Cause for Celebration
In my neck of the woods, people are putting the finishing touches on their Independence Day plans. Some will be traveling to be with family, others staying at home and hosting a BBQ for friends. We're celebrating, in the U.S., the individual freedoms we've come to love even more in recent years.
Indeed the U.S. is strong. But with great strength comes great responsibility.
As we join leaders in other great nations in the pursuit of happiness for our citizens, data and personal privacy must be a priority on the agenda. Recent headline- and scandal-making news has once again shined a light on the importance of protecting personal and other sensitive information, whether you're the NSA, a hospital, a bank, a retailer... or just an average citizen.
In this monthly tips message, we'll take a look at several of the threats to our personal privacy and freedoms, each of which is caused by overzealous collectors (and sharers) of information.
|
Have You Hired a Leak?
It's hard to go an hour without hearing the name Edward Snowden. Either an accused leaker or heralded whistleblower (depending on who's talking), one thing is for sure about Snowden. He's inspired many employers to take a second look at their employment practices.
Background checks that are reasonable for the type of work that will be done and common-sense practices are two successful hiring strategies, but what else does your company have in place to be sure only trustworthy individuals are given access to your most confidential information? How tightly written and understood are your confidentiality agreements? How motivated is your staff to live up to the terms of these agreements?
And importantly, what policies have been written and communicated to employees about the proper procedures for reporting actions that they believe to go against those policies or to be immoral, unethical or criminal? Sometimes all it takes to satisfy a disgruntled employee is a friendly ear and trust that something will be done to correct the perceived mistakes or misdeeds of the company.
If not for the protection of your own company, consider beefing up your company's employment practices to protect your customers, patients and employees. (Of course, you'll want to do so in accordance with privacy protections.) After all, criminal employees aren't always going after your data; they may be after the identities of your most valued clients.
|
Did You Know?
Here's a quick round-up of some of the technologies and products collecting your information.
|
Scams to Watch For
Everything old is new again. That adage definitely applies in the world of scam artists. Here's a quick-hit review of some traditional scams finding new life in the digital age.
Scammers and other criminals can be stopped. Watching how and what you disclose can cut a criminal off at the knees. As I explained recently to the LA Times: "Whenever you have all these bits and bytes floating about, it's very easy for others to get ahold of it. It's become very easy for a lot of people to access each other's data."
|
Privacy at Risk in Your Own Home
Celebrities, politicians and the famous-for-nothings are used to people taking their pictures for money. But what about average citizens? Not accustomed to having their images captured and then repurposed as art without their permission, a group of New York City apartment dwellers were understandably upset when they learned that was exactly what a local photographer was doing to them.
According to ABC News:
Shot from a second-floor apartment across the street from the luxury residence, the photographs show neighbors living their lives in their apartments.
What does "the artist" have to say about it?
For my subjects there is no question of privacy; they are performing behind a transparent scrim on a stage of their own creation with the curtain raised high. The Neighbors don't know they are being photographed; I carefully shoot from the shadows of my home into theirs.
Artist or Peeping Tom? Where do you stand on the question? Now before you answer, put yourself (or your kids) on the wall of that gallery.
It's just one more reminder that an open window - even open curtains - can invite a whole slew of intrusions, from the physical to photogenic. Consider who may be lurking on the other side of your window before leaving those blinds cracked for too long.
People are peering into our private properties more than ever (through cameras, smartphones, Google streetview trucks, drones, etc.). We all need to re-evaluate what people can see of our personal property and activities, not only from the street, but from the skies.
|
New Targets for Hackers
Criminal hackers can generally be divided into two groups - thieves and showboats. They breach secure systems either to steal or simply to demonstrate that it can be done. A few recent hacking incidents indicate the showboat sect may be picking up steam.
Smartphone used to hack into a plane cockpit
The power and rapid evolution of technology is exposed by a security researcher armed with an Android.
"By using a Samsung Galaxy handset, Teso demonstrated how to use ACARS to redirect an aircraft's navigation systems to different map coordinates. He was able to insert code into a virtual aircraft's Flight Management System, and by passing the code between the aircraft's computer unit and the pilot's display, Teso was able to take total control of what the aircrew would see in the cockpit."
Scientist's voice hijacked during high-profile presentation
Hackers accessed the computer synthesizer controlling Stephen Hawking's voice during a public speech he was making to a large audience, overriding his control and forcing him to make statements against his will.
"It wasn't until hours later when the Syrian Electronic Army - a group of hackers working in support of Bashar al-Assad - claimed responsibility for the attack, breaking into Stephen Hawking's voicebox one last time to announce 'the Syrian Electronic Army was here' just as the scientist was leaving the stage."
|
Your Tattoo Password
It's no secret that passwords are increasingly vulnerable to thieves and other criminals. So it's easy to see why new methods for authentication are generating a fair amount of buzz - from fingerprints and retina scans to tattoos and pills. Yes, pills. Sound like science fiction? It's eerily close to reality, reports WeLiveSecurity:
"I take a vitamin every day, why can't I take a vitamin authentication every day?" asked [Regina] Dugan, [who leads special projects for Motorola.] "Your entire body becomes an authentication token. It becomes your first superpower. When I touch my phone, my computer, my door, my car I am authenticated."
While biometrics have many advantages (no password to forget or access card to lose), there are still many things that can go wrong with biometrics and physical alterations for authentication, not the least of which is the increase in kidnapping risk for certain types of professions, or in certain geographic locations. Or worse. Without getting too gruesome, imagine the only thing standing between a criminal and the building he wants to get inside is your arm. How might he solve his problem?
Not to mention that, for individuals who feel compelled or forced to get a tattoo like this, it could very well be a privacy invasion of the person/body.
|
Reader Question
Hi Rebecca,
I received a postcard from a neighbor announcing use of nextdoor.com for neighborhood news, community events, etc. He said, "It's free and less intrusive than Facebook." We don't use any social networks. Do you know anything about nextdoor.com? Thanks.
Thanks for the question! I had not heard of this social network, but have since done a little digging. Here's what I found out (but I'd like to hear what others think):
The intent seems great - a virtual online neighborhood watch. So the idea is that only those in your neighborhood that you personally know will be able to see your information, know about where you live and what you are doing.
Second, they have a fairly good, transparent posted privacy policy. However, their "Contractors/Service Providers" section is vague, and indicates that third parties, in addition to their parent company, will have access to the data you share. How many and who are they?
They also use various privacy-invasive technologies, such as cookies and web bugs (though most sites do), and they log your use of the site (again like most sites). However, given the details that could be provided on such a site, and the fact that the site shares its data (including this metadata) with potentially many unknown others, this creates a significant concern.
Another troubling aspect of their privacy policy is this statement: "Subject to any mandatory obligations to delete data, we may choose to retain information in our server logs, our databases and our records indefinitely." So, it doesn't look like there's any way you can remove your data; tough cookies!
Here is an article discussing other privacy concerns with nextdoor.com:
"Nextdoor Social Network For Neighborhoods Has One Problem"
While I really like the concept of nextdoor.com, and the potential to help build safer neighborhoods, I don't like what appear to be insufficient privacy practices and the site's sharing of personal data with unknown others.
It's too bad they didn't address privacy issues right from the start by implementing Privacy by Design.
(If anyone from nextdoor.com is reading this, certainly get in touch. I'd love the opportunity to help beef up your privacy!)
You are right to be suspicious of any online site that promises to collect and share your information, even if it claims to be secure. Like I always say, anything you put on the Internet becomes immediately vulnerable. Think twice before you post.
Got a question? Feel free to send it, and I may answer it in next month's Privacy Tips!
You Have My Permission to Share
I receive a lot of requests to repurpose the information contained in these Tips messages, so I wanted to drop a quick note in here to say, "Yes, I approve!" Please use the following attribution so that others will know where to find me if they have additional questions about the material you pass along.
|
Summer's in full swing, and we are loving it. Please be safe this year as you celebrate the Fourth of July and other holidays and special moments. But don't forget to have a "blast!"
Talk with you in August!
Rebecca
Rebecca Herold, CISSP, CIPM, CIPP/US/IT, CISM, CISA, FLMI
The Privacy Professor® Rebecca Herold & Associates, LLC Mobile: 515.491.1564, Business: 515.996.2199