People hope, and want to believe, that searching for health and medical information online is private and protected. That likely is a false and dangerous hope.
Pam Baker wrote an article highlighting recent research into this very issue (www.nuviun.com; “The gaping privacy hole in healthcare data is not where you think”; March 16th). Her article discusses the companies and entities that are tracking and analyzing online and mobile applications used by individuals for researching medical and health issues. She reports that this information is often mined by 3rd parties.
What is especially important is the research by Mr. Timothy Libert about which Ms. Baker wrote. Mr. Libert is a doctoral student at the University of Pennsylvania. He analyzed over 80,000 webpages on healthcare websites and found that “nine out of ten visits result in personal health information being leaked to third parties, including online advertisers and data brokers.” Mr. Libert’s research results were shared with Brian Merchant on Mr. Merchant’s Motherboard blog.
But it’s not just data miners who use this healthcare information. As reported, it’s also such reputable groups as governments, non-profits and universities.
Mr. Libert’s wrote about his research results in an article titled “Privacy Implications of Health Information Seeking on the Web”. It can be found in the March 15th issue of “Communication of the ACM.” There was a February 15th press release about Mr. Libert’s research and article. That press release is titled “Your Privacy Online: Health Information at Serious Risk of Abuse” and can be found at http://www.asc.upenn.edu.
Mr. Libert’s research underscores the dangers for individuals by leaked health information. There can be embarrassment, job and/or credit discrimination and identity theft.
His findings remind all of us to be especially careful about our online research into such a sensitive area as health.
Venmo is a mobile payments application that is especially popular with young adults. Why? Because it allows them to send cash fast and directly to a friend’s bank accounts.
However, in Venmo’s case, fast is not necessarily better — especially in light of serious security flaws. A number of articles have appeared recently detailing the flaws and unhappy consequences. Mike Isaac and John Zorabedian have particularly helpful articles. Their articles can be found, respectively at: bits.blogs.nytimes.com (“Venmo Was Ordered in July by California Regulators to Address Security Issues”; February 27); and nakedsecurity.sophos.com (“Venmo mobile payment service under fire for security carelessness”; March 3).
What are some of the problems? Both articles cover the basics which include the fact that Venmo had been using only an email and Twitter account but didn’t have a customer support line. Mr. Zorabedian recounts the story of one Venmo user who had $2,850.00 stolen from his bank account. How could this happen? In part, Mr. Zorabedian writes, because the Venmo application has no security against unauthorized account access.
In his post, Mr. Isaac reports that Venmo claims to have implemented “…companywide best practices and programs and user privacy, security, customer service and fraud loss management.” However, Mr. Isaac reports that Venmo is still under ongoing supervision by the California regulators.
Have these important improvements been made? Maybe but Venmo should be used very cautiously until there’s concrete proof that strong security and privacy features have been added.
The Federal Trade Commission’s (FTC) Division of Consumer & Business Education (Division) pro-actively helps consumers learn about and, hopefully avoid, a variety of scam artists. Carol Kando-Pineda, Counsel to the Division, has just published a list describing the “top 10 imposter scams” that consumers have reported to the FTC. While many appear obvious, it is always useful to be refreshed about the scams since they often vary with each version. The March 2nd article by Ms. Kando-Pineda is titled “The Grate Pretenders” and can be found at: http://www.consumer.ftc.gov.
What are some of the top imposter scams? The number 1 position is held by scammers impersonating IRS agents. They call or email consumers, frighten them by saying the consumer owes back taxes or that there’s a problem with the consumer’s tax return. The goal? Getting the consumer to provide personal and financial information allegedly to pay the owed taxes or correct the return.
Other “top 10″imposter cons include:
- “You’ve won the prize”: the scammer claims to be from Publishers Clearinghouse. What’s the scam? The winner only has to pay a processing fee in order to collect the prize;
- “I’m an official with ….” fill in the government agency. It could be, for example, a scammer claiming to be from one of the agencies handling health issues. The scammer says he works for Medicare or in an office administering the Affordable Health Care Act. The caller threatens the consumer with lost medical benefits unless the consumer provides personal information or fees.
These are just a few of the FTC’s “top 10 imposter scams”. Ms. Kando-Pineda’s article is well worth taking the time to be reminded about the variety of “imposter scams” that are out there.
The Better Business Bureau (BBB) issued an alert on February 21st about a reoccurring scam. As BBB notes in its alert, this type of customer survey scam comes back often, with slight variations each time. And each time, the scammers count on consumers being too busy to stop and realize the only “reward” is the personal and financial information the scammers will get.
This scam comes via an email announcing either “Your Reward Points are Expiring. Claim Now!” or”Your eBalance Points are Expiring Soon!” (firstname.lastname@example.org; “It’s Back! Survey Scam Strikes Again”). As BBB explains, consumers will be tricked into believing this is a legitimate email as the scammers use the name of a well-known store; the BBB alert notes that stores as well-known as Macy’s, Walgreens and others have been used in these types of scams.
The consumer getting this email may, in fact, shop at the store named by the scammers. There’s a link in the email asking the consumer to take the attached survey and tell the store about his recent shopping experience there. The reward for doing so? A promise of $100.00 or more in “bonus-points” for just completing the survey.
Don’t open the link because doing so can result in many outcomes but none are good. While the survey might be real, the consumer gets ads for products once the survey is done. Or else, the survey is really a phishing scam that asks the consumer for banking and credit card information. Or once opened, the survey link downloads malware to the consumer’s computer.
The BBB alert contains 4 tips for spotting a survey scam:
- Email has consumer’s personal information: while the scam email looks as if it’s personalized, the consumer has never signed up for emails from this particular company;
- Act ASAP: the scam email tells the consumer to act immediately or else something terrible will happen;
- Bad grammar, typos: the BBB alert contains a warning I’ve previously noted –that being, that scammers are getting better all the time at copying a company’s logo, name and email format. But incorrect wording, bad grammar, typos and awkward phrasing are among the tip-offs that the email is a scam; and
- Hover over the URLs: As BBB notes, while the hyperlinked text will say one thing, the link itself will point the consumer somewhere else. A consumer who hovers over the links can see if they lead to the business or company’s official website or some variation of the domain name.
The best tip? When in doubt, don’t open the link!
Car manufacturers are creating more sophisticated electronic systems for their models every year. Consumers benefit from advances such as GPS. Yet these advances are also raising new concerns about whether some of the systems could be hacked or create privacy risks. Jeffrey Roman wrote an excellent article about these emerging issues, the potential risks and the steps by the industry to address these risks; he notes that the auto industry has established a center “… to collect and share information about cyber-related threats and vulnerabilities in motor vehicle electronics ….” (www.databreachtoday.com; “Ramping Up Automobile Cybersecurity”; February 17).
What would be a possible privacy and security risk? Mr. Roman reports on research results from Chris Valasek, the Director of vehicle security research at IOActive, a computer security services firm. Mr. Valasek found, for example, that it might be possible for a criminal to access a car’s systems and get the consumer’s GPS coordinates or even the consumer’s username and password for the in-car applications.
Mr. Roman notes that Senator Edward Markey and Senator Richard Blumenthal are going to be introducing legislation requiring the Federal Highway Traffic Safety Administration and the Federal Trade Commission to develop federal standards that would to improve the security of cars as well as protecting drivers’ privacy. Their legislative goal is making drivers’ information safe in this rapidly emerging technology.
Consumers will benefit from having pro-active industry and legislative attention focused on these types of potential issues — to help get ahead of the risks becoming actual problems.
On January 20th, I wrote about the efforts by Julia Angwin and Mike Tigas at ProPublica to publicize the hidden tracking cookie that Turn was using thanks to Verizon. In their article, Ms. Angwin and Mr. Tigas reported that AT&T had already announced it would stop inserting this hidden undeletable number in its user’s web traffic. At that time, Verizon didn’t say that it would follow suit.
Ms. Angwin now reports that 2 days after their article, Verizon reversed its practice and will soon be allowing its customers a way to opt-out of this hidden tracking code (www.propublica.org; “Verizon Will Now Let Users Kill Previously Indestructible Tracking Code”; January 30th). The opt-out will give Verizon customers a way to stop having their smartphone and tablet browsing tracked via this hidden code. Per Ms. Angwin, Verizon has revised its FAQs on its website about this code.
I confirmed that by going to the Verizon website (www.verizonwireless.com). The FAQ about “privacy” has been revised. Verizon customers should read these FAQs; the hidden code is called the UIDH for “Unique Identifier Header.”
Is this change of policy by Verizon good? Sure but it would be so much better for customers if Verizon gave them the option of opting in for this as part of Verizon’s mobile ad-targeting program rather than having to opt out.
There have been several news reports over the last 10 days about HealthCare.gov. It was reported that the website was releasing consumer personal data to 3rd-party commercial sites. In her January 26th article, Marianne Kolbasuk McGee reports on the changes that have been made following the outcry from privacy advocates about this situation (www.healthcareinfosecurity.com; “HealthCare.gov Makes Privacy Fixes”).
A spokesman for the Department of Health and Human Services (HHS) announced that HHS was adding a layer of encryption to HealthCare.gov in order to reduce the amount of personal information that was being made available to the 3rd-party commercial sites. It was reported that this personal information was being released to at least 14 3rd-party commercial sites. And this was happening even for consumers who had enabled “Do Not Track” on their computers.
Consumers using HealthCare.gov should be aware that some of their personal information might already have been released. They should be on the alert for unwanted ads, solicitations and even scams.
On January 15th, I wrote about the tax identity theft week that the Federal Trade Commission (FTC) is hosting with the Veteran’s Administration, the Treasury Inspector General for Tax Administration and others. That joint program starts today and continues through the 30th.
Consumers need to try and attend one of the FTC webinars or, at the least, go to the FTC and IRS websites to learn what to do to try and prevent being an identity theft victim.
What’s the latest scam? Scammers calling consumers, telling them they’re IRS agents, that the consumers owe back taxes to the IRS and that they could be arrested and/or jailed if they don’t pay. The scammers, of course, have an easy way for the consumer to repay these taxes by either wiring it or loading the alleged amount onto a pre-paid debit card —with either payment form going to an address scammers provide.
The FTC just issued an alert about this scam which is very deceptive in so many ways.
- One: the IRS does not call consumers about taxes they might owe and will not threaten them with arrest or jail.
- Two: the calls may appear to be coming from Washington, D.C. or even the Treasury Department.
- Three: the scammers might even know all or part of the consumer’s Social Security Number.
Points two and three make the call look legitimate so consumers need to be even more vigilant. The FTC’s alert has an excellent diagram depiction of the scam. (www.ftc.gov; “Tax ID Theft Tops FTC Complaints in 2014: IRS Imposter Complaints Up More Than 2,300 Percent;” January 26th). The FTC urges consumers who get one of these calls to contact the FTC either online or by phone at 1-877-FTC-HELP as well as the IRS at 1-800-908-4490.