On September 9th, Timothy D. Cook, Apple’s chief executive, unveiled two new Apple products — products that means Apple could become a collector of consumers’ personal health and financial information.  And that means Apple will need to protect the personal information it holds — and that’s where the privacy concerns arise.

As Brian X. Chen and Steve Lohr reported in the New York Times, these products include a health-montioring smartwatch and Apple Pay; the latter is a new payment service consumers will be able to use to buy items wirelessly on some Apple devices (www.nytimes.com; “With Apple Pay and Smartwatch, a Privacy Challenge”; online September 11th).

The new Apple smart watch will be available sometime in 2015 and it will have health-monitoring capabilities for consumers such as heart rates and other information.  Apple Pay will be available sometime in October.

What are the privacy concerns?  First, consumers using Apple Pay will be providing valuable financial information such as credit and debit card numbers.  As Mr. Chen and Mr. Lohr note, that’s the kind of information that hackers want to get.  With the Apple smart watch, the health information that consumers will enter is not covered by regulations so there are no current controls for the ways in which that information is secured and/or used.  As Mr. Chen and Mr. Lohr wrote, regulators are becoming more interested in the range of health monitoring devices out on the market and are starting to raise issues about the need to protect this type of health information and make sure it stays private.

In announcing these new products, Apple said Apple Pay will not be storing any payment information on Apple devices or servers.  It said it will only be serving as a conduit between merchants and banks.  As far as the new smart watch, Apple has updated its guidance to app developers.  The guidance now states that developers of health apps who are working with HealthKit, the new set of tools for tracking fitness and health statistics, can’t use the personal health data gather for advertising or data-mining purposes — with the exceptions of using it to help manage some individuals health and fitness or for medical research.

Those exceptions are ones that could, however, be read very broadly.  It remains to be seen if Apple really enforces these privacy protections and whether consumers can really count on Apple to provide the kind of protection needed for these types of personal and sensitive information.


Facebook users will want to know about, and use, the latest privacy control that’s just been announced and will start rolling out soon.  This is a blue dinosaur that will pop up on users’ computer screens.   The tool will help users review their current Facebook privacy settings and, if desired, make any updates or changes to those settings.  It is a helpful way for Facebook users to be even more privacy pro-active.

Graham Cluley’s done an article about this latest feature and includes screen shots of the blue dinosaur (newsletter@grahamcluley.com; “Facebook’s privacy dinosaur will check your settings for you”; September 6th).  The screen shots provide users with the option either of using the feature or not; if selected, the review show take only about one to two minutes.

Mr. Cluley urges Facebook users to select the “Let’s Do It!” option since the relatively easy process allows Facebook users to be doubly sure that they are sharing their information with the people with whom they want do.  As he notes, it will be easy for Facebook users to review both the people with whom they’re sharing information as well as any 3rd-party Facebook apps with whom the user is connected.  These reviews will allow Facebook users to confirm and/or refine these settings.

Using the new blue dinosaur is a way for Facebook users to augment their privacy.  But, as Mr. Cluley notes, Facebook users shouldn’t use the “Privacy Checkup” instead of, or as a substitute for, routinely doing their own checks and reviews of their Facebook privacy settings.

There’s been wide spread coverage over the past few days of the photos that have been hacked and posted online of actresses and other famous women.  These individuals used the cloud to store what they thought would remain private photos.  What they learned was that their presumption was sadly wrong.

They are not alone either in storing photos in the cloud or thinking that the photos would be safe there.  Many people area using the cloud for storing all sorts of personal information, much, if not all, of which they’d like to think will be kept private and protected.

As Arik Hesseldahl reports in his recent article, Apple is investigating how the iCloud accounts of these celebrities were hacked (recode.net; “Apple Says It Is “Actively Investigating” Celeb Photo Hack”; September 1).  The tip he includes comes from Darien Kindlund, Director of Threat Research at FireEye, and is one that everyone should try and use.

What’s this tip? Turn 0n and use the two-factor authentication option on iCloud accounts.  Mr. Kindlund is quoted in Mr. Hesseldahl’s articles as noting that Apple calls its version of this enhanced security “two-step verification” and that it’s not easy to learn about — Mr. Kindlund said it takes sorting through a number of support articles to learn about this Apple iCloud feature.

Two-factor authentication is usually a combination of a randomly generated numerical code coupled with the consumer’s regular password.  The numerical code, per Mr. Kindlund, is sent to the consumer’s phone or another device.  Since that code changes all the time, it makes it harder (although not impossible of course) for hackers to get into accounts even if they’ve got the consumer’s password.  The not so good news, per Mr. Kindlund, is that Apple permits someone an unlimited number of password guesses.

While nothing is foolproof, consumers who regularly store photos and other information in the cloud should enable two-factor authentication, or the Apple two-step verification, for additional protection.

I wrote last week about the stunning password and user name theft that Hold Security had unearthed (“Cautionary Note About Hold Security”; August 12).  In that blog, I mentioned Graham Cluley’s important discovery about the fee that Hold Security would charge consumers who wanted to find out if any of their passwords and user names had been breached.  Mr. Cluley mentioned several password management services about which I said I’d be writing more.

I looked at the sites for several password management services.  I’m not recommending any of them but these are services about which consumers should be aware. The password manager services allow consumers to store all of their passwords, along with other confidential information, into one secure site.  Hayley Tsukayama wrote a very helpful article about password management, including a good summary of several of the services along with the pros and cons (www.washingtonpost.com, “How to keep track of your passwords without going insane”; August 7).

She reviewed two of the three services I had mentioned, e.g., LastPass and 1 Password.  She also included Dashlane.  I also mentioned KeePass which has similar features as the others but is a completely free and open source password manager.  I mention that because, as Ms. Tsukayama wrote, the other services are free unless a consumer wants to sync his passwords across multiple devices, such as between a smart phone and a computer.

For that kind of premium service, there are different fees charged by the services:

  • LastPass charges $12.00 a year;
  • 1Password charges a one time fee of $50.00 for Mac and Windows, $18.00 for iOS and $10.00 for a full version of the app on Android; and
  • Dashlane charges $30.00 a year.

All the services operate along the same lines.  They are online storage lockers that retain all of a consumer’s passwords in encrypted databases.  The passwords are locked behind a single master password that only the consumer knows.  That’s the good news.  But as Ms. Tsukayama notes, that also means the consumer has to remember that master password because it can’t be retrieved from anywhere else.  The services can also store secure notes, credit card information as well as other information that a consumer has to fill in on various websites.  Another attractive feature of these services is their ability to generate random passwords for accounts that are strong and are remembered in their various lockers or vaults.  That way, a consumer can access these passwords while browsing the web by clicking onto a button on his browser and choosing the account for which he needs to fill in information.

Are there downsides to these services? Consumers are relying on the security of the various password manager services when using them.  KeePass notes on its website that in addition to being free and open source that its encrypted database is not stored in the cloud but strictly locally.

As I said, I’m not endorsing any particular service but I am strongly encouraging consumers to think about the ways in which they are storing their passwords.

There’s been a rush of articles suggesting what consumers can and should do to protect themselves following the news about the Russian hackers.  The fact that over a billion usernames and passwords have been stolen has meant that some consumers are overwhelmed given the magnitude of the theft.

Graham Cluley wrote an article explaining his initial hesitation about writing about Hold Security’s discovery or commenting on it when contacted by the news media (grahamcluley.com; “Security firm that revealed “billion password” breach demands $120 before it will say if you’re a victim”: August 7).  As he explained, his reservation stemmed from the paucity of information in Hold Security’s initial official statement.  So Mr. Cluley dug in more and found that Hold Security wants consumers email addresses and $120 per year for their new breach notification service.  Consumers whose email addresses are found are then asked for an encrypted version of all of their passwords so they can be compared against the Hold Security’s database.

There are obvious problems with this approach.  Instead, Mr. Cluley highlights Troy Hunt’s free service that checks breach information in its database.  I went to the site which is: haveibeenpwned.com and learned that my email address had been found in one of the breaches loaded into the system.  It was the Forbes.com breach about which I already knew.  I signed up for Mr. Hunt’s free service to get alerts if my email shows up in other breaches.

Password management is becoming more pressing and complex for consumers.  Thanks to Mr. Cluley’s investigation,  I’ll take a pass on the Hold Security fee breach notification system.

Mr. Cluley mentions LastPass, 1 Password and KeePass as several password management services that consumers should consider.  I’ll be looking at those and will write about them in future posts.


A breach of mind boggling magnitude has been unearthed by Hold Security, a Milwaukee firm that specializes in identifying major online security breaches.  Nicole Perlroth and David Gelles broke the story yesterday about Hold Security’s latest discovery (www.nytimes.com; “Russian Gang Amasses Over a Billion Internet Passwords”; August 5).   Other media are now reporting on this story citing the New York Times article.

No, you’re not mis-reading the headline of their story— over 1.2 billion unique combinations of user names and passwords were stolen by Russian hackers.  In their story, Ms. Perlroth and Mr. Gelles report that Hold Security found that the Russian gang had also stolen over 500 million email addresses.  Per their report, the New York Times hired an independent security expert to analyze the database that Hold Security had.  That expert confirmed the authenticity of the database and the magnitude of the data that has been stolen.

Which companies and websites have been victimized?  Hold Security is not disclosing the names of victims because of “non disclosure agreements” and the company’s reluctance to name companies whose websites could still be vulnerable.  Ms. Perlroth and Mr. Gelles wrote that it appears that the Russian criminals haven’t been selling many of the records online yet but, instead, appear to be sending spam out on social networks for fees paid by other groups.

So what protective steps can individuals take?  It’s hard to know exactly what to do when faced with a breach of this astounding magnitude.  Some of the most immediate steps are ones that are sound guidance regardless of the scope of a breach.  These include diligently examining financial statements for any suspicious charges or withdrawals; changing passwords as a pro-active step; and not using the same password and user name for multiple sites.

More and more employers are letting their staff members work from home.  There are numerous pluses to these types of arrangements.  However,  hackers and cyber criminals have figured out how to use these types of remote access arrangements for criminal purposes.  Nicole Perlroth reported on a study released yesterday by the Department of Homeland Security (DHS); DHS worked with the Secret Service and others and identified a significant problem companies are now facing (www.nytimes.com; “Checking In From Home Leaves Entry For Hackers”; July 31).

As Ms. Perlroth reports, the DHS study found that hackers are scanning corporate systems for remote access software.  These remote access systems allow employees and outside contractors to access their companies corporate networks via an Internet connection.  What happens then? The hackers find the software and use high-speed programs that continuously guess the login credentials  and keep doing so until bingo!  they find one and hack into the system.

In her article, Ms. Perlroth writes that DHS found that once they’ve hacked into the system, the criminals use a type of malicious software called Backoff to steal payment information, such as credit and/or debit card numbers.  They steal those numbers off of the inshore cash register systems.  This information then is immediately sent to the hackers’ computers from which they sell the credit and debit card numbers.

Let’s hope that companies read the DHS report; learn lessons from it; and then work to confront and confound these hackers as much as possible.

While we’ve heard and learned about our “online footprints,” in a July 21st article, Russell Brandom just wrote about a disturbing new phenomenon called “canvass fingerprinting” (www.theverge.com; “Companies have a tricky new way to track your movement across the web).

As Mr. Brandom wrote, the “canvass fingerprinting” was discovered  by researchers at Princeton University.  As described, this new web-tracking technology can follow users between and among websites.  As Mr. Brandom reports, it is “nearly impossible to block”  even if an individual has disabled cookies on his browser and isn’t logged into Facebook.  Per his article, the Princeton researchers discovered that “canvass fingerprinting” is being used by 5% of the top 1,000 Internet sites including Whitehouse.gov and the official website for the State of California.

How it works is also what makes it so strong even if an individual has blocked cookies on his browser.  The technology asks the browser to draw a hidden image and then uses that image to track the browser’s unique properties. Mr. Brandom reports that it appears that AddThis created “canvass fingerprinting” as part of its efforts to find alternatives to cookie tracking.  Mr. Brandom also adds that AddThis might end the “canvass fingerprinting” trials as they found, he writes, that the test results are “not uniquely identifying enough.”

Whether AddThis does or doesn’t end the trials, what is clear is the important point with which Mr. Brandom ends his article.  The key takeaway is that simply blocking cookies and using other means may not be enough to thwart being tracked.  That is very worrisome to those of us concerned about protecting our privacy online.

This is one of those “bad news” stories.  It has just been learned that back in March Chinese hackers successfully broke into very sensitive computer files maintained by the Office of Personnel Management (OPM).  As reported by Michael S. Schmidt, David E. Sander and Nicole Perlroth in the New York Times, Chinese hackers were targeting tens of thousands of files on Federal employees who have applied for top-secret security clearances (www.nytimes.com; “Chinese Hackers Pursue Key Data on U.S. Workers”; July 9).

This is frightening on many levels starting with the fact that the hackers were able to breach OPM’s e-QIP system which holds these, and other, employee files.  Second, the amount of personal and sensitive information that is contained in these top-secret security clearance applications makes it a treasure trove for hackers.  Applicants have to provide an array of sensitive information including, names of foreign contacts, financial data, and details about prior employment.

Senior officials and spokespersons for OPM and the Department of Homeland Security (DHS) have said that neither agency had “identified any loss of personally identifiable information.”   DHS has also said it has an emergency response team assessing this breach and that the team would mitigate any risks that are identified.

While that is good news, that doesn’t mean that there couldn’t be future risks that personal and financial information has been stolen.  Federal employees need to be aware of this breach and vigilantly monitor financial accounts for any unauthorized charges or changes.

Consumers are increasingly online doing all kinds of transactions.  These transactions often involve sharing personal and private information.  Yet consumers might not be fully aware of how that personal and private information is being used and/or ways in which they could better protect themselves.

So I was particularly interested to read about the just announced “Digital IQ” initiative being launched by the Better Business Bureau (BBB) and Acxiom.  Their initiative, which other businesses and organizations will be invited to join, is going to try and help consumers become more knowledgeable about the Internet (www.bbb.org; “Better Business Bureau to Launch “Digital IQ” Initiative with Acxiom”; July 1).

How will this be done?  Per the BBB announcement, the partners are going to conduct researched geared at identifying specific areas on which consumers need help in “…developing effective habits and skills for navigating the digital world.  By understanding how consumer data is collected and used, as well as the tools available to exercise choice about these processes, consumers can develop a “data comfort zone.”  Their initial products will be practical educational materials focusing on shopping and buying but the hope is that the initiative’s scope will expand over time to teaching consumers about other uses of data and analytics.

They’ve announced that their initial research will examine topics including:

  • How consumers can become smarter shoppers to get the best deals while staying in their respective data comfort zone;
  • How and when consumers should fill out marketing surveys; and
  • How advertisers use location data that’s on consumers’ devices.



Get every new post delivered to your Inbox.

Join 75 other followers