Congressman Gerry Connolly announced in a recent congressional hearing that he was among the millions of current and former federal employees whose personal data was stolen when the OPM systems were hacked.  Moreover, as Jack Moore reports, Congressman Connolly stated he’s learned that within the last several days thieves tried opening new credit cards in his name using his stolen personal information (; “Congressman: OPM Hack Data Being Used to Attempt Identity Theft”; October 6).

How did the Congressman learn about this attempted identity theft?  He said that he was contacted by one bank after thieves tried to open a credit card in his name.  Mr. Moore wrote that OPM, the FBI and the intelligence community each said there hasn’t been any evidence of the stolen OPM data being fraudulently misused.

However, Congressman Connolly disagrees based on his own experience.  After hearing from that bank, he contacted one of the identity protection companies OPM has hired to help track misuse of the stolen data.  That company told the Congressman about two further attempts at other banks, with the three banks scattered around the country.

The Congressman’s experience is chilling news for the millions of federal employees impacted by the OPM hacks.

The FBI has posted an excellent Public Service Announcement (PSA) about the risks of cyber crime in the ever expanding world of the Internet of Things (IoT).  The PSA is titled “Internet of Things Poses Opportunities for Cyber Crime”; it’s Alert Number I-091015-PSA and can be found on the FBI’s Internet Crime Complaint Center (IC3) website (

Very briefly, the PSA provides:

  • a very good explanation of the kinds of devices that are encompassed in the IoT;
  • a discussion of the types of IoT risks that exist;
  • examples of the kinds of IoT risks and incidents that consumers might experience; and
  • nine separate recommendations about ways in which consumers can protect and defend themselves against such cyber crimes.

The PSA is a handy guidance sheet to have.  I recommend that consumers read it and follow the practical recommendations it provides.

Here’s yet one more example of the “if it seems too good to be true, it is” type of scam.  Graham Cluley recently wrote about this scam that’s been appearing on a bogus Facebook page (; “No, British Airways isn’t giving away free flights for a year.  It’s a Facebook scam.”; September 8th).  Hopefully it will be removed soon by Facebook security staff.

This is an especially appealing scam right after Labor Day.  People are going back to work and might already be thinking about when they can next take a vacation.  This scam plays right into those feelings.  Mr. Cluley posted a screenshot of the fake Facebook page — it looks very realistic.

How to get the year of free flights?  Mr. Cluley notes that the bogus page says people can do so by sharing a photo of themselves.  As Mr. Cluley wisely advises, don’t do it!  He cautions that doing so could result in unwanted spam messages or “…dodgy links that could lead to a malware infection or your account being phished.”

So avoid this scam or any variations of it on Facebook or elsewhere.

I’m very pleased that The Huffington Post published a blog post of mine today.  I wrote about the efforts being undertaken by librarians and the American Library Association to address key issues at the intersection of privacy and technology.

The blog post can be found at the following site:

Feedback and comments are most welcome!

Those of you who use Spotify will want to make sure you read and understand its Privacy Policy.  As Paul Ducklin reports, Spotify has had to explain what it really was going to be doing with users’ information (; “Spotify explains its new “give us your data” policy”; August 24).

As Mr. Ducklin writes, there was understandable concern about Spotify’s original Privacy Policy.  As written, the policy seemed to say Spotify would start collecting information from and about users that it hadn’t collected previously.  The policy also implied Spotify would do so without asking users’ permission first.

Spotify’s executives issued a fast “no, that’s not what we will be doing” message as soon as the confusion and concerns were raised.  In that message, included in Mr. Ducklin’s article, Spotify clarifies its Privacy Policy: yes, it reserves the right to gather information it hadn’t gathered before (e.g., photos, mobile device location), but it would not do so without first asking for, and getting, users’ express permission to access any of that data.

That’s a welcome clarification.  As Mr. Ducklin notes in his article, it’s just another reminder that individuals need to stay alert for updates and changes to a company’s Privacy Policy.

I’ve written before about Facebook’s privacy settings, new features that have been added, and the need for Facebook users to stay current with those changes.  I want to share a very helpful article by Gordon Gottsegen in Wired about this very topic.  His article is titled “Here’s How To Use Facebook’s Mystifying Privacy Settings.” (; August 11th).

In his article, Mr. Gottsegen urges users to keep current with Facebook’s regularly updated data policy.  He cites Facebook’s “Privacy Basics” as an excellent feature to help users understand and better use their privacy settings.  He then explains the most important privacy settings, gives tips on the best way to use them, and provides a screenshot of each setting.

He groups the settings under the following three headings: “Decide Which Facebook Friends See What”; “Use Friend List”; and “Manage Applications and Outside Data”.  His explanations are informative and well written, so his suggestions are easy to follow.

I encourage Facebook users to read Mr. Gottsegen’s article.  He’s provided a great resource so Facebook users can adjust their privacy settings to their respective comfort levels.

I’ve written before about the Internet of Things (IoT) and some of the privacy and security issues that IoT raises.  Yes, there are some very helpful benefits from having so many of our devices inter-connected.

Yet there are security and privacy concerns that individuals need to keep in mind.  The number of devices someone chooses to have connected will depend on her comfort level.  Do you want your thermostat letting the power company know your daily routine, e.g., the daily times of your shower and your departure from home?  Other issues are nicely outlined in an article by Omri Toppol that Graham Cluley links to in his newsletter (; “What is the Internet of Things, and Why Should We Care about Its Security”; August 3rd).

Mr. Toppol’s article provides several chilling examples of the dangers inherent in the IoT.  One example is the 2010 incident in Austin, Texas, in which more than 100 cars were remotely disabled.  The hacker or hackers did it by breaking into an online vehicle immobilization service, the kind of system a car dealer uses to disable a vehicle remotely when a buyer falls behind on payments.  The lesson is that a compromised account on a remote management service puts every device enrolled in that service at risk, not just one.

I encourage people to read this article if for no other reason than to learn more about the IoT: what’s already happening, what could happen in the not too distant future, and how to decide on a personal comfort level.

The New York Times has a quick online interactive quiz so individuals can see how much, and which types, of their personal information has been hacked (“How Many Times Has Your Personal Information Been Exposed to Hackers?” by Josh Keller, K.K. Rebecca Lai and Nicole Perlroth; July 29th;

The authors clearly state certain caveats including:

  1. They’ve included many, but not all, of the most recent major hacks (e.g., OPM, Neiman Marcus, health insurers);
  2. There are likely hacking attacks that are still undiscovered; and
  3. The resulting score should be seen as a minimum, not maximum, given the above caveats.

I took the quiz and wasn’t surprised to find that my personal information has been exposed and potentially stolen.  What parts of personal identity are listed in the quiz?  There are the obvious parts such as address, birthday, credit or debit card, and SSN.  Less obvious, but also included, are employment history, fingerprints, passwords and medical information.  I’m angry about the parts of my identity that were exposed while relieved about the parts that have not yet been hacked.

The authors also provide very useful concrete information about the steps individuals can take once they discover that some of their personal information has been hacked.  Taking the quiz might seem scary, but not knowing, and then not taking proactive steps, will be even worse.

The magnitude of the OPM hacking just keeps growing — the original estimate of 4+ million records has now been upped to over 20 million records.  Could this breach get even worse?  Let’s hope not, but there is one potential future issue that could make it so.  It’s a thorny issue that the OPM officials who contracted with CSID for its security services might not have even contemplated.

Here’s the issue.  It’s become fairly standard for a company’s Privacy Policy to include a statement about the sale of some or all of its assets in the case of a merger, acquisition or any type of sale to a third party.

Unfortunately for consumers, their personal information is considered an asset which the company might disclose or sell or transfer to the third party buyer in such an event. The CSID Privacy Policy contains just this type of provision in the section titled “Do We Disclose or Share Your Information?”  CSID says it won’t sell or share personal information with third parties for promotional or marketing purposes.

However, it clearly says that personal information held by CSID “…will be among the assets transferred to the buyer [.]” “… in the event of a merger, acquisition or any form of sale of some or all our assets ….” I doubt anyone at OPM thought to get this clause modified in their contract with CSID.

It would be terrible if, under some future scenario, CSID were able to transfer to a buyer the personal information of the millions of individuals whose data CSID is supposed to be protecting because of the OPM hacking.

I presented a privacy overview class on July 9th as part of the Lifetime Learning Institute.  The participants were very engaged and had many good suggestions of ways they’ve worked to limit the amount of personal information that is shared about them.

One of the participants mentioned Nomorobo.  I hadn’t heard of this free service so I looked it up.  It was one of the three projects that won the Federal Trade Commission’s (FTC) Robocall Challenge back in 2013.  It sounds like a great way to stop robocalls that slip past the FTC’s “Do Not Call” registry.

How does it work?  It uses the “simultaneous ringing” feature that’s available through most phone carriers: an incoming call rings your phone and Nomorobo’s number at the same time.  In a nutshell, Nomorobo checks the caller against its list of known robocallers; if it spots a robocall, it answers the call and immediately hangs up, so your phone stops after a single ring, while legitimate calls ring through to you as usual.

There is only one necessary prerequisite for using this free service.  Individuals have to have a VoIP (voice over IP) type of phone service; Nomorobo doesn’t work on traditional analog landlines or wireless phones.  The website lists the services on which Nomorobo is offered; these include Verizon FiOS, Time Warner Cable, Comcast Xfinity and Vonage, among others.  It’s certainly a service worth exploring so individuals can see if their phone service has the “simultaneous ringing” feature that Nomorobo requires.

