As Uber grows in popularity, it is also coming under scrutiny both nationally and internationally.  Senator Al Franken is now looking into Uber’s use of its customers’ data. He isn’t too pleased with the response he’s gotten so far, as Tim Hornyak reports (www.itnews.com; “US Senator Al Franken unhappy with Uber answers on user data”).

Mr. Hornyak writes that the Senator sent Uber a list of questions about the ways in which customer data is collected, retained and protected, including geolocation data.  He asked Uber to explain how it’s handling customer data under the “legitimate business purposes” included in the Uber Privacy Policy.

Uber’s General Counsel, Katherine Tassi, responded, in part, that Uber keeps most of the information collected from customers in their accounts and retains that information until an account is settled after a customer cancels.

It will be interesting to see whether Senator Franken will be able to elicit more specifics from Uber.  Until he does, Uber customers should read or re-read the Uber Privacy Policy to make sure they understand, and are comfortable with, the ways in which their data is being retained and used.

The Pew Research Center has an ongoing Internet Project that looks at an array of technology, privacy and Internet issues from the public perspective.  Pew Research Center recently issued a report as well as a quick WebIQ quiz — both of these caught my eye.

Their report is titled “What Internet Users Know About Technology and the Web.”  In issuing that report (based on a nation-wide survey), the Pew Research Center also posted a short, 12-question “Web IQ Quiz” that allows Internet users to assess their own knowledge about technology and the Web.

On their website, the Pew Research Center suggests readers first take the “Web IQ Quiz” before reading the full report.  So, with some trepidation, I did just that.  The 12 questions are straightforward and do assess a user’s knowledge about past and current Web and technology issues.  It was very interesting taking the quiz and then seeing where my results placed me among others who had also done so.  How did I do?  I’m happy to say I correctly answered 10 out of the 12 questions.

I encourage people to find the time to take the WebIQ Quiz and then read, or skim, the full report.  Links to the WebIQ Quiz and the full report can be found at: http://www.pewinternet.org.

Scams happen year round but become particularly prevalent during the holiday season.  Scammers know that consumers are rushed and likely don’t have the time to be as careful as they would like to be.  These thieves also know that consumers are doing more and more shopping online.

All those reasons make a recent alert from the FBI even more timely.  At its website, the FBI’s Internet Crime Complaint Center (ic3) has just posted an alert about which consumers need to be aware.  The alert reports that from June 2009 to June 2014, the FBI’s ic3 got over 6800 complaints from consumers who thought they were buying “big ticket” items from reputable sellers.  The items included cars, recreational vehicles, boats and other outdoor equipment.  Some of these items were listed at serious discounts.

What was the scam?  As the alert outlines, the ads were listed using fake information about payment methods; sometimes consumers were instructed to use a fake eBay account. Consumers were given the name, address and account number for the scammers’ bank, to which consumers could wire their payments.

What really happened?  No goods, lost money and no recourse.  The FBI’s alert reports that consumers lost over $20 million to these scams in the five-year period.

The FBI’s alert is worth reading.  It provides more details about this particular scam as well as the FBI’s tips for avoiding these types of scams.  The alert can be found at http://www.ic3.gov; the alert number is I-111414-PSA, dated November 14th and titled “Criminals Post Fraudulent Online Advertisements for Automobiles, Recreational Vehicles, Boats, and Other Outdoor Equipment Leading to Financial Losses in Excess of $20 Million”.


Consumers are seeing more and more ads popping up on their computers and mobile devices.  Sometimes they’ve requested this kind of information but other times they don’t know how or why they’re getting these unsolicited ads.

One way these ads happen is because of unique identifiers in web traffic sent by phones and other mobile devices.  This information can be misused by ad networks to track consumers’ online activities.  The really bad news is that consumers can’t turn off these types of unique identifiers.  What does this mean? It means ad networks can be tracking consumers regardless of whether consumers have tried to protect their privacy via their private browsing settings or by being on “Do Not Track” lists.

The good news is that AT&T had been experimenting with these types of unique identifiers but has discontinued doing so. Robert McMillan recently reported that news (www.wired.com, “AT&T Stops Using Invasive ‘Perma-Cookies,’ But It May Turn Them Back On”; November 14).

The bad news is that Mr. McMillan reports that Verizon is still using these unique identifiers.  It would be welcome news if Verizon decided to stop using unique identifiers, but consumers shouldn’t be optimistic about that happening.

Consumers have become accustomed to seeing different icons and seals on company websites.  One of the most reassuring for years has been the TRUSTe seal.  Why?  Because companies displaying that seal did so after having their privacy practices verified against TRUSTe’s requirements, including those about transparency.  The latter include the company’s assertions about the options consumers will have about how their personal information will be collected and used.

Now consumers are learning that TRUSTe’s assertions about its own practices have been lacking for years.  TRUSTe has just entered into a settlement with the Federal Trade Commission (FTC).  The FTC had filed a complaint against TRUSTe because of two of its practices that were alleged to be false, misleading and, therefore, deceptive to consumers.

What were these practices? As Lesley Fair wrote in an FTC blog, TRUSTe claimed that companies wanting to display its “Certified Privacy Seal” underwent recertification reviews to reconfirm their privacy practices.  Plus, TRUSTe claimed that it was an independent non-profit, thus making its certifications even more objective (www.business.ftc.gov; “The FTC’s TRUSTe case: when seals help seal the deal”; November 17th).

Neither was true.  As Ms. Fair writes, the FTC found that TRUSTe hadn’t done recertifications in over 1,000 instances between 2006 and 2013.  Moreover, TRUSTe became a for-profit company in 2008 yet continued carrying the misrepresentation that it was a non-profit entity on recertified websites.

This is sobering news for consumers who often don’t have the time and/or means to undertake their own verifications of a website’s privacy practices.  So can consumers continue trusting the TRUSTe seal and/or other similar seals?  Maybe, but with much more caution and with less absolute trust.


It was bad enough learning in September that 56 million credit cards were impacted by hackers who got into Home Depot’s payment systems.  Now we’re learning that 53 million email addresses were also stolen during that hack.  Lee Munson reports that troubling news in a recent article (“53 million email addresses stolen in Home Depot breach”; nakedsecurity.com; November 7th).

That same article reports the only good news about this breach, i.e. that Home Depot’s investigation found that no passwords, personal information or additional payment card information had been stolen and/or compromised by the hackers.  That’s small comfort but hardly reassuring given this latest discovery.

Home Depot is also warning customers to be alert for any phishing scams that could happen using the stolen email addresses.

I previously wrote that Home Depot, among other retailers, is now going to be installing the chip-and-PIN technology in all of its stores.

These privacy and security improvements cannot happen fast enough for Home Depot customers.


The Federal Government is making an important enhancement to protect the credit cards used by thousands of Federal employees. On October 18th, President Obama signed an Executive Order that requires that microchips and PIN numbers be added to the Federal Government’s credit and debit cards.  These security measures will be added beginning in January 2015.

In his Executive Order, the President also announced that several major companies are also taking steps to enhance the security of their systems and provide more customer protections.  The companies doing so include Home Depot, Walgreens, Wal-Mart and Target.  These companies will begin using chip and PIN-compatible card terminals in their stores — many of them by January 2015.

The “chip and PIN” protections are already used widely for credit cards in Europe.  While nothing is completely 100% “hacker proof”, these types of protections add important levels of security to credit and debit cards.  Let’s hope that more companies start installing chip and PIN-compatible card terminals and that these security protections begin to be used more widely in the United States.


Just last week I wrote about medical information being more sought by hackers than even credit card information.  Now there’s even more information supporting the need for consumers to be even more vigilant in using wearable fitness applications.

Why? Because it turns out that some wearable fitness apps do not have the kind of privacy and security features needed to protect the wearer’s personal information.  Mathew J. Schwartz reported on a recent study by Candid Wueest, a Symantec security researcher (www.healthcareinfosecurity.com; “Do Wearable Devices Spill Secrets? Sizing up the Privacy Risks of Fitness-Tracking Apps”; October 17, 2014).

Mr. Wueest studied the top 100 most popular fitness-tracking applications on both the Apple Store and Google Play.  He found that the information transmitted by the applications often included the wearer’s name, email address, password, date of birth and target weight as well as their Facebook and Google access tokens.

What else did Mr. Wueest unearth? As Mr. Schwartz wrote, Mr. Wueest’s research and analysis found that:

  • 52% of the applications offered no privacy policy;
  • Each application shares personal data with — on average — 5 sites, including application-related analytics sites, advertising networks, social media sites and marketing networks;
  • 20% of the applications Mr. Wueest studied were transmitting login credentials in clear text; this means that the information could be intercepted by anyone connected to the same public WiFi hotspot as one of the devices, for example, or by someone who planted a Bluetooth “sniffer” within range of one of the devices;
  • Some of the applications encrypted the credentials, but failed to encrypt the personal data being transmitted; and
  • Many of the application makers and device manufacturers failed to secure the personal information being stored on their sites.

Again, I’m not suggesting that consumers abandon fitness regimes and fitness-tracking devices.  What I am emphasizing is the critical need to try and learn as much about the data security and privacy practices of the manufacturers of wearable devices as possible.


More and more medical and health information is being collected electronically.  People are using fitness apps, for example, to watch their calorie intake and gauge their level of physical activity.  Those are certainly good and admirable goals.

But what many people don’t realize are the serious security issues involved in using these kinds of medical and health apps.  Health data is increasingly held by technology companies, not by health and medical professionals and entities such as doctors and hospitals, as Brian Fung noted in a recent Washington Post article.  He gave the example of Apple’s HealthKit, which collects and centralizes health information across apps (www.washingtonpost.com; “Facebook may be eyeing your health data. Should you trust it?”; October 3rd).  Moreover, the privacy and security requirements that apply under the Health Insurance Portability and Accountability Act to medical and health professionals, hospitals and associated records do not cover these types of fitness and health apps.

Particularly powerful are two statistics in Mr. Fung’s article.  First, he writes that “[t]here’s also a lot of money floating around the healthcare industry — an estimated $3 trillion worth….”  Second, he noted that “[h]ealth records are so valuable, security experts say, that hackers will pay up to 20 times more for a person’s medical record on the black market than for a stolen credit card number.”

Those are staggering numbers and only underscore that individuals need to protect their health and medical information.  Moreover, individuals need to think carefully before using a fitness or medical or health app.  I’m not suggesting that individuals shouldn’t use them.  But individuals need to dig in and learn how the information that’s being collected will be stored; how it will be protected; and whether the company whose product they’re using is going to sell or share any of the collected data with a third party.

Individuals need to be pro-active so they don’t unwittingly help hackers make money off of some of their most sensitive personal information.

National Cybersecurity Awareness Month kicks off today.  Consumers will be able to read numerous articles and announcements providing helpful guidance and information.

I want to start with “tip #1”, which is practical and useful throughout the year.  Protecting one’s privacy starts with the basics, and that means using a strong password.  It often seems more complicated than it needs to be.  I’ve found an article today by Paul Ducklin, with an accompanying video, that helps explain what a proper and strong password is; the steps for creating one; and reminders about why doing so is very important.

You can find Mr. Ducklin’s article and the video at: nakedsecuritysophos.com.  His article is titled “How to pick a proper password [VIDEO]” and is well worth the time.

October is the month during which cybersecurity is highlighted but these practices are ones consumers need to follow year round.
