So here’s some news that might make you feel creepy if you shop in a Nordstrom store. Back in October, Nordstrom’s launched a 17 store pilot that enables it to follow shoppers around the store. I just learned about this pilot in stories reported by Erik Sherman on CBS MoneyWatch (www.cbsnews.com, “Retailers want to track your every move”, May 9th) and Angela Martin on CBS’ Dallas-Forth Worth affiliate (www.dfw.cbslocal.com, “Nordstrom Using Smart Phones to Track Customers Movements”).
Mr. Sherman cites Storefrontbacktalk.com, a retail trade website, for some of his information. Both Mr. Sherman and Ms. Martin outlined what the Nordstrom pilot is doing. Using technology from Euclid Elements, Nordstrom has installed sensors in the pilot stores. The sensors look for shoppers whose smartphones have Wi-Fi turned on.
With the Wi-Fi on, the sensors are able to provide data reflecting how much time a shopper spends in a particular department. The sensors can’t identify the aisle in which the shopper is located or any personal information tied to the smartphone owner. However, the technology does use the smartphone’s unique identifier which might make some Nordstrom customers uncomfortable — especially as customers don’t know this is happening.
When asked about the pilot, a Nordstrom spokesperson said the technology’s being tested in the pilot stores to help improve its customer service; and so that store executives can learn which departments receive the most traffic. Of course, this type of customer information, even if anonymous, is very valuable to store executives.
The 17 pilot stores weren’t identified so I can’t help there. But here’s what I can help you with — turn off the Wi-Fi on your smartphone if you don’t want to become even anonymous data to Nordstrom about your shopping habits.
As I mentioned in my May 10th blog, I was able to attend the first panel at the Federal Trade Commission’s (FTC) May 8th “Mobile Cramming” Roundtable. The panel’s 6 experts addressed the topic of “Understanding Third-Party Billing and Mobile Cramming”.
The experts were: Mike Altschul from the CTIA- The Wireless Association; John Breyault from the National Consumers League; Larry Bryenton, from the Canadian Competition Bureau; Jim Greenwell, from BilltoMobile; Jim Manis, from the Mobile Giving Foundation; and Kate Whelley McCabe, from the Office of the Vermont Attorney General. They represented differing perspectives on this issue which helped provide a more complete and nuanced understanding of the scope and complexity of mobile phone bill cramming.
The FTC found a critical consumer issue in the Wise Media case that it’s filed — and it’s an issue on which the panel agreed. Many consumers don’t expect their mobile phone bills to have charges from 3rd parties. Often the charges appear in a format that’s abbreviated, unclear or doesn’t clearly identify the company from which the charges are coming.
So what can consumers do? Here are the top 2 tips from the panel:
- Read your mobile phone bill carefully. Yes that sounds obvious but the panelists said, based on their respective experiences, that consumers either skip over the details of the bill or assume that the charges are legitimate.
- Contact your mobile phone carrier to ask about charges that look unfamiliar and/or to contest unauthorized charges.
The 2nd point is key since the panelists said consumers often contact the FTC or the Federal Communications Commission (FCC), as they think one or both of those Federal agencies can investigate and correct the charges. Consumers can and should report mobile phone scams to these agencies but their mobile phone carriers are the place to start to seek reimbursement of the unauthorized charges.
There are few things more aggravating than losing access to an online account that you use frequently. That loss becomes especially scary when you think you’ve lost control because of a potential hacking incident. While some applications are moving to 2 factor authentication, Facebook just announced on May 2nd their new security tool for helping Facebook users regain control over a “lost” Facebook account.
The new feature is called “Trusted Contacts” and I just read 2 excellent articles about it. Paul Ducklin’s article contains both useful information as well as graphics (www.nakedsecurity.sophos.com; “Facebook introduces Trusted Contacts, makes you ask, “How much do I trust my friends?”); and Jared Newman’s article has additional information as well as some cautionary notes (www.csoonline.com; “Facebook Trusted Contacts lets friends bail you out of a hack attack”).
I’ve summarized from those articles the 5 steps that you’ll need to do to start using “Trusted Contacts”:
- Login into Facebook and go to the “Gear Wheel” drop down menu;
- Choose Account Settings;
- Go to “Security” tab and click on “Trusted Contacts”;
- Choose the 3 to 5 Facebook friends whom you want to choose as your “Trusted Contacts”; and
- Give each “trusted contact” a code.
How do you then use “Trusted Contacts”? If you lose control of your Facebook account, you’ll have to enter all of the codes simultaneously to complete the recovery process and regain access to your account.
“Trusted Contacts” is different than the more frequently used processes for regaining account access. In those instances, users usually have to remember the security Q’s and A’s for the account or, sometimes, have to send in a scanned copy of our driver’s license.
Facebook users should learn more about “Trusted Contacts” to decide if it’s a security tool they want to use.
This is a “heads up” in case you’re interested in sharing your thoughts with TSA about the full-body scanners used for screening passengers at airports. We all want to be safe and secure so that’s the proverbial “no brainer”. But you might have questions or concerns that you’ve wanted to share but haven’t known how to do so. Now you have that chance thanks to a lawsuit that was filed in the U.S. Court of Appeals for the District of Columbia Circuit (Court).
The Court ruled that TSA should have held a “notice and comment” period prior to starting to use the full-body scanners. The Court hasn’t stopped TSA from continuing to use these scanners but has ordered them to take comments for 90 days. The comment period began in March and ends June 24th.
So now’s your chance to share your thoughts with the TSA about the full-body scanners. Comments are being taken online and you can do so at the following federal government website: http://www.regulations.gov. At that site, you’ll then type in the case code: TSA-2013-0004.
The Court-ordered comment period has been written about in many publications. Here are just 2 recent articles but there are many others: T.C. Sottek’s, “Now is your chance to tell the TSA what you think of ‘nude’ full-body scanners”(www.theverge.com);and Hugo Martin’s “Public gets chance to comment on TSA’s full-body scanners” (www.latimes.com).
A final caveat: no matter how many comments it gets, TSA doesn’t have to stop using the full-body scanners. But it will be better informed about concerns thanks to hearing from the public.
There were numerous reports last week about high-profile Twitter accounts being hacked (e.g., 60 Minutes, the BBC and the Associated Press). While those are the ones being reported, any Twitter user has to be concerned about whether his or her account can, or will, be hacked.
As Matt Honan reports (www.wired.com, “Twitter Now Has a Two-Step Solution”; April 24), Twitter is appropriately concerned about these hacks and is doing something about it. In his article, Mr. Honan reports that Twitter is now doing internal testing of a new two-step authentication process.
So what is this new approach? The solution being tested goes by various terms — two-factor authentication or two-step authentication or multi-factor authentication. In the security and privacy worlds these all constitute the same approach — and is an authentication approach that is stronger protection than just using only a password.
Here’s what a user will need under a two-factor authentication approach:
- Factor One: Something he or she knows (a password); and
- Factor Two: Plus something he or she has (a previously registered device).
As Mr. Honan wrote, Twitter users logging in from a new location will enter a password and a randomly generated code sent either to their device (either a text message or to a smartphone application).
When will Twitter roll out the new authentication? It’s not certain but Mr. Honan aptly notes that Twitter will want to do this in the very near future.
There are no fool proof solutions against hacking. However, a two-factor process is definitely better for protecting accounts than simply using a password.
Many of us use Siri — with greater or lesser degrees of success, frustration or both. But here’s one question that Siri will definitely not answer for you — just how long our various calls to her are being kept.
In his article, Mr. McMillan provides the following information that Trudy Muller, an Apple spokeswoman, gave him:
- Siri keeps users data for up to 2 years;
- The data is turned into 2 different types of randomly generated numerical identifiers — one for the user and another for the voice files associated with that user; and
- The data is anonymized and the voice clips are collected in order to improve Siri service.
Ms. Muller told Mr. McMillan that if Siri is turned off, then both of the numerical identifiers will be deleted immediately.
I’ll speak from personal experience. If Apple’s retaining and using voice clips for improved Siri service, then that’s not happening. Anyone at Apple listening to my supposedly anonymized voice clips will hear me telling Siri to “forget it” since she’s either garbled my request or given me completely incorrect information.
More importantly, Siri users need to know that their requests are being retained and used by Apple. Siri will have heard me, for example, asking for an array of information (e.g., people’s phone numbers; directions to places) that are certainly personal and sometimes private in nature.
So here’s a caution if you use Siri. She might not be giving you the information you need, but she will be keeping your requests. Be careful about the personal and private information included in your requests to Siri.
There are still too many stories and cases about people stealing and misusing SSNs. While those instances are always terrible, there are even worse consequences when it’s the SSN of a young child or teenager. In those instances, the young child or teenager might not know for years that his identity has been stolen using this very powerful source of personal identity.
The good news is that there could be some additional relief soon specifically involving those cases where the SSN is of a child 13 years and younger. The Social Security Administration (SSA) issued a request in February for comments on a proposed policy change to assign new SSNs specifically for children age 13 and younger (February 11, 2012, Fed. Reg., Docket No. SSA 2012-0042; “Assigning New Social Security Numbers (SSN) for Children Age 13 and Under”).
Under the proposal, SSA would assign new SSNs to children in that age category under any one of the following 3 situations:
- The child’s Social Security card has been stolen in transit;
- The child’s SSN has been incorrectly disclosed via the SSA’s publicly available “Death Master File”; and
- The child’s SSN has been misused by a 3rd party.
In its request for comments, SSA asked if the age cut-off is appropriate; if the 3 scenarios are appropriate; and if there are other scenarios or circumstances that would warrant assigning a new SSN to a child 13 years and younger.
Staff from the Federal Trade Commission (FTC) submitted comments on April 12th supporting the SSA’s policy proposal. They recommended that the age group be expanded to children 17 years old and younger. Their recommendation is based on the fact that many younger children (e.g., 13 and younger) might not know for several years that they’ve been identity theft victims. They might not learn about their victimization until they are first applying for credit or a loan or for some other transaction for which their credit status and/or SSN is needed (see, http://www.ftc.gov; “FTC Staff Comment Supports Proposed Social Security Administration Policy Change to Help Protect Children from Identity Theft”).
The FTC staff made other recommendations that would also help enhance what is already a very sound and, sadly, much needed policy proposal. The SSA is taking a needed step to help protect children who are, or have been, victims of identity theft.
Facebook and the National Association of Attorneys General (NAAG) announced this week a joint privacy public awareness campaign that will include public service announcements (PSAs) and other informational resources. The campaign is aimed at young people and teenagers using Facebook; it’s an effort to educate them more about steps they can, and should, take to stay safe on Facebook.
Zach Miners outlined several of the key components in a recent article (www.csoonline.com; “Facebook affirms its privacy commitment with national campaign”; April 15, 2013). Mr. Miners wrote that there are currently 19 Attorneys General who have signed onto this joint privacy safety program.
The privacy safety program will include the following resources:
- ”Ask the Safety Team” videos that provides answers to some of the most frequently asked questions the Facebook site’s received over the past few years;
- A tip sheet outlining the top 10 tools for controlling information on the Facebook site; and
- State-specific PSAs that will be done by the State’s respective Attorney General and Facebook Chief Operating Officer Sheryl Sandberg.
All of these resources will be found on Facebook’s Safety page; the PSAs are in the process of being finished so should be posted on the Facebook site within the next few days. I went to Facebook’s Safety page yesterday and the PSAs were not yet posted. The Safety page does list answers to important questions under the categories of “Reporting on Facebook” and “Controlling my information on Facebook”.
The questions and answers listed on the Facebook Safety page are an important resource for everyone who uses Facebook and wants to have more control over the information posted on their Facebook page. You can learn, for example, how to report possible misuses (e.g., hacking a personal Facebook account; instances of possible bullying) and how to better control personal information on Facebook (e.g., how to manage privacy settings to keep one’s family safe online).
The current and upcoming privacy safety resources are, and will be, helpful for anyone using Facebook. They are particularly important resources for young and teenagers users of Facebook. Take the time to read the Facebook Safety page and review it with any young and teenage Facebook users you know.