyzed -- by artificial intelligence floating thousands of feet above you with being seen by someone you know or are aware is nearby.

Keep in mind, the camera can also capture video. Think of how many silly or inappropriate things you've seen people do at sporting events (maybe you've done them yourself). Imagine if that moment shows up in your inbox alongside an extortion email. We already know how taking situations, such as videos or photos, out of context can have significant personal impacts. 

This type of scenario may seem like a stretch today. But, with the combination of AI, facial recognition, real-time monitoring and cloud computing technology, it's more possible than you think.

Where to Find the Privacy Professor

On the road...

I just love speaking, hosting and teaching courses on data security and privacy. If you're looking for an experienced speaker who knows how to bring data security and privacy risks to life... on stage, on the airwaves or over the internet, please get in touch.

October 1, 2019:  NSBA Cybersecurity Webinar, 1 p.m. eastern. Event will address questions on cybersecurity, major computer chip defects and the growing pains of the 5G network.

October 24 & 25, 2019: Giving two talks at PwC Cybersecurity Day and then a half-day keynote the next day, in Luxembourg City, Luxembourg.

May 21, 2020: Speaking at the Contact Center Association of the Philippines (CCAP) Privacy Summit. More details to come!

On the air... 


I'm so excited to be hosting the radio show Data Security & Privacy with The Privacy Professor on the VoiceAmerica Business network.

I'd love for your organization to be a sponsor! Shoot me an email and I'll send you more details.

All episodes are available for on-demand listening on the VoiceAmerica site, as well as iTunes, Mobile Play, Stitcher, TuneIn, CastBox, iHeart Radio and similar apps and sites.

Some of the many topics we've addressed... 
  • student privacy
  • identity theft
  • medical cannabis patient privacy
  • children's online privacy and safety  
  • applications and systems security
  • cybercrime prosecutions and evidence
  • government surveillance
  • swatting 
  • GDPR
  • career advice for cybersecurity, privacy and IT professions
  • voting / elections security (a series)
Please check out some of my recorded episodes. You can view a complete listing of shows to date, grouped by topic. After you listen, let me know what you think! I truly do use what I hear from listeners.

SPONSORSHIP OPPORTUNITIES: Are you interested in being a sponsor or advertiser for my show? It's quickly growing with a large number of listeners worldwide. Please get in touch! There are many visual, audio and video possibilities.

We have current sponsorship openings in three of the four weeks' shows each month. If your organization wants to sponsor one show each month, I will cover topics  related to your organization's business services and/or products.

In the news... 

Advertising Now Available!

After repeated requests from some exciting brands, we've decided to open Tips of the Month up to sponsors. If you're interested in reaching our readers (maybe you have an exciting new privacy product or service or an annual event just around the corner), the Tips email may be just the thing to help you communicate to more people! 

We have a variety of advertising packages to meet every budget. 

3 Ways to Show Some Love

The Privacy Professor Monthly Tips is a passion of mine and something I've offered readers all over the world since 2007 (Time really flies!). If you love receiving your copy each month, consider taking a few moments to...

1) Tell a friend! The more readers who subscribe, the more awareness we cultivate.

2) Offer a free-will subscription! There are time and hard dollar costs to producing the Tips each month, and every little bit helps.

3) Share the content. All of the info in this email is sharable (I'd just ask that you follow

I've shared before how much I love Halloween time. Decorating the house, shopping for spooky stuff and picking out our disguises is just the best. 

At the same time, it reminds me that scary can go from fun to terrifying very quickly, especially when you've been tricked into believing something that isn't real. 

Keep your guard up this fall and don't be afraid to double check. That email, that call, that video message you got -- it may not be from the person you think. 

Have a spooky, but safe, Halloween season!


Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:

Source: Rebecca Herold. October 2019 Privacy Professor Tips.

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Info

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through
2) making a request directly to Rebecca Herold; or 
3) connecting with Rebecca Herold on LinkedIn

When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the encouraged communications by LinkedIn, she will send those asking for LinkedIn connections her Tips message monthly. If they do not want to receive the Tips message, LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at 

The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564