Monday, July 15, 2019

Why I'm Writing A Blog About Personal Data Protection

The subhead states the mission of the blog. I want to make key methods for protecting user data privacy and identity comprehensible to the majority of internet users who have little or no technical training. I have two major qualifications for this task. First, I'm a retired professor specializing in digital marketing. I'm used to explaining things. Second, I'm a mostly self-taught user. In the olden days--when I was in school--there was no such thing as digital marketing. I've had a few training courses and worked with lots of good, helpful technical people. But mostly I've ferreted out the skills and knowledge for myself, and I'd like to share it.

My friends and family are all internet users. Some are very skilled and some are not. Some have considerable technical training; most do not. Uniformly, however, they do not seem to take sufficient measures to protect themselves from malicious internet actors. That's true now, and it's becoming even more true as our homes, cars and our very lives become more connected.

My greatest advantages are that I have the time and interest to identify current issues and to seek solutions. I try not to recommend anything that I have not used successfully myself, so it does take a lot of time. I have long been concerned about issues related to data privacy on the web. The chapter in my internet marketing textbook is necessarily oriented to business issues. This blog offers an outlet for personal issues concerning data privacy.

I'm going to try to post two or three times a week. Please follow me by email to receive those posts. I hope you'll also share relevant posts with your own social media following on Facebook, Twitter or LinkedIn. You might want to start with the second post on identity theft. I made this presentation at a local library back in the spring. I hope to present it at other locations in the fall. At that time I will make a few updates, but it contains an overview of the basics.

I hope you will find the presentation and the posts that follow helpful. I encourage comments, all of which will be monitored before being posted.

Thank you for your interest in this critical subject!

Thursday, February 21, 2019

How to Spot and Report Fake News on Social Media

I've written a number of times about fake news including this post on how to recognize fake news on social media. It's an important subject because there's so much of it.

The first rule is to be sure information comes from a trustworthy site. Well-known sites are one thing, but there are many sites today reporting interesting news that individuals may not be personally familiar with. I use a browser extension called NewsGuard. It maintains a list of trusted sites and shows a green check by search results for those sites. Users can submit other sites for consideration. The important caveat is that it evaluates the site, not the individual news item. It is helpful, but certainly not a complete answer. Users still have to be on the alert.

https://www.factcheck.org/2016/12/video-spotting-fake-news/
So here are some resources. FactCheck.org is run by the Annenberg Public Policy Center; the site owner is one of the keys to trustworthiness. It has a video as shown in the graphic. The site's post on the subject is a couple of years old, but all its points are still valid. FactCheck.org is one of the fact checkers working with Facebook to identify false news. I wish them luck, but without a lot of optimism.

It would certainly help if users themselves pointed out suspect content. Here are three sites you might want to consider using:

Facebook:  Users can check the validity of a post before they share it. How often that is helpful depends on the success of Facebook's own attempts to identify fake content. Users can ask Facebook to investigate content. Facebook says users can check the status of their request.

Google: The help page says the user can see fact checks in search results. It also says that the fact checks are conducted by publishers and it sounds as if that means a site fact-checking its own content. That doesn't seem to be the meaning. The fact-checked search results I can find have been checked by one of the established fact checking sites. That means the fact checks are credible but it also means that only a small set of politically-oriented content is included. Try some searches for statements that are frequently presented as fact and see what you find.

The Poynter Institute points out that Google is building a search engine for fact checks. It is still in beta and I doubt if anyone except a journalist is going to get access at present. If it works and is opened to the public it would be a step forward.

YouTube: The site has been adding encyclopedia links to videos that seem to promote conspiracy theories. Slate has an article that explains pros and cons and shows an example. I can't find anything recent on how that's going or whether it plans to add other topics.

That's a short and not very inspiring look at the current status of fact-checking, especially on social media sites. Much remains to be done before users should share with any degree of confidence unless they have other sources to validate social media posts.

If you have any experience using any of these tools and sites, your comments would be welcome.

Stay Safe!

Friday, February 8, 2019

What is Phishing and How To Spot It


The blog Phishing.org defines phishing as



a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.






We've all been exposed to phishing emails. It's easy to be taken in by them, although it is also possible to avoid them with a little knowledge and effort. The phishing scammers are getting more sophisticated but fortunately the basic rules for spotting these scams still work in most instances. This graphic has a lot of good advice.


https://www.knowbe4.com/what-is-social-engineering/

Notice that the graphic contains advice for business email users, not just personal ones. If you use email at work, please pay attention! This advice is related to another common fraud called spear phishing. That's an attempt to get insider information from a business--information like email addresses of top executives or access to customer data. Sometimes the data will be used directly, as in an order from the CEO to transfer money to a fraudulent account. At other times it will be used to breach the system and install malware, permitting long-term damage. In any event, this post focuses on the personal email user.

The basic advice for spotting phishing emails is:
  1. If it sounds too good to be true, it undoubtedly is.
  2. It is urgent; the recipient will miss out unless she responds immediately.
  3. It asks for personal information. Never reply to this type of email, even if (especially if) it purports to be from an institution like the IRS or your bank. Never. Period. Don't even confirm personal information sent to you in an email.
  4. The sender is unknown or looks fishy (pun intended :).
  5. There are hyperlinks that look strange--don't match the sender, for example. It's best not to even click on these links to check them out.
  6. It's poorly written with spelling and grammatical errors or awkward sentence structure.
  7. It has an attachment. Don't even bother to examine the attachment closely--if the email is in any way suspicious don't open the attachment. Malware lives there.
  8. WHEN IN DOUBT, JUST DELETE IT. 
The chances you are going to ignore a legitimate email that has any of these characteristics are pretty low. However, if you're a worrier, pick up the phone and call the supposed sender. That's safe!
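
Several items on the checklist above can be checked mechanically. As an added example (not part of the original post), this Python script tests a raw email against items 2, 3, 5 and 7; the word lists, the function names and the sample message are assumptions constructed for the illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed word lists for items 2 and 3; tune them for your own mail.
URGENT = re.compile(r"\b(urgent|immediately|within 24 hours|act now|final notice)\b", re.I)
PERSONAL = re.compile(r"\b(password|social security|account number|card number|pin)\b", re.I)

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def same_site(host, domain):
    # Simplification: a fuller check would compare registrable domains.
    return host == domain or host.endswith("." + domain)

def phishing_flags(raw):
    """Return the checklist items (by number) that a raw email trips."""
    msg = message_from_string(raw, policy=policy.default)
    sender_domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    links = LinkCollector()
    links.feed(text)
    flags = {}
    if URGENT.search(text):
        flags[2] = "urgent wording"
    if PERSONAL.search(text):
        flags[3] = "asks for personal information"
    odd = [h for h in links.hrefs
           if not same_site((urlparse(h).hostname or "").lower(), sender_domain)]
    if odd:
        flags[5] = "links do not match sender: " + ", ".join(odd)
    if any(msg.iter_attachments()):
        flags[7] = "has an attachment"
    return flags

# Constructed sample message (example.com / example.net are reserved test domains).
SAMPLE = """\
From: "Your Bank" <alerts@bank.example.com>
Subject: Final notice
Content-Type: text/html; charset="utf-8"

<p>Your account will be closed. Act now and confirm your password
<a href="http://bank.example.com.login.example.net/verify">here</a>.</p>
"""
if __name__ == "__main__":
    print(phishing_flags(SAMPLE))
```

The link in the sample starts with the bank's name but actually belongs to a different domain, which is exactly the mismatch item 5 describes.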

All legitimate internet businesses are concerned about phishing; it makes the internet less trustworthy for all of us. Google has performed an excellent service with this exercise in spotting phishing emails. Use the link provided and give it a try!

https://phishingquiz.withgoogle.com/

Don't worry about being embarrassed by naivete. I missed a rather humiliating number of the 10-item quiz and Google was very nice about it!

Take the quiz and stay safe!

Wednesday, February 6, 2019

Excellent Short Video on Protecting Personal Data

This video has good versions of the normal advice about protecting your data. It ends with a very strong common sense section that everyone needs to follow. It is at the end of an article in Inc magazine.


I can't find an embed link or that it has been published elsewhere--not particularly good marketing practice!

Stay safe!

Saturday, January 5, 2019

Five Top Data Threats Consumers Should Watch Out For In 2019

It's not clear that security threats are coming from genuinely new directions in 2019, but it is clear that some of the existing threats are becoming more damaging. Here's a look at 5 powerful and persistent threats, not in order of presumed priority.

Cybersecurity resource site: https://www.stopthinkconnect.org/

- The IoT provides easy access to many smart homes. When did you last buy an appliance, or perhaps even something as simple as a door lock, that wasn't connected to the internet? Most are, and manufacturer security is notoriously weak. Begin by changing the manufacturer-supplied password and continue by reading the instructions to ensure that protection like automatic software updates is in place. It's likely that threats will become ever more sophisticated.

- Mobile threats multiply with emphasis on fake apps. Traditional threats like advertising that delivers malware and phishing attacks--born on the desktop and migrating to mobile--continue to affect millions of consumers. Even more worrisome, because they are so hard to detect, are fake apps. They can be found anywhere, even on the app stores. The malicious apps are removed when identified, but new ones take their places. One security firm suggests three ways to identify fake apps:
  1. Look for the developer name. If it is not the same as the brand, there's something wrong.
  2. Read the reviews and see if they appear legit.
  3. Be suspicious of unreasonable promises--or unreasonable requests like writing a review before you download the app.
It would be good to read the entire post.

- Phishing is now spear phishing. Here's one example, mortgage wire fraud:

home buyers are tricked into wiring closing fees to a rogue party by an email arriving from a trusted mortgage agent. “The hacker breaks into the mortgage lender’s (or title agent’s) computer and takes note of all the upcoming pending deals and their closing dates,” he says. “Then the day before the mortgage agent would normally send out an email telling the client where to send the closing money, the phisher uses the mortgage agent’s computer to beat them to the punch. The unsuspecting client wires the money, which is rarely recovered, and ends up losing the house (unless they can come up with another substantial closing payment, which most can’t do).” 

Spear phishing can be very close to home and very personal. At least 3 employees at Wichita State University responded to a phishing email by supplying their university ID number and lost their entire paychecks, which were diverted and never reached their banks. Individuals should never respond to this kind of request for information and employers have a huge responsibility to educate and remind their employees of the danger.

- Artificial Intelligence leading to smarter attacks on a larger scale. What AI can accomplish remains a mystery to many web users because it's highly technical in nature. Look at it this way. AI can help cybercriminals deceive users directly or trick the technology itself. I wrote about fake news during CyberMonth and the warnings there are relevant (1, 2 and more).

https://www.bbc.com/news/av/technology-40598465/fake-obama-created-using-ai-tool-to-make-phoney-speeches

Here is an example of a totally fake Obama message that could have been aimed at web users. It was produced by researchers and they explain the basics of how they did it. It's easy enough to understand, but harder to actually do. However, the technology is readily available to web users who care enough to find it and learn to use it.

Harder to understand are techniques used to hijack web sites. Here's a brief article about the use of fake fonts to disguise landing pages created for phishing schemes. It's not necessary to understand how it is done to understand there are ways of deceiving users that are hard to identify. The article doesn't say so, but the fake pages should have URLs that are not exactly the same as that of the actual brand. Users need to beware, but they also need to be able to trust brands, and that's getting increasingly hard to do. When in doubt, especially about a followed link, close it and go directly to the brand website. And make a practice of notifying brands when you see something that appears suspicious. How the brand responds is one way of knowing whether to trust it or not.

- Following the implementation of the EU's GDPR in 2018, laws protecting privacy will continue to emerge. The General Data Protection Regulation is a sweeping reform of European privacy laws, which were already stronger than those in the US. I explained how and why the law applies to US web users in a 2017 post. Users currently see the effects in things like cookie warnings and explicit requests to contact users when they visit a site. See if your state has recently passed a law regarding data privacy on this consumer-oriented site. There are also legal sites that cover the issue.

The focus in the US is on the states because the federal government has moved in the other direction. The repeal of the Net Neutrality law made it possible for ISPs to collect and sell data about the activities of their users. Who knows more about us? Watch for a followup post on this issue soon.

These are five broad categories that cover many types of threats. Customers need to have high expectations of the brands they use in terms of how well the brand protects their data. It really helps for brands to know that their customers are paying attention and even taking actions on the basis of how much they trust the brand.

'Paying attention' is the relevant phrase. Every individual user needs to be alert to attempts to breach their privacy and steal their identity. My new year's resolution is to do all I can to be helpful!

Stay Safe in 2019!

Friday, November 30, 2018

The Global War over Data Privacy

Data privacy issues are global because the internet itself is global. Actually, it's becoming less so as China builds its own version and the EU implements privacy laws that build a wall around its own citizens. At some time in the fairly near future, it may effectively become three separate versions of the internet. There's more in the Freedom on the Net 2018 report and it's fascinating reading. There's a section on China that is particularly interesting.

The report says straightforwardly that we are losing the battle for data privacy and presents this graphic to illustrate its point. The data breaches it pictures, many of them familiar to us, keep growing in size. Just today Marriott announced that the records of 500 million of its customers all over the world had been breached.


One that may not be familiar is a lesson in what is going on in one democratic nation. Aadhaar is the national identity card of India that contains demographic and biometric data on over 1 billion Indian citizens. It provides identification and access to financial and government services. It has a history of data breaches of various sizes and severity, and it seems that virtually all data has been accessed at one time or another. The Aadhaar system collects a significant amount of biometric data about each subject, something not universally done in the US. Could that be in our future?

If you are interested in the issues surrounding the internet in China, here is an interesting article on Google's controversial development project in China. It comes from a site called Global Voices that publishes articles by writers from many different countries. I recommend the site and their newsletter for interesting reading on many subjects.

Stay Safe!

Related Updates
Developments in Russia 

Tuesday, November 20, 2018

Toys That 'Do No Harm' - Holiday Gifts 2018

When my children were growing up we accessed a report on dangerous toys that had mechanical or usage issues that could cause unexpected harm. Now the scene has shifted. The question is, "Do the toys listen in on family conversations or otherwise invade privacy?"

It's an important question and maybe even harder to evaluate than the mechanical issues I was hopeless at. Mozilla is the non-profit developer of the open-source browser Firefox, which many of us use in preference to a commercial browser. Their second annual report on connected toys that do not have serious privacy issues is a welcome addition to the 2018 holiday season.


Here's a link to the report. Note that users can include their own ratings to further increase the quality of the recommendations.

Most of us will include some connected electronics products on our gift lists, so this should be required reading for all!

Stay Safe this holiday season!
