Harvesting Data They Don't Need

How often have you downloaded an app, made a purchase or signed up for a service and thought, "Now, why do they need to know that piece of information?" It happens all the time - organizations asking for way more data than they really need.

Because data is the new currency, everyone is after it. The most valuable of all is the data that reveals information about people and their lives. And when we indicate a willingness to give away some of our information, the data hungry among us begin to salivate. "Give me more!"

Unless we push back, the overconsumption of our valuable and private data will continue. It's up to each of us to be aware of what we're giving away and to follow up with the tough questions.

So, the next time you wonder why they need that information, ask. Just the simple act of inquiring does a lot to keep these companies on the straight and narrow.  

It's nearly harvest time in my home state of Iowa, USA. Thought I'd do a little farm theme with the pictures this month in honor of the honest, hard work family farmers put in all year long.

Facebook Isn't Satisfied Yet
Social giant wants purchase histories, dating data to round out collection

My son on the farm, circa 2016
Since Facebook's CEO went before Congress to answer questions about the company's security and privacy failings, it seems the social giant has become even more aggressive in its pursuit of private information.

Facebook now wants...
  • Financial data: So users can access their banking features from within Facebook.
  • Dating preferences: So users can build "real, long-term relationships" within Facebook.
Inquiries from lawmakers are clearly not enough to slow Facebook and other social media companies in their race to own every piece of private information about their users; but it should be enough to get Facebook's users asking serious questions. Before enrolling in either of the above "features," ask yourself if the data trade-off is worth it.

In August, I spoke with financial journalist Roy Urrico about the issue. Check out Facebook's Proposed Financial Data Use Ignites More Controversy to learn more.

Privacy Heroes: Dr. Larry Ponemon and Susan Jayson
Industry leaders first to collect privacy statistics and research

Dr. Larry Ponemon and his wife Susan Jayson are co-founders of the Ponemon Institute, a research think tank dedicated to advancing privacy, data protection and information security practices.

They were the first researchers to collect and maintain privacy statistics, as well as perform analysis on those statistics. It was an incredibly important contribution to the field. The data has been instrumental to the creation of a rich history, detailing how privacy trends in many different industries and areas of life have evolved over time.

I've personally relied on Ponemon Institute stats and research for years, and have seen firsthand how so many organizations depend on Dr. Ponemon's and Ms. Jayson's work to guide their privacy and information security decisions.

Dr. Ponemon is considered a pioneer in privacy auditing and the Responsible Information Management (RIM) framework. Security Magazine named him one of the "Most Influential People for Security." In addition to being a researcher and advocate, Dr. Ponemon is an educator. He is an adjunct professor for ethics and privacy at Carnegie Mellon University's CIO Institute and a fellow at the Center for Government Innovation at the Unisys Corporation.

With more than 20 years of experience in financial communications, Ms. Jayson now serves as executive director of the Ponemon Institute. She has worked in investor relations and communications for The Financial Relations Board (FRB) in New York and Qorvis Communications in Washington D.C. Ms. Jayson was also the technical editor of Management Accounting magazine for more than 10 years.

Please join me in celebrating another dynamic duo in the security and privacy industry. We are so fortunate to count them among our community's leadership!

We want to know: Who is your privacy hero?
Throughout 2018, we'll introduce an individual or team who has gone over and above to advance data security and/or privacy in their corner of the world. To nominate, simply drop us a note and explain why we need to know your hero.
At the end of December, we will announce our Privacy Hero of 2018. The hero will receive a token of appreciation and commemoration of outstanding work.

Google Flies Under the Radar, Collects Far More Data
"I'm glad I don't use Android."
That was the note a friend sent me along with a pointer to this article from Digital Content Next: Google Data Collection Research.

Just some of the disturbing take-aways:
  • Google continues to track location data even after a consumer has turned off the setting.
  • A dormant, stationary Android phone communicated location information to Google 340 times in 24 hours.
  • "Anonymous" advertising identifiers can be associated with a user's real identity through passing of device-level data to Google servers by an Android device.
As the researchers point out, Facebook has been taking a lot of the heat lately, but Google has the ability to collect "far more personal data about consumers across a variety of touchpoints."

Hey, Apple & other OS users... 

Don't be completely relieved. Just because we've not seen similarly detailed research on Apple and other devices doesn't mean risks don't exist. Be diligent in securing every type of system you use.

Privacy as a 'Business Issue of Note'
GDPR forces many to reconsider how they are collecting data
The European regulation that caused so many businesses and other entities that gather personal information to scramble for compliance has so far generated at least one really great outcome: 

Businesses are taking data security and privacy much more seriously.

As writer Naomi Eide put it in her CIO Dive coverage, "More companies are considering privacy as a business issue of note, not an afterthought."

I spoke with Ms. Eide last month about several topics, including where data collection on the Internet really started (e-commerce). We also discussed how people have become much too comfortable giving away their data without stopping to consider who will get it and how it will be used to make decisions about them.

In isolation, single data points are fairly harmless, especially when they are truly anonymized and encrypted. However, single data points are rare today (as is real anonymity and good encryption). Because consumers give away so much data - often without even realizing it (e.g. our cell phone's GPS locator in always-on mode) - it's much easier to uncover who even isolated data belongs to and what it means. 

Big data analytics and machine learning algorithms are taking all that isolated data, blending it together and coming away with a freakishly accurate profile of the target. And that target is you!

Fortunately, in-roads to awareness are becoming better traveled. And, we have GDPR to thank for much of the progress.

Harvesting corn on my farm a few years ago.
An App for Voting?
Why cyber security experts are nervous

When the Daily Wire asked for my thoughts on the implications of a proposed "mobile voting platform," I was more than happy to give them. While the spirit of such an innovation is spot-on (encouraging more people to vote), the deployment will be tricky. 

Here's a bit of what I told the reporter:
  • Because apps are often viewed as "breachable," some voters may be nervous about using such a platform. 
  • That said, all technology has the possibility of doing good. It should be engineered correctly with layers of security and thoroughly tested. That testing should happen well before deployment and then repeated throughout administration and management of the innovation.  
  • The app Daily Wire was reporting on doesn't appear to have been tested by objective third parties to ensure all identifiable risks have been appropriately resolved. A good test will involve enough subjects within a wide enough range of situations and digital environments. 
I'd love to hear what you think about mobile voting. Is it something you would participate in? Send me a note and I may include your thoughts in an upcoming episode of my radio show, Data Security & Privacy with The Privacy Professor.

My guests and I have devoted several episodes to the topic of voting security, each of which you can listen to on-demand. I'm also planning another show on voting security, which will air first on Sept. 11, and a few more in the weeks and months to follow. Just visit the site archive at Voice America online or subscribe through iTunes, Stitcher or wherever you get your podcasts. 

All Data Leakage is Not Digital
Physical threats to data just as bad today as decades ago

My grandfather in a plowing contest, circa 1948
Breaches happen in more spaces than digital. Unauthorized access to physical forms of information is a big problem facing many different industries, especially in healthcare, government, education and law enforcement. 

Here are just three of the more common mistakes businesses, agencies and organizations make with physical forms of personal information. 
  • Placing boxes of customer or patient records on the curb for trash pickup
  • Not restricting access to small data storage devices, such as USB drives and external hard drives
  • Failing to lock down access to backup media
There are numerous other missteps that expose personal and other types of sensitive information. But with all the news hackers make, digital vulnerabilities comprise the majority of today's headlines. 

That's why I decided to tackle the issue on a recent episode of Data Security & Privacy with the Privacy Professor. My guest, Andrew Ysasi, Vice President of Kent Record Management and President of IG Guru, talked about some of the more bizarre incidents involving physical breaches he's seen. Click on the icon below to listen in.

Reader Question: Electronic Voting Systems
"I wondered if you'd seen The Economist piece on how much more secure the electronic voting systems are compared to the known issues with the paper based versions?"

Thank you for sending that article my way! 

Let's start with the obvious, and that's the click-bait headline: Voting Machines in America Are Reassuringly Hard to Hack. Ask most any cyber security pro who has studied these terminals and their associated systems; you will not hear the word "reassuring" in any of their remarks. 

Second, the article completely omits critical details about the wide diversity and ages of voting systems currently in use throughout the U.S. The Federal government does not establish any requirements for voting systems; that is the responsibility of each state and territory. Because of this, the range of data and cyber security risks varies greatly throughout the country.

Lastly, some of the information within the article is just plain incorrect.

Check out this research report about election security in all 50 states. The main takeaway is that all states have room for improvement; some much more than others.

My radio show guest Marian Schneider, President of Verified Voting, and I will be covering the topic on my show Sept. 11: Voting Systems Security & Risk Limiting Audits. You can also listen to my recent discussion with Maurice Turner about the security of voting machines. Maurice provides some great insights, but I can't promise they'll be "reassuring." :)

Where to Find the Privacy Professor

In the classroom... 

After years of providing a regularly updated set of online employee training modules for my SIMBUS business clients and on-site certification teaching for IAPP, I'm excited to now also be teaching online IAPP-approved CIPP certification classes.

As an instructor for AshleyTrainingOnline, an IAPP-registered certified training partner, I will host a full schedule of classes.

Do you have a team or group you'd like to coordinate training for? We can often arrange a discounted price for organizations and associations based on the number you have participating.

Hope to see you in the virtual classroom sometime soon!
I also teach CIPM and CIPP/US classes, so if you are interested in those, let me know!

On the road...

My other son on the farm, circa 2016
One of my favorite things to do is visit with leaders in different industries, from health care and managed systems providers to insurance and energy (and beyond!). Below are a few of the events I have scheduled for the upcoming season.

September 5: Giving keynote, "Understanding the Privacy Impact of Cloud Services & Social Media," at Spotlight on Security Speaker Series hosted by ISSA, ISACA, Women in Security, netskope and Sprint. Event is at the Sprint World Headquarters in Overland Park, Kansas.

September 19-20: Giving keynote and workshop at Data Privacy Asia, Manila, Philippines.

October 10-11: Giving keynote at SecureWorld Dallas in Texas. 

November 7-8: Giving keynote at SecureWorld Seattle in Washington. 

On the air... 

I'm so excited to be hosting the radio show Data Security & Privacy with The Privacy Professor on the VoiceAmerica Business network. All episodes are available for on-demand listening on the VoiceAmerica site, as well as iTunes, Mobile Play, Stitcher, TuneIn, CastBox, Player.fm and similar apps and sites.

Hear the perspectives of incredible guests as they talk through a wide range of hot topics. We've addressed identity theft, medical cannabis patient privacy, cybercrime prosecutions and evidence, government surveillance, swatting and GDPR, just to name a few. Several episodes provide career advice for cybersecurity, privacy and IT professions.

Please check out some of my recorded episodes, and let me know what you think! I truly do use what I hear from listeners.

SPONSORSHIP OPPORTUNITIES: Are you interested in being a sponsor or advertiser for my show? It's quickly growing with a large number of listeners worldwide. Please get in touch! There are many visual, audio and video possibilities.

In the news... 

CIO Dive

Credit Union Times

Daily Wire

Health Care Info Security

Secure World

Segurança Informática

Techno Chops

Trend Hotspot

CWIowa Live

The morning TV broadcast regularly covers privacy and security tips with their guest, the Privacy Professor! Each is a brief 10-15 minutes and covers topics ranging from insider theft to connected vehicles. Check out this online library to watch recent episodes.

Keep an eye on my YouTube channel, where you can catch up on many of my visits to CWIowa Live. 

Questions? Topics?

Have a topic I should discuss on the  CWIowa Live morning show or on my Voice America radio show? Or, a question I can answer in my next monthly Tips? Let me know!

Recent Recognition

My other grandparents in a corn shucking contest on their farm, circa 1940s.

3 Ways to Show Some Love

The Privacy Professor Tips of the Month is a passion of mine and something I've offered readers all over the world since 2007 (Time really flies!). If you love receiving your copy each month, consider taking a few moments to...

1) Tell a friend! The more readers who subscribe, the more awareness we cultivate.

2) Offer a free-will subscription! There are time and hard dollar costs to producing the Tips each month, and every little bit helps.

3) Share the content. All of the info in this email is sharable (I'd just ask that you follow

This time of year always inspires me to get outside and dig in the dirt. I've always loved working on the farm, in the garden or around the yard. It reminds me of everything "real." The earth never takes more from us than what it needs. Can we say the same?

As you're enjoying the very start of the fall season, be mindful of what others are asking you to disclose. When you can, say no if you feel it's too intrusive. And never be afraid to ask why. 

Have a terrific September!

Rebecca Herold, The Privacy Professor

Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:

Source: Rebecca Herold. August 2018 Privacy Professor Tips. www.privacyprofessor.com.

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Info

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through PrivacyGuidance.com
2) making a request directly to Rebecca Herold; or 
3) connecting with Rebecca Herold on LinkedIn

When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message stating that in the spirit of networking and in support of the encouraged communications by LinkedIn, she will send those asking for LinkedIn connections her Tips message monthly. If they do not want to receive the Tips message, LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com. 

The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564
