I’m very pleased that the HuffingtonPost published a blog of mine today.  I wrote about the efforts being undertaken by librarians and the American Library Association to address key issues at the intersection of privacy and technology.

The blog can be found at the following site: http://www.huffingtonpost.com/debra-n-diener/privacy-protectors-crucia_b_8065270.html.

Feedback and comments are most welcome!

Those of you who use Spotify will want to make sure you read and understand its Privacy Policy.  As Paul Ducklin reports, Spotify has had to explain what it really was going to be doing with users’ information (nakedsecurity.sophos.com; “Spotify explains its new “give us your data” policy”; August 24).

As Mr. Ducklin writes, there was understandable concern about Spotify’s original Privacy Policy.  As written, Spotify’s policy seemed to say it would start collecting information from and about users that it hadn’t collected previously.  The policy also implied Spotify would do so without having to ask users’ permission first.

Spotify’s executive issued a fast “no, that’s not what we will be doing” message as soon as the confusion and concerns were raised.  In their message, included in Mr. Ducklin’s article, Spotify clarifies their Privacy Policy.  Yes, they reserve the right to gather information they hadn’t gathered before (e.g., photos, mobile device location) but would not do so without having asked for, and gotten, users’ express permission before accessing any of this data.

That’s a welcome clarification.  As Mr. Ducklin notes in his article, it is just another reminder that individuals need to be on the alert for updates and changes to a company’s Privacy Policy.

I’ve written before about Facebook’s privacy settings, new features that have been added, and the need for Facebook users to stay current with those changes.  I want to share a very helpful article by Gordon Gottsegen in Wired about this very topic.  His article is titled “Here’s How To Use Facebook’s Mystifying Privacy Settings.” (www.wired.com; August 11th).

In his article, Mr. Gottsegen urges users to keep current with the regularly updated Facebook data policy.  He cites the Facebook “Privacy Basics” as an excellent feature to help users understand and better use their privacy settings.  Next, he provides a great explanation of the most important privacy settings; tips for the best way to use them; and screenshots for each setting.

He groups the settings under the following three headings: “Decide Which Facebook Friends See What”; “Use Friend List”; and “Manage Applications and Outside Data”.  His explanations are informative and well written, so his suggestions are very user-friendly.

I encourage Facebook users to read Mr. Gottsegen’s article.  He’s provided a great resource so Facebook users can adjust their privacy settings to their respective comfort levels.

I’ve written before about the Internet of Things (IoT) and some of the privacy and security issues that IoT raises.  Yes, there are some very helpful benefits from having so many of our devices interconnected.

Yet there are security and privacy concerns that individuals need to keep in mind.  The number of devices someone chooses to have connected will depend on her comfort level.  Do you want your thermostat letting the power company know your daily routine, e.g., the daily times of your shower and your departure from home?  Other issues are nicely outlined in an article by Omri Toppol that Graham Cluley links to in his newsletter (newsletter@grahamcluley.com; “What is the Internet of Things, and Why Should We Care about Its Security”; August 3rd).

The article by Omri provides several chilling examples of the dangers inherent in the IoT.  One example in the article is the 2010 hacking in Austin, Texas, in which over 100 cars were remotely disabled.  The hacker or hackers disabled the cars by hacking into an online vehicle immobilization service.

I encourage people to read this article, if for no other reason than to learn more about the IoT — what’s already happening, what could happen in the not too distant future — and then to decide a personal comfort level.

The New York Times has a quick online interactive quiz so individuals can see how much, and which types, of their personal information has been hacked (“How Many Times Has Your Personal Information Been Exposed to Hackers?” by Josh Keller, K.K. Rebecca Lai and Nicole Perlroth; July 29th; http://nyti.ms/1LX2WaB).

The authors clearly state certain caveats including:

  1. They’ve included many, but not all, of the most recent major hacks (e.g., OPM, Neiman Marcus, health insurers);
  2. There are likely hacking attacks that are still undiscovered; and
  3. The resulting score should be seen as a minimum, not maximum, given the above caveats.

I took the quiz and wasn’t surprised to find that my personal information has been exposed and potentially stolen.  What parts of personal identity are listed in the quiz?  There are the obvious parts such as address, birthday, credit or debit card, and SSN.  Less obvious, but also included, are employment history, fingerprints, password and medical information.  I’m angry about the parts of my identity that were exposed while relieved about the parts that have not yet been hacked.

The authors also provide very useful concrete information about the steps individuals can take once they discover that some of their personal information has been hacked.  Taking the quiz might seem scary, but not knowing, and then not taking proactive steps, will be even worse.

The magnitude of the OPM hacking just keeps growing — the original estimate of 4+ million records has now been upped to over 20 million records.  Could this breach get even worse?  Let’s hope not, but there is one potential future issue that could do so.  It’s a thorny issue that the OPM officials who contracted with CSID for its security services might not have even contemplated.

Here’s the issue.  It’s become fairly standard for a company’s Privacy Policy to include a statement about the sale of some or all of its assets in the case of a merger, acquisition or any type of sale to a third party.

Unfortunately for consumers, their personal information is considered an asset which the company might disclose or sell or transfer to the third party buyer in such an event. The CSID Privacy Policy contains just this type of provision in the section titled “Do We Disclose or Share Your Information?”  CSID says it won’t sell or share personal information with third parties for promotional or marketing purposes.

However, it clearly says that personal information held by CSID “…will be among the assets transferred to the buyer [.]” “… in the event of a merger, acquisition or any form of sale of some or all our assets ….” I doubt anyone at OPM thought to get this clause modified in their contract with CSID.

It would be terrible if, under some future scenario, CSID were able to transfer the personal information of millions and millions of individuals whose information CSID is supposed to be protecting as a result of the OPM hacking.

I presented a privacy overview class on July 9th as part of the Lifetime Learning Institute.  The participants were very engaged and had many good suggestions of ways they’ve worked to limit the amount of personal information that is shared about them.  One of the participants mentioned Nomorobo.com.  I hadn’t heard of this free service so looked it up.  It was one of the three projects that won the Federal Trade Commission’s (FTC) Robocall Challenge back in 2013.  It sounds like a great way to prevent robocalls from slipping through the FTC’s “Do Not Call” registry.

How does it work?  It uses the “simultaneous ringing” feature that’s available through most phone carriers.  In a nutshell, the Nomorobo technology spots robocalls, blocks the calls and then automatically hangs up on them.

There is only one necessary prerequisite for using this free service.  Individuals have to have a voice-over-IP type of phone service.  Nomorobo doesn’t work on traditional analog landlines or wireless phones.  The website lists the services on which Nomorobo is offered; these include Verizon FiOS, Time Warner Cable, Comcast Xfinity, and Vonage, among others.  It’s certainly a service worth exploring so individuals can see if their phone service has the “simultaneous ringing” feature so that Nomorobo can be used.

The 4+ million current and former federal employees whose OPM personal data has been hacked are just the latest group to be worrying about identity theft.  So a recent article by Brian Krebs could not be more timely.  Mr. Krebs has written a terrific piece on the various options that individuals can take to try to prevent themselves from becoming identity theft victims.  While there are no guarantees about any option being foolproof, his recommendations are ones to learn about and then decide whether to use (www.krebsonsecurity.com; “How I Learned to Stop Worrying and Embrace the Security Freeze”; June 8th).

One of his key points is the difference between putting a “fraud alert” or a “security freeze” on credit reports.  A “security freeze” is the stronger tool, since “freezing” a credit report means it can’t be viewed or pulled by potential creditors without the individual giving specific consent.  Is it free to do so?  That depends on two key factors: has the individual been an identity theft victim, and what are the requirements of the State in which the individual lives?  Some States require a $10.00 or more fee if the individual hasn’t been an identity theft victim.

A link to a list of the States with their respective requirements can be found in Mr. Krebs’ article.  Additionally, that requirement will pop up when filling out a “freeze” form online with Equifax, Experian and TransUnion.  Once an individual does so, the fee amount for the State in which the individual resides will come up.  These requests can also be made in writing, and those details can be found on the websites of the three credit agencies just mentioned.

It would be great if these “freezes” could be done for free before becoming an identity theft victim.  Is it worth the money to do so before that reality?  My answer is “yes” but everyone has to decide for himself.

Over the last few days, there have been numerous media sources reporting the major security flaw and security risks in Samsung mobile devices.  I urge anyone who has a Samsung mobile device to keep posted on this matter.  I read the NowSecure blog on this issue and they have a list as of June 16th of impacted devices by carrier with the status of their security patch (www.nowsecure.com; go to the “How to Detect It” subheading in the blog titled “Samsung Keyboard Security Risk Disclosed: Over 600M+ Devices Worldwide Impacted”).

In a nutshell: NowSecure, a security research firm, has found a security flaw in the Samsung keyboard that could impact over 600 million Samsung mobile devices.  One report, by Graham Cluley, describes the flaw as including Samsung’s latest device, the Galaxy S6 iPhone (www.hotforsecurity.com; “Samsung Galaxy phones at risk from massive security flaw”; June 17).  As Mr. Cluley and others have warned, the flaw could allow hackers to gain access remotely to a Samsung device and allow the hackers to spy through the camera or the microphone, to track the Samsung user’s physical location via GPS, to install malicious applications, to steal information or even to listen in on the user’s messages and voice calls — all without the user’s knowledge.

Samsung is reporting that it believes it has a possible patch for the problem and that the patch has been deployed to carriers.  However, per Mr. Cluley, it is difficult for mobile device users to know whether their carrier has patched the problem.  Again, another reason to check the NowSecure website for updates.

LastPass is a cloud-based password security site so reports that it was breached are particularly troubling.  The breach happened on Friday, June 12th but LastPass only sent alerts to account users on Monday, June 15th.  And from what Steven J. Vaughan-Nichols reported, not all LastPass account owners have received email notifications (zdnet.online.com; “Password site LastPass warns of data breach”; June 15).

In his article, Mr. Vaughan-Nichols quotes from the June 15th blog post by Joe Siegrist, the CEO of LastPass.  I read Mr. Siegrist’s blog post and urge all LastPass account users to read it (blog.lastpass.com; June 15).  Mr. Vaughan-Nichols quotes from Mr. Siegrist’s blog, in which he asserts that LastPass has no evidence that “encrypted user vault data was taken, nor that LastPass user accounts were accessed.”  LastPass is, per Mr. Siegrist’s blog, requiring all account users to update their master password.  They are not requiring or telling users to change their site passwords because encrypted data wasn’t taken.

However, as Mr. Vaughan-Nichols reported, the LastPass servers are overloaded by account users trying to make the needed changes.

Let’s hope that the “good news” reported by Mr. Siegrist holds true.
