June Tips: Privacy Through Life Stages

Why are you getting this? Please read our Privacy Notice & Communication Info at the bottom of this message.

A Season of Transformation

It’s graduation time! Whether coming out of preschool or into a new job, students of all ages are moving on to exciting new phases of life.

As the rest of us celebrate their achievements (and maybe even our own), scammers and other bad actors are enjoying the revelry, as well. Crooks love times of transition, as they can leverage all forms of “newness” to take advantage of unsuspecting victims.

Keep on celebrating, but don’t drop that guard. And, as you sign those grad checks and greeting cards, share your privacy tips and tricks with your community, too. Need some more for your collection? Read on!

Rebecca

We would love to hear from you!

Did you find the tips we provided useful? Did you like this issue? Do you have questions for us to answer? Please let us know at info@privacysecuritybrainiacs.com.

June Tips of the Month

Alzheimer’s & Brain Awareness Month
Privacy & Security Questions and Tips
Data Security & Privacy Beacons
Privacy and Security News
Where to Find the Privacy Professor

Alzheimer’s & Brain Awareness Month

June is Alzheimer’s & Brain Awareness Month, which is deeply personal to me. I lost my mother to early-onset Alzheimer’s in 1996.

Although I didn’t realize it until many years later, she started showing signs of the illness during the end of my senior year in high school.

There are many ways in which Alzheimer’s patients must be kept safe, both physically and from a cybersecurity and privacy standpoint. Here are some things you can try if you are caring for someone going through the many pains of Alzheimer’s and other types of dementia.

Remove sensitive personal data from online profiles. This includes phone numbers, mailing addresses, email addresses, birth dates, health information and other information specific to the individual.

Assemble a list of names and photos of people you trust to communicate with your loved one. Place it next to the computer. Advise them, verbally and in written words, not to connect with anyone not on this list. This means do not accept invitations, email, live chats or any other type of outreach online. People with dementia are common phishing targets.

Disallow, using the social media control settings, people who are not trusted family members or friends from being able to post on your loved one’s social pages.

Regularly review your loved one’s social media page and delete inappropriate comments.

Limit computer usage to times of the day when the dementia victim is most aware. And sit with them when they are online.

Install browser add-ons that block unsecure and unsafe websites. (This will be covered within an upcoming edition of Cybersecurity for Grandparents and Everyone Else!)

Run anti-malware continuously and employ the use of spam and pop-up blockers.

Speak about online fraud and cyber security often. You will probably need to speak about the same things repeatedly. Please do not get frustrated and stop talking about these important issues! I know from long experience that repeating important information is necessary, and shows you love your family member or friend. Keep in mind that compared to the terrible disease they are going through, repeating the same information multiple times is really not a problem for you, but a benefit to them.

Check for spoofing at least weekly. Folks over 50 are targeted often for online identity theft. Cybercrooks use look-alike accounts for phishing and other malicious activities. My own aunt’s account has been spoofed more than 20 times on Facebook. You can watch out for them with a simple Google search of their name once per week. I also recommend you search the major social media networks weekly; at a minimum Facebook, which is running rampant with spoofed accounts.

Ensure in-home caregivers respect privacy. Caregivers have been known to ask dementia patients to do things that put their privacy at risk, such as to allow them to be recorded doing things the insensitive caregiver thinks is entertaining. Consider installing in-home security cameras to monitor actions happening in the home.

Ask residential facilities about their privacy and cybersecurity policies and procedures. Understand how privacy and personal data are protected. Most of these facilities are covered entities under HIPAA, so they must comply with specific privacy and security requirements.

Make sure apps for Alzheimer’s patients have strong security and privacy controls. These should be built into the app. Don’t use apps or allow your loved one to use apps that do not have clearly stated, and strong, privacy policies.

There are many more actions you can take, but this hits some of the major ones. Do you have additional actions to suggest? Let us know!

Privacy & Security Questions and Tips

Rebecca answers hot-topic questions from Tips readers

We have gotten so many fantastic questions since the last Tips message; thank you. Keep ‘em coming!

Q: We saw the local police department rummaging through the trash bins in our neighborhood. Is this legal?

A: Police generally can search trash if a person does not have a reasonable expectation that it is private.

The Fourth Amendment to the US Constitution protects individuals from unreasonable searches and seizures. However, the police generally cannot search the following types of trash unless they have a warrant or probable cause:

Trash inside a home
Trash outside of a home on the person's property
Trash in a person's pockets or bags
Trash in the back of a car

What’s more, in some jurisdictions, courts have found that when garbage is placed in a location that is accessible to the public, such as a street curb, law enforcement is legally permitted to search that garbage. Check your city ordinances (most are posted online) to see what the laws are for your location.

If you have different laws where you live, let us know!

Q: My family’s US doctors have told me conflicting information about the health records that family members can access under HIPAA. What does HIPAA allow my doctor to share with my family members? How about friends?

A: The Health Insurance Portability and Accountability Act (HIPAA) is a US regulation that applies to healthcare providers, insurers and clearinghouses in the US. Collectively, as defined by HIPAA, these are called covered entities (CEs), and businesses they hire to support activities involving the health records are aptly called business associates (BAs). HIPAA does not require a CE to share health information with a patient’s or insured’s family or friends, unless they are the patient’s or insured’s legally designated personal representatives.

But, it is very important to understand that a CE can share a patient’s or insured’s health data with the patient’s/insured’s family or friends under certain circumstances, including when:

They are involved in the patient’s or insured’s health care or payment for health care.
The patient or insured gives the CE permission to share.
The patient or insured does not object to the CE sharing the information.
If, using its professional judgment, the CE believes that the patient or insured does not object.

Q: We are planning an extended road trip. Do you have security and privacy tips for us?

A: This is a popular question this time of year. And yes, there are several actions steps you can take before, during and after your trip:

Before traveling

Ensure any sites you use to book reservations, tickets and other trip-related experiences are legitimate. There are many bogus sites out there posing as legitimate businesses.

Watch out for sites that promise too-good-to-be-true deals.

Hold your mail and package deliveries until you return.

Ask a trusted person to check your doors and mailbox while you’re away for packages you can’t stop. Ask them to keep the fact that you are out of town confidential.

Make sure your phones and other computing devices (laptops, tablets) are all updated with the latest software patches.

While traveling

Take portable USB charging devices with you and keep them charged. This way if you are out hiking in the wilderness (as I was recently) and your phone runs out of power, you will be able to use these handy little devices to help you stay in touch with the rest of the world. Even if you cannot get internet access, that GPS ping will help to locate you if necessary.

Use a juice-jack blocker for charging in publicly available USB ports, which can contain USB skimmers. Most people do not have the technical tools necessary to determine if USB skimmers are loaded in the USB ports, so using these inexpensive blockers is a cybersecurity and privacy must for traveling.

Add privacy screens to your devices to keep those nearby from seeing personal or sensitive information on your screens.

Don’t leave your printed boarding passes behind. Shred them when you get home. A simple barcode reader app can scan them for access to your personal information, such as frequent-flyer numbers.

Use your own mobile hot-spot wi-fi router instead of public wi-fi. This prevents an unlimited number of people sharing the network, getting into your device or intercepting data you are transmitting and receiving.

Lock your computing and digital storage devices in the hotel safe, or some other location that only you can access, or that only another person or position can access who can be held accountable for any unauthorized access.

Watch out for credit and debit card skimmers at ATMs and payment terminals. See our article about skimmers in this past Privacy Tips message. These longtime methods are still often being used.

Ensure you have a secure door on your hotel room. Consider taking a portable door lock with you.

If you are using a home-sharing service, ask if surveillance is in use within the property. Do a sweep of the rooms to make sure there are no cameras installed. If you find one, contact the rental service.

Use a money belt, fanny pack or cross-body bag to with RFID-blocking to carry credit cards, money and other valuables.

After traveling

Log into all credit card and bank accounts to review your account profile and activity to ensure all information is valid.

Do an online search, including social media, to look for any of your personal information from your trip is posted.

Image source: Andrew Grossman, Scop.Io

Q: I just graduated college and will be moving many states away to start my career. My new employer is reimbursing me for my moving costs. What should I be thinking about when hiring a moving company?

A: Although most moving companies are trustworthy, it’s common for scammers to target people who are moving.

A 30-year veteran of fraud and cybersecurity investigation estimated he believes as many as 10% of employees in the moving industry have used their position at least once to steal documents, computing devices and other valuables.

There has also been a dramatic increase in so-called “hostage loads.” Movers insist customers pay more than the quoted amount to get their deliveries. Even after paying the “ransom,” many people never receive their property.

Here are some tips for a security and privacy safe move:

Transport personal information and other irreplaceable valuables in your own vehicle. If you have a lot, consider renting a truck or van. Or ask a friend to help. Your employer is likely to cover this along with your moving company expenses.

Check out the site MovingScam.com.

Contract with a trustworthy moving service. 10 red flags to watch for…

Complaints about the service on sites like the Better Business Bureau.
Requirements for cash, direct deposit or gift card payments.
Demands for full payment up front
Mandates for a large deposit of 50% or more during the off-season.
Not being registered with the Federal Motor Carrier Safety Administration (FMCSA).
Instant quotes vs a quote following an onsite inspection. These can include huge price increases for a wide range of situations.
An exorbitant amount of fine print in the contract (or no contract at all).
No copy of “Your Rights and Responsibilities When You Move” is provided. Movers are required by US federal law to give this booklet to consumers. Other countries may also have such requirements; if you are in another country, please let us know!
Too many unresolved customer complaints or no reviews at all.
Requirements to sign blank contracts or paperwork before the move.

Q: My family uses an Amazon Fire Stick. I was recently alarmed to learn that it is recording our conversations! How can I remove what it has recorded?

A: Indeed, Fire Sticks have been found to be recording everything in their vicinity. In these circumstances, the device had design flaws that created privacy glitches, and disastrous ones at that. Sadly, these types of glitches can happen with any “smart” device engineered to listen and record, often when they are not thoroughly tested before being sold to the public, or when updates are made and not thoroughly tested.

As with most Internet of Things (IoT) devices, recording of private conversations depends on several factors:

The capabilities the manufacturer or its contracted engineers built into the device.

The device’s default privacy and security settings.

How well the seller communicates instructions for changing those settings.

Whether the manufacturer and/or seller additionally provided some type of training (e.g., videos explaining the capabilities) for how to securely use the devices.

And, when such instructions and training are provided, whether users then follow those instructions and take the training.

The Amazon Fire Stick was designed to always be listening so it can pick up the trigger word. To complicate matters, there are many different Fire Stick models. Each has slightly differing capabilities. That said, Amazon does enable Fire Stick owners to remove all data that has been knowingly or unknowingly collected.

Q: I received an offer from Amazon Prime to preview the first three episodes of a brand new show. Is this a scam?

A: I received the same offer (see screenshot above and below). While it is not a scam, it is a seriously privacy-invasive activity. Here’s why:

Participants must share a copy of their driver’s license to verify their identity. Amazon already has a huge amount of its users' personal data they could certainly use to authenticate identity.

There is no reason for people to provide sensitive, government-issued identification to an online store, particularly in return for the preview of a show and a $15 credit. Not worth it.

Amazon Studios’ communication says they “must” ask participants to provide their driver’s licenses. That is not true; there are no laws that require this. Worse, the company is working with a third-party contracted entity, Veriff, to collect this sensitive data. What might that contractor do with the data? How are they keeping it safe? Are they sharing it with other third parties? If you read Veriff’s privacy policy, you can assume they are. Here is just one excerpt, “…Personal Data can be shared with our advertising and marketing partners, companies carrying out satisfaction surveys, debt collection agencies, credit registers, authorities and organizations intermediating or providing (electronic) mail, compliance or payment services and the like…”

Data Security & Privacy Beacons*

People and places making a difference

National Online Safety created a new, free resource containing great advice: Online Safety for Under 5s: Ten Top Tips for Parents and Caregivers.

CyberGhost is providing another good collection of content in “A Parent’s Guide to Internet Safety for Kids.”

AtSign innovated new way to protect personal data… by “flipping the internet” to give individuals control over their own personal data. We are going to keep our eye on how this concept progress.

Consumer Reports is sharing a new online guide, “How to Use Facebook Privacy Settings.”

Code42 designed a terrific infographic, “6 Unusual Data Behaviors That Indicate Insider Threat.”

The University of Queensland is hosting events for Privacy Awareness Week 2022: “Privacy: The Foundation of Trust.”

The Washington Post published two very insightful and useful resources, “How to spot a fake video,” and “The Fact Checker’s Guide to manipulated video.”

The National Conference of State Legislatures (NCSL) is providing a list we love. It’s a continuously updated collection of US state laws related to privacy.

Google has made it possible for users to remove some personal data from its search results. Google may also consider the removal of professional contact info “in the context of doxxing.” If you use this, let us know how it worked.

Amazon Prime is sending awareness messages about scammers to its customers (see screenshot below). In light of the last Q&A above on Amazon Studios, you can see why we include our disclosure statement below. A company can do great things in the name of privacy while also falling down on privacy protections elsewhere.

*Privacy Beacons do not necessarily indicate an organization or person is addressing every privacy protection perfectly. It simply highlights a noteworthy example of privacy-aware practices.

Privacy & Security News

Visit the PSB News Page often!

We continue to get great feedback on the Privacy & Security Brainiacs (PSB) News Page. Thank you!

The PSB News page contains news grouped by month and by topic. We curate the news we find of most concern and interest, so you can see the kind of info we pass along to our own clients and employees.

Brand New Training Courses

Clearing up common confusion around HIPAA

We are excited and proud to announce our new online class!

Too few healthcare employees are confident in their understanding of HIPAA. We want to change that. Beginning this month, HIPAA covered entities (CEs) and their business associates (BAs) will have access to “HIPAA Basics for Business Associates 2022.”

The course includes coverage of both temporary HIPAA requirements that are still in effect, as well as proposed permanent HIPAA rules. It also covers common BA misconceptions and HIPAA compliance errors. Ask us about our deeply discounted beta testing user pricing.

Where to Find the Privacy Professor

See our new Privacy & Security Brainiacs page for our business in the news! We have added several new items since the January Tips were published.

Rebecca's Radio Show

If you haven't checked out Rebecca's radio show, Data Security & Privacy with the Privacy Professor, please do. Guests discuss a wide range of

real-world topics within the data security and privacy realm.

Latest Episode

First aired on Saturday, May 7, 2022

Adam Dodge

How Stalkers & Assaulters Track & Find Victims with IoT Tech

Assaulters and stalkers are increasingly using IoT tech to target, surveil, and attack their victims. What types of popular, tiny, inexpensive IoT devices are increasingly used by assaulters and stalkers for surveilling and then tracking down victims to abuse and assault? In what ways do IoT devices provide a sense of false security, that then actually makes weaponizing them to commit crimes easier? What can people do to keep from being victims of assaults through the IoT devices they use? Tune in to hear Adam Dodge, founder of Ending Technology-Enabled Abuse (EndTAB), provide answers to these and many more questions.

Next Episode

First airing on Saturday, June 4, 2022

Dr. Clifford Stoll

Catching KGB Hackers with 75¢ and a 2400 Baud Modem

Dr. Clifford Stoll wrote the book, The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage, in 1989 which provides his first-person account of his Russian KGB hackers-catching odyssey. In this episode we cover additional facts about the hack, that include more discussion of the technical and security perspectives, still applicable, and some of the specific work that Dr. Stoll did during his tracking of the wily hackers, that actually seem to have inspired some of the tools commonly used by cybersecurity pros today…that they probably don’t even realize were first established by Clifford Stoll!

The Privacy Professor | Website

Privacy & Security Brainiacs| Website

Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:

Source: Rebecca Herold. June 2022 Privacy Professor Tips. www.privacysecuritybrainiacs.com

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Info

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com;

2) making a request directly to Rebecca Herold; or

3) connecting with Rebecca Herold on LinkedIn.

When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message when accepting their invitation. That message states that each month, to support the LinkedIn networking purpose and goals, and to stay in touch with her links, she sends her LinkedIn connections one security and privacy tips message via email each month. If they do not want to stay in touch with her in this way, LinkedIn connections are invited to let Rebecca know they do not want to get email messages from her by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com.

If you wish to unsubscribe, just click the SafeUnsubscribe link below.