Ringing in a New Year of Privacy  



January 1 represents a fresh start for many people. It's a chance to try something new, to revisit something from the past or to explore a new way of living. Twenty-seven days later, January 28, marks another important date on the calendar: Data Privacy Day. And it's the perfect time to reinvigorate our commitment to data security and privacy. On this day, companies, organizations and even some individuals will take part in activities, launch initiatives and give recognition to the importance of protecting sensitive information. 


How will you celebrate?


Over the past several years, I've worked with the Iowa Governor's Office to be sure our state recognizes January 28 as Data Privacy Day. Over the holidays, I received the official Iowa state proclamation in the mail. Receiving that reminder of our state's awareness and recognition of this important day was a wonderful Christmas gift for me!


I will be helping EDUCAUSE celebrate the importance of privacy throughout the entire month of January by kicking it off with a free webinar, "Are You Smarter Than Your Phone?" on January 9. I'll be providing tips for protecting privacy when using these convenient little devices. Do you have any questions you'd like for me to answer during the webinar? Drop me a line and let me know!  


Of the many things I'm looking forward to in 2013, continuing to connect with you all through this monthly Tips message is at the top of my list. Read on for a few of the data and privacy notables on my mind this month... 

Is Your Digital Camera Spying on You?    


Most new-model digital cameras, including those in smartphones, embed what is called EXIF (Exchangeable Image File) data into image files. This data contains information like shutter speed, focal length and whether a flash was used. But it also lets a viewer see the date and time a photo was taken, and some cameras even record and embed GPS coordinates so viewers can learn exactly where the photo was taken.
Most recently, EXIF data helped apprehend a "person of interest" whose photo was taken while attempting to remain hidden. GPS data embedded in the photo ultimately helped law enforcement catch up with him.
Getting at this data is fairly simple... just Google it and you can find all kinds of helpful tips on how to view EXIF data. Fortunately, there are also great online resources for how to remove this information from your image files using your camera's settings.
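To check your own photos before sharing them, here is an added example (not part of the original Tips message) that reads a JPEG's segment headers, reports whether its EXIF block points at GPS data, and returns a copy with the EXIF block removed. The sample bytes and all function names are constructed for illustration.

```python
import struct

EXIF_MAGIC = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-directory

def segments(jpeg):
    """Yield (marker, start, end) for each segment ahead of the pixel data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # start of scan: compressed pixels follow
            return
        length = int.from_bytes(jpeg[pos + 2:pos + 4], "big")
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError("truncated or malformed segment")
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def has_gps(jpeg):
    """True if an Exif block's first directory (IFD0) points at GPS data."""
    for marker, start, end in segments(jpeg):
        body = jpeg[start + 4:end]
        order = {b"II": "little", b"MM": "big"}.get(body[6:8])
        if marker != 0xE1 or not body.startswith(EXIF_MAGIC) or order is None:
            continue
        tiff = body[6:]  # TIFF header; all offsets below are relative to it
        ifd0 = int.from_bytes(tiff[4:8], order)
        count = int.from_bytes(tiff[ifd0:ifd0 + 2], order)
        for i in range(count):  # 12-byte entries, tag id in the first two bytes
            entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
            if len(entry) == 12 and int.from_bytes(entry[:2], order) == GPS_IFD_TAG:
                return True
    return False

def strip_exif(jpeg):
    """Return the JPEG with every Exif APP1 segment cut out."""
    out, keep_from = bytearray(jpeg[:2]), 2
    for marker, start, end in segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:end].startswith(EXIF_MAGIC):
            out += jpeg[keep_from:start]
            keep_from = end
    return bytes(out + jpeg[keep_from:])

# Constructed sample: SOI, Exif APP1 with one GPS pointer, stub table, SOS, EOI.
_tiff = b"II*\x00" + struct.pack("<IHHHIII", 8, 1, GPS_IFD_TAG, 4, 1, 26, 0) + bytes(6)
_app1 = b"\xff\xe1" + struct.pack(">H", 8 + len(_tiff)) + EXIF_MAGIC + _tiff
SAMPLE = b"\xff\xd8" + _app1 + b"\xff\xdb\x00\x04\x00\x00\xff\xda\x00\x02\x00\xff\xd9"
```

Stripping the whole EXIF block also removes the timestamp and camera details, not just the location.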

Careful with your Instagrams


Boy did Instagram ever find itself in hot water just before the holidays! When the popular photo sharing social network updated its policies on sharing users' images, the backlash was immediate. 
For any Tips readers using Instagram (which is now owned by Facebook), please be aware of the upcoming changes, taking effect January 16. You will not be able to opt out. Be sure to read the new Terms of Use; if you don't like them, you may want to delete all your Instagram accounts and content before Jan 16.
In response to the severe negative reaction, Instagram has apologized, saying the misunderstanding is due to what it calls "confusing" language in the Terms of Use statement. They have promised to revise it and said "it is not our intention to sell your photos." 
Yet it remains unclear exactly how much access will be given to user content... and to whom. Stay tuned, as I will be watching the new Terms of Use language closely and will plan to report on it here in the Tips message.  


More Privacy Changes from Facebook


In November, Facebook made changes, including several improvements, to its privacy policies. At the same time, those changes allowed everyone who has a Facebook account to become searchable. Whereas users were once able to block certain people from finding them on the social network, that functionality has now been removed.


This has implications for victims of stalkers, violent exes, or really anyone others are trying to track down. By finding a person in a search, there are ways to then get more information about them through unsecured or unblocked information posted on their Facebook friends' timelines.


The recent changes had some unintended consequences that ultimately resulted in a private photo of none other than Mark Zuckerberg going viral. This is a good example of why you should expect that ANYTHING you post online could be seen by the world, even if you think you have privacy settings set correctly.


You can still block certain users from seeing some of your content. However, you will be findable as a Facebook user. Be aware of this, particularly if you have certain people interested in locating you, learning of your connections, your whereabouts or your appearance.   



Protecting Your Personal Info Online

If you want a good litmus test for how much of your personal information is available on the Internet, try Spokeo.com. The site even compiles personal information on children. Spooky.


Thankfully, you can easily opt out of Spokeo. This won't remove all of your information from the Internet, obviously. But it will make it less simple for someone to find your information all in one place. Hayley Kaplan put together a great step-by-step process on her "What is Privacy?" blog to make it even easier.


This is one example of a great way your company or organization can contribute to the greater privacy good. If you have tips or tricks on how to opt out of your own or another entity's data-collection processes, publish them and make them easy for your customer or client community to find and follow.

How to Catch a Phish

Thanks to Tips reader J.P. for this helpful hint on spotting a phishing-scam email before it's too late:


You can detect a fake email very quickly simply by focusing on the "From" field in your email header. Most malicious e-mails say they are from a legitimate company, but the address in the "From" field does not match that in the signature.


If you are unsure of the sender's legitimacy, you can also use free tools on the Internet to verify any email address quickly. Be aware, however, that some of these phishing artists are very adept at masking their identities.  
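The "From" versus signature comparison can be automated for a mailbox you are triaging. The following is an added example, not part of the original Tips message: it pulls the domain out of the "From" header and lists any domains in the body's addresses and links that are unrelated to it. The messages and domains are constructed, and the function names are illustrative.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains that appear in e-mail addresses or http(s) links in the body text.
DOMAIN_RE = re.compile(r"(?:@|https?://)([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

def related(a, b):
    """Same domain, or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def from_mismatch(raw):
    """Return (from_domain, body domains unrelated to it) for a raw message."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    text = ""
    for part in msg.walk():  # covers single-part and multipart messages
        if part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            text += data.decode(part.get_content_charset() or "utf-8", "replace")
    found = {d.lower() for d in DOMAIN_RE.findall(text)}
    # An empty list is not proof of legitimacy: the From header can be forged.
    return from_domain, sorted(d for d in found if not related(d, from_domain))

# Constructed samples: the same signature sent from two different addresses.
BODY = ("Your account is locked. Reply to confirm your details.\n\n--\n"
        "Example Bank Customer Care\nsupport@examplebank.example\n"
        "https://www.examplebank.example/help\n")
PHISH = ('From: "Example Bank" <alerts@accounts-verify.example.org>\n'
         "Subject: Action required\n\n" + BODY)
LEGIT = ("From: Example Bank <support@examplebank.example>\n"
         "Subject: Statement ready\n\n" + BODY)

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, from_mismatch(raw))
```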



Skim-at-the-Pump Scams Blow Up
The pay-at-the-pump skimming scam we discussed in a recent Tips message is continuing to expand.

One southern California detective in charge of arresting two skimming criminals told the news media that these scammers are "all over the place."  


This year, commit to being more diligent as you use gas-pump payment systems. Follow the tips suggested by Andy O'Donnell at NetSecurity.About.com. Among them are:

  1. Know what skimming devices often look like.
  2. Compare your gas pump to the one next to it. Do they look the same?
  3. Follow your gut and move to another station if something feels "off."
  4. If you can, use your debit/credit card's credit option to avoid using a PIN that might be recorded by a nearby camera.

My family and I try to visit manned gas stations as often as possible. We have a superstore near our home that employs attendants who are always outside monitoring the gas pumps. Criminals often take the path of least resistance, so while it's not fool-proof, having employees around the pumps at all times minimizes the chances of a skimmer successfully installing his device. 


It's a Bird... It's a Plane... No, It's a Drone!
Throughout the world, there is an increasing use of drones to perform a wide variety of surveillance tasks. The unmanned aerial vehicles are probably best known for military airstrikes. But today they are being used more for domestic surveillance activities, such as monitoring traffic, police work, crop dusting and environmental observation. Many of these drones are indistinguishable from a bird or insect when they are flying through the air, and some drones are built to look like birds and insects to fool those who may see them above.
Such surreptitious surveillance activities are sparking significant privacy concerns. I recently provided some of my thoughts about the emerging and increasing uses of drones to the online version of CSO Magazine.

Term of the month




Geotagging, in general, means geographical identification has been added to various media you may have created, such as geotagged photographs, videos, websites, SMS messages, QR Codes, or RSS feeds, just to name a few.


Look at a recent Facebook post you made. Was your location included with it, such as shown in this example? 



That is one type of geotagging. 


Simply by posting a photo of a meal you have just been served or the great trick your kid performed on the playground, you are potentially broadcasting your whereabouts. This can be very dangerous, so consider disabling your smartphone's and/or mobile device's GPS embedding feature. 


Upcoming Trips

Are you looking for information on security and/or privacy training or certification? If so, consider joining me at the following events!

January 30: IAPP CIPP Foundation course at the Microsoft Bellevue, WA, campus (open to public registration) 

January 31:  IAPP CIPP/IT Foundation course at the Microsoft Bellevue, WA, campus (open to public registration) 
March 5: IAPP CIPP Foundation course (just before the Global Privacy Summit) in Washington, DC 
March 6: IAPP CIPP/US course (just before the Global Privacy Summit) in Washington, DC
May 13: Secure 360 Pre-Conference class, "Vendor Information Security and Privacy Management" in St. Paul, MN

We're at the dawn of another great year, undoubtedly to be filled with plenty of technological and social advancements. As you navigate 2013, be mindful of the ways your information is being shared and the ways you may be inadvertently sharing the personal information of others within your own community.


Wishing you a healthy, happy and safe 2013.


 Happy New Year! 


Rebecca Herold, CISSP, CIPP
The Privacy Professor®
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564, Business: 515.996.2199