Search The Web's Nooks And Crannies To Find Connected Devices

Most people believe that when they use one of the popular search engines (e.g., Bing, Google, Yahoo, DuckDuckGo), that they have effectively searched the entire Internet. That belief is erroneous for a couple reasons.

CNN Money has a good report about the Shodan search engine, which was developed specifically to search what I call the nooks and crannies of the Internet. Shodan users can find devices connected to the Internet that other search engines don't necessarily focus upon:

"... servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet... traffic lights, security cameras, home automation devices and heating systems... control systems for a water park, a gas station, a hotel wine cooler and a crematorium... command and control systems for nuclear power plants and a particle-accelerating cyclotron..."

If it isn't obvious to you, these search results have huge privacy and identity theft implications for a variety of reasons. Many users connect devices to the Internet which they shouldn't connect. Or don't properly secure their Internet-connected devices with firewall software. You can bet that since the good guys already know about and use Shodan, then the bad guys will, too, and hack into unprotected devices, steal identity information, and/or cause havoc.

The second reason: many consumers are trapped in the search Filter Bubble, and don't know it.

Former Employee At Web Hosting Service Arrested And Charged With Felony Computer Breaches

Ars Technica reported that Eric Gunnar Gisse, a former Hostgator employee, has been arrested and charged with felony computer breaches. Gisse allegedly used his position to install secret code that allowed him unauthorized, "back door" access to more than 2,700 Internet-connected computer servers. Gisse, of San Antonio, Texas is being held on $20,000 bail in the Harris County jail.

This highlights one risk with cloud computing services. Many companies outsource the operation of their website to third-party vendors, such as Houston-based Hostgator, that offer what the industry calls "web hosting services." This is not new.

As a usability professional who has worked with several digital agencies, I have seen this outsourcing repeatedly work well and data maintain security. The issue is when employees abuse their positions and either steal or expose the sensitive information of people who use the compromised web servers.

The C/Net website lists companies that provide web hosting services.

ACLU Files FTC Complaint Against Mobile Carriers About Smartphone Security Failures

The American Civil Liberties Union (ACLU) has filed a complaint via the U.S. Federal Trade Commission (FTC) against several mobile carriers for:

"... failing to warn their customers about unpatched security flaws in the software running on their phones... running versions of Google’s Android operating system. Unfortunately, the vast majority of these phones never receive critical software security updates, exposing consumers and their private data to significant cybersecurity-related risks."

The mobile carriers named in the complaint include AT&T Inc., Verizon Wireless, Sprint Nextel Corp., and T-Mobile USA. In its announcement, the ACLU also said:

"Google’s Android operating system now has more than 75% of the smartphone market, yet the majority of these devices are running software that is out of date, often with known, exploitable security vulnerabilities that have not been patched. For consumers running these devices, there is no legitimate software upgrade path... Although Google’s engineers regularly fix software flaws in the Android operating system, these fixes aren’t packaged up and pushed to consumers by the wireless carriers and their handset manufacturer partners."

Download the ACLU complaint (Adobe PDF, 438k bytes).

9 Things Consumers Should Do About A Lost Or Stolen Tablet

Forbes recently published a fairly good article listing nine things consumers should do before and while travel to avoid having their tablet computer lost or stolen. Perhaps, you've already lost a tablet while rush during business travel. Maybe you left it in a taxi-cab or on an airplane.

hile the article was written with a focus for information technology professionals, the list of items includes good good security habits for consumers (or employees) who use a company-provided tablet or who use their personal tablet for business:

1. Password lock your tablet, especially when traveling
2. Use identification tags or stickers to make it easy for people, who find and want to return the tablet, to contact you (or your company)
3. When traveling, don't pack all of your gadgets iin one bag

Follow the link above to read the entire list. These tips help ensure that after a table loss or theft, a person can't use the tablet and access any sensitive information on it.

I consider the article "fairly good" because it unnecessarily focused on a single brand of tablet computers, when it easily could have been written more broadly to be relevant to all tablet users. The list of tips are not specific to any specific tablet brand.

5 Ways Retail Stores Spy On Their Shoppers

If you haven't read it, there is a good article at Consumer Reports which lists the ways retail stores spy on consumers while shopping. Not the online stores but the physical, brick-and-mortar store locations. Some of the ways stores spy on shoppers:

1. Spy cameras: armed with facial recognition software, these cameras record and track both your movements in the store, the items you look at, and for how long. Some stores use mannequins that contain spy cameras, to distribute cameras thought store areas. Stores often merge these recordings with data from your purchases: amount, payment method (e.g., cash, credit, debit), store sections (e.g., clothing, shoes, housewares, etc.), and items browsed (e.g., pants, dresses, cookware, etc.). Outside cameras record your auto data (e.g., license number, make, model) which is also merged with interior recordings.
2. Smart phone tracking: retailers record the geo-location data from your phone to map/track which departments you visit, in what order, and how long you stay in each department.
3. Interactive digital ads: many contain tiny cameras to record the shoppers that view the ads.
4. RFID technology: merchandise with radio frequency identification tags (RFID) can trigger nearby interactive digital ads, to then serve up targeted, personal ads based on the specific merchandise you are carrying
5. Product returns: many stores demand photo identification to process product returns. Stores claim that the reasons for this are to prevent fraud, but the data collection includes shoppers who do not commit fraud.

What is worse is that the stores do no disclose any warning to shoppers or parents, except that most states require stores to post product return policies visibly in stores.

What's your opinion of the tracking/spying?

Facebook Becomes More Annoying

This morning, I decided to clean out my personal Facebook email folder. I use Facebook.com for two reasons: 1) connect with friends, family, and former co-workers; and 2) a business page for this blog to connect with readers. The Facebook mail I deleted was for #1.

If you use Facebook.com, it is important to manage your email inbox, since you probably have received Facebook email from both people you are connected to and business pages you have "liked." I found the process to delete old Facebook emails both time-consuming and difficult. Unlike traditional email software, the Facebook email interface forces members to delete one conversation at a time:

So, what should have taken at most 2 minutes, took almost 20 minutes. After deleting old conversations in my Facebook inbox, then I had to switch to the Facebook archive folder and repeat the deletion process:

I find this user interface unnecessarily difficult and time consuming. (Deleting Facebook email is even more tedious and time consuming if you delete items one message at a time. Who would choose that form of self torture?) Perhaps, making it difficult for you to delete your information is a key part of Facebook's "Big Data" strategy to retain as much of its members' content for as long as possible. Facebook frequently hides tasks in unlabeled drop-down menus, and/or in multiple locations you wouldn't expect.

Combine this with the new ads that appear directly in your Facebook News Feed (e.g., Facebook calls them "Suggested Pages," but an ad is an ad by any name -- and some users report this as spam!), and the service has become much more annoying. And, it seems that Facebook plans to deliver more ads in members' News Feeds in the future.

Of course, the folks at Facebook would love for you to use only Facebook email, and stop using traditional email. Last year, without asking Facebook switched the default email addresses in its members' profiles from your traditional email address to your new Facebook email address. Check your Facebook profile. I'll be you didn't notice that.

I switched back the default email address in my Facebook profile, since I still use traditional email. It is important to me to not use any single company's service for all of my online activities. To do that would be for me to give up my power as a consumer. No walled gardens for me. That's why I also use DuckDuckGo -- to escape from being trapped in the search engine filter bubble.

If you use Facebook email, what are your opinions of it? Share below.

The Companies Involved In Payment Transactions When Consumers Buy Items

When consumers pay for products and services, today they have a wide variety of options. To make these options work, a variety of companies are involved behind the scenes in the payment transactions: the companies money and information flow through after a consumer purchases something at the checkout register. Consumers may not realize the wide variety of different companies involved.

Companies involved in the payment transactions flow often have their onw privacy policy, and data collection of consumers' sensitive information -- driven by their agreement with the retailer or bank. And, each company involved may experience data breaches where consumers' sensitive information is exposed or stolen:

	Payment Method
Company Type	Cash	Credit Card	Debit Card	Retailer's Prepaid Card (1)	Bank Prepaid Card (2)	Prepaid Card: FSA (3)	Smart Phone
Brick-&-mortar retail store	No	Yes	Yes	Yes	Yes	Yes	Yes
Online retail website	n/a	Yes	Yes	Yes	Yes	Yes	n/a
Retailer's partners &/or affiliates (4)	n/a	Yes	Yes	Yes	Yes	Yes	Yes
Your bank	n/a	Yes	Yes	n/a	Yes	Yes	Yes
Retailer's bank	n/a	Yes	Yes	Yes	Yes	Yes	Yes
Payments Processor (5)	No	Yes	Yes	Yes	Yes (6)	Yes	Yes
Your Employer	n/a	n/a	n/a	n/a	Yes	Yes	Yes
Healthcare Vendor (7)	n/a	n/a	n/a	n/a	No	Yes	n/a
Wireless Provider	n/a	n/a	n/a	n/a	n/a	n/a	Yes
Mobile Device Manufacturer	n/a	n/a	n/a	n/a	n/a	n/a	Yes
Mobile Device Operating System Developer (8)	n/a	n/a	n/a	n/a	n/a	n/a	Yes
Mobile App Developer (8)	n/a	n/a	n/a	n/a	n/a	n/a	Yes
App Store	n/a	n/a	n/a	n/a	n/a	n/a	Yes

Footnotes:

1. Includes gift cards offered by retailers that are good only at that retailer's stores.
2. Includes general-purpose prepaid cards usually offered by banks
3. Includes prepaid cards used by employers to adminster healthcare Flexible Spending Accounts
4. Includes outsourced vendors that administer a retailer's email marketing programs, cloud-based storage services, customer relationship management databases, mobile marketing services, product fulfillment, and/or data mining services; plus companies that perform co-marketing campaigns
5. The bank and/or company that processes the debit/credit card transactions
6. Applies to employers that pay employees via a payroll debit cards
7. Some employers outsource the administration of their healthcare Flexible Spending Account (FSA) program to an external vendor, and issue participating employees a special prepaid card
8. The company that develops and maintains this software mobile devices

What do you think about the above chart?

The Mugshot Industry. Accurate Information That Is Beneficial For Consumers?

Thursday night, ABC Nightline reported about problems consumers encountered with the mugshot industry -- websites that publish online photos of citizens arrested by law enforcement. While there have been very public, high-profile cases of celebrities' mugshots, the reality is that many consumers have been affected.

You've never heard of the mugshot industry? Neither had I until this Nightline report:

"Here's how it works, the sites legally download the latest mug shots from police web sites [that] published the faces of alleged lawbreakers on the Internet. And then often charge the accused of -- sometimes hundreds of dollars to pull all the photos..."

That's right. The sites charge consumers a fee, sometimes called a "take-down fee," to remove their mugshot photos. There are several problems with this. First, after paying one website to remove their mugshot photo, many consumers find that their mugshot photos re-appear on another website. Second, many sites don't consistently remove mugshot photos of consumers wrongfully arrested or found innocent by a court:

"... Sofia on Roddy says that was not her experience dealing with other companies she says she explained over and over again how she was the victim. And how the photos were preventing her from obtaining employment. And she provided these court document showing that prosecutors cleared her case. This was a wrongful arrests. And the case was dismissed by the state attorney's office. But her picture remains published..."

That does not sound good at all. According to ABC Nightline, there are 60 such mugshot websites. I searched online and easily found several within five minutes:

• Tampa Bay Mugshots (Florida)
• Busted! Mugshots
• Sarasota Mugshots (Florida)
• Springfield Mugshots (Missouri)
• Just Mugshots
• Shasta Mugshots (California)
• Gwinnett County Mugshots (Georgia)
• Mugshots Ocala (Florida)
• Mugshots Atlanta (Georgia)
• Go Upstate Mugshots (South Carolina)
• Cincy Mugshots (Ohio)
• Mugshots Gainsville (Florida)
• Who's Arrested

Some sites focus on a specific city or country, while others include several states and/or geographic areas. I am sure that some sites operate responsibly. Some are operated by newspapers. Why is this industry growing quickly? The ABC Nightline report interviewed one mugshot website operator, who admitted:

"Think of how many people have been arrested. Now put a small service fee on data -- of people and you can see why the industry is sort of taken off..."

Some consumers are fighting back. First, there is at least one blog about the mugshot industry. Increasing awareness among consumers is always good.

Second, in Florida legislators introduced a new bill (HB 677) to require mugshot website operators to automatically take down photos when consumers are found not guilty, or the charges were later dropped. That seems to be a very appropriate common-sense law.

Third, there is a class-action lawsuit in Ohio against several mugshot websites. According to Findlaw, the lawsuit claims:

"... these mugshot websites violate a person's right to publicity... to control how their own names and likenesses are used in the public domain, similar to how someone would own a copyright or patent... these mugshot websites may not publish such photos for the sole purpose of profiting off them, the lawsuit claims. The suit asserts that the websites' primary purpose for publishing these mugshot photos is so that those charged with a crime will pay money to remove their pictures."

The credit reporting industry is catching some most-deserved criticism about high error rates in credit reports. Plus, a couple federal laws govern and dictate a consistent process for consumers to report and challenge errors in credit reports. Accuracy seems important for the mugshot industry. HB 677 is a good start, but that is only one state. Issues with the mugshot industry are likely to continue until consumers pressure their elected officials for improved laws that better balance the privacy rights of consumers with the publishing rights of mugshot websites.

Watch the ABC News/Nightline report. And, learn more about the class-action lawsuit in Ohio.

What do you think of the mugshot industry? If you have been affected by, or paid a take-down fee to a mugshot website, what was your experience?

Asurion Expands Service Offering With Malware Protection For Smart Phones

Asurion, a provider of mobile device insurance services, announced yesterday that it will provide Walmart MobileCarePlus customers with free Asurion Mobile Security software. The Asurion security software is available in the respective app stores for Android and Blackberry smart phone users. According to the announcement:

"The Asurion Mobile Security solution regularly scans messages, pictures, installed applications and files on a customer's phone to identify and eliminate the latest viruses and malware, many of which can access private information and harm the mobile device itself. Safe browsing alerts users before visiting web sites which may compromise their phone's security and in the event a protected phone is misplaced, locate features can trigger an audible alarm, making recovery much easier... During the last two years, 48 percent of high school and college age students required a replacement device due to loss or damage."

For lost or stolen smart phones, the security service also includes a remote wipe feature to prevent thieves from accessing sensitive data and contacts on your smart phone.

This blog has warned mobile device users to add anti-malware software to their devices. Security software is available from a variety of vendors. If you are considering insurance for your mobile device, then read this first to help decide what's best for you.

Michaels Stores Provide Policies And Class Action Notice On Sales Receipts

My wife and many of her friends like to quilt. They regularly visit retail stores and quilt shops for quilting supplies. This past weekend, my wife visited a Michaels store in Massachusetts. After paying (with cash) for her purchases, she received the following sales receipt:

The sales receipt mentions the store's coupon, exchanges, and returns policies, plus a recent class action lawsuit. The Michaels sales receipt says:

"Dear Valued Customer:

Our coupon policy is to accept one coupon per customer per day. Certain exclusions apply. Please review the exclusion on the coupon and speak with the manager on duty for any questions you may have. Thank You.

To return or exchange an item, customer is required to present a valid photo ID that will be swiped/recorded at the time of the return or exchange for return authorization purposes only. Receipt required within 60 days for refund on most products. Alternate rules apply to books, magazines, and technology and custom products. Returns without receipt will receive Store Return Card. Refunded amount will be the lowest sales price of the item within the last 90 days. Return polices are available at Michaels.com and in store."

One coupon per customer per day? That sounds very stingy and customer unfriendly, as if the store really doesn't want to accept any coupons. And, why use the sales receipt to deliver policy information? This seems customer unfriendly. I've seen promotions and contest information on sales receipts, but not detailed policy information. Simply, print the complete information on regular 8.5 x 11 inch sized paper which is more legible; and insert in each customer's bag. Plus, some customers prefer or require large-print notices.

If you compare the returns/exchanges language on the sales receipt to the store's online Return Policy for US residents (there is a separate Return Policy for Canadian residents), you will find that the online policy has additional language. Customers should not assume that the sales receipt mentions the entire return policy.

More importantly, I want to know why Michaels' return/exchange policy requires the scanning and retention of consumers' identification documents (e.g., driver's licenses, state-issued ID's, passports, and military ID's) even when customers have a receipt. This seems customer unfriendly. When a store requires a document like a driver's license to process a return or exchange, the store collects everything on that document: your address, Driver ID number, height, weight, hair and eye color, and birth date.

Does Michaels really need all of this information (e.g., my weight, eye and hair color) to process a return with a valid receipt? This data collection is legal when performed for fraud prevention. There seems to be nothing stopping retailers from using the data collected for other purposes, such as data mining and marketing.

If a consumer has a receipt, that should be all that is necessary. I did some brief checking and at least one' competitor, Jo-Ann Fabric & Craft Stores, does not require IDs for in-store product returns. Smaller local and mom-and-pop fabric/crafts stores probably have more customer-friendly policies, too.

The sales receipt does not mention a privacy policy. It should, since Michaels does have a privacy policy online at its website, with specific additions for residents of California, Nevada, Vermont, and Canada. However, that online privacy policy does not seem to mention its data retention and sharing polices with ID information collected via returns or exchanges.

Given its return/exchange policy, I want to know how long Michaels retains ID information and what other companies (by name) it shares that ID information with -- items a privacy policy typically state. Without a statement in its privacy policy, a retailer can do anything with that data collected. This ID information is very sensitive data. Customers need to know how long a store retains this information and who it is shared with. Otherwise, consumers cannot make an informed choice.

The sales receipt also says (links enabled):

"Michaels Data Breach Class Action (for more information, please go to www.michaelsdatasettlement.com)

Michaels has settled a lawsuit that allowed certain of its customer suffered damages as a result of a data breach at selected Michaels stores between January 1, 2011 and May 12, 2011. Michaels denies all of the claims."

Unfortunately, that last sentence is vague. It refers to claims alleged in the lawsuit and not claims submitted by data breach victims seeking reimbursement for damages. In May 2011, Michaels stores warned customers in Illinois, New Jersey, California, and 15 other states about the data breach. Criminals had reportedly tampered with in-store PIN pads in checkout lines (e.g., skimming) to steal debit and credit card data. Reportedly, 90 PIN pads were initially affected, but the retail chain later replaced about 7,200 PIN pads. About 94,000 consumer accounts were affected.

Browse the list of Michaels stores (Adobe PDF) affected by the data breach. The list included several stores in Massachusetts in Braintree, Burlington, Danvers, Everett, and Hanover. Customers can also visit the Consumer Notices page at the Michaels.com.

Skimming is a worldwide identity theft and fraud problem. Besides supermarkets and retail stores, criminals target bank ATM machines, gas station pumps, and contact-less (e.g., RFID) payment methods. Several states, including California and Washington, have already banned RFID skimming. Stolen debit card and PIN data gives thieves direct access to consumers' checking bank accounts.

The sales receipt also says:

"You are included in the class if you shopped in this Michaels store or in other selected Michaels stores during that period and your Payment Card was swiped on a PIN Pad terminal from which credit or debit card information was stolen. A complete list of affected Michaels stores can be found at www.michaelsdatasettlement.com. Customers whose credit or debit card information was stolen may receive monetary payment for documented unreimbursed monetary damages and/or credit monitoring services. To request such relief, you must submit a claim postmarked by May 25, 2013.

Unless you exclude yourself from the class by March 5, 2013, you will give up the right to ever sue Michaels about the legal claims the settlement resolves. If you stay in the class, you may object to the settlement by March 5, 2013.

The Court will hold a hearing on April 4, 2013, to consider whether to approve the settlement and payment of attorneys' fees and expenses. You may ask to appear and speak at the hearing."

The settlement agreement includes a $600,000 payment by Michaels stores, which could increase to $800,000 depending upon the volume of claims and reimbursements. If the entire $600,000 is not used, then the remainder will be donated to the Starlight Childrens Foundation, which works with seriously ill children.

I'm glad that my wife paid with cash. I hope that she buys her quilting supplies elsewhere in the future, and doesn't have to return or exchange any of her purchases made at Michaels stores.

Google Shares Personal Data Of App Purchasers With App Developers

Over at his Internet Hughbox blog, Dan Nolan raised a startling and huge privacy issue for Google Play users. After developing an Android app, Nolan found that Google had shared with him the sensitive personal information of purchasers of his app:

"I jumped over to the ‘merchant account’ section to see the orders and realised one absolutely insane thing. If you bought the app on Google Play (even if you cancelled the order) I have your email address, your suburb, and in many instances your full name. Each Google Play order is treated as a Google wallet transaction and as such software developers get all of the information (sans exact address) for an order of an app that they would get from the order of something physical."

While the personal data shared includes a flag whether or not the consumers wants to receive marketing offers via email, Nolan wonders how many app developers will comply with that. The implications of this detailed data sharing:

"... I could track down and harass users who left negative reviews or refunded the app purchase... This is a massive oversight by Google. Under no circumstances should I be able to get the information of the people who are buying my apps unless they opt into it..."

Google Play is a cloud-based service offering. According to the MediaPost blog:

"... the data-sharing was intentional. Google designed its platform so that people who purchase apps do so from the developer. That model differs from the iTunes platform, where people purchase apps from Apple."

And, the Chicago Tribune reported:

"... Joel Reidenberg, Director of the Center on Law and Information Policy at Fordham University School of Law, said Google and other online and mobile services needed to be more transparent about what personal information was being shared with third-party firms."

Well said Mr. Nolan. Users should always be in control, with programs asking users to opt-in. Too many websites do the opposite: automatically include users and force users to opt-out.

Some app developers may use this personal information responsibly to provide product support and service, while others may not. Already, there are problems with consumers getting harassed about negative reviews posted online. Some physicians already try to stifle online discussion by forcing their patients to sign a "Mutual Agreement To Maintain Privacy" contract, which prohibits patients from posting negative comments on social networking websites.

Positive and negative reviews are part of a healthy, functioning marketplace, that helps users make informed choices. A 2011 survey found that 89% of consumers said they found online reviews trustworthy.

For Consumers Who Believe Their Apple Products Are Immune From Malware

Finally, somebody has said it loud and clear. As part of its 2013 predictions about identity theft and fraud, the ProtectMyID blog stated:

"As Apple products have become a growing part of the electronic market, cybercriminals have taken aim at the brand. They have developed malware specific to Apple Products and have taken advantage of the fact that everyone believes their Apple product is immune. In 2013, we suspect these attacks will continue to grow and soon the Apple App Store will be as seedy as that of its competitors."

Want to learn about more threats to your privacy? Read:

• Trouble In Smart Phone Land
• Lawsuit Claims Instagram Performed Data Collection, Retention, And Tracking Via Its Mobile App Without Notice Or Users Consent
• Publishers Consider Ways To Further Use Data Collected By E-Readers

Most Trusted Companies For Privacy Study

Recently, the Ponemon Institute released the results of its annual study of the companies consumers trust the most to maintain their privacy. The study asked consumers to name and rate the companies they trust the most to protect their personal information. Key findings from the study:

"New entrants to this year’s top 20 most trusted list includes: Microsoft (ranked 17), United Healthcare (ranked 18) and Mozilla (ranked 20). Healthcare, consumer products, and banking are the industry segments considered by consumers to be the most trusted for privacy (among 25 industry categories). In contrast, Internet and social media, non-profits (charities) and toys are viewed as the least trusted for privacy."

The only government organization in the top 20 is the U.S. Postal Service (#5). Some noteworthy findings about consumers' habits:

"78% of respondents continue to perceive privacy and the protection of their personal information as very important or important to the overall trust equation... 63% of respondents admit to sharing their sensitive personal information with an organization they did not know or trust... 59% percent of respondents believe their privacy rights are diminished or undermined by disruptive technologies such as social media, smart mobile devices and geo-tracking tools. 55% say their privacy has been diminished by virtue of perceived government intrusions."

These findings should be a wake-up call to companies operating within the Internet industries, namely app developers and social networking website operators. About data breaches:

"49% of respondents recall receiving one or more data breach notifications in the past 24 months. 70% of these individuals said this notification caused a loss of trust in the privacy practices of the organization reporting the incident."

About consumers' expectations of data security (bold emphasis added):

"73% of respondents believe the substantial security protections over their personal information is the most important privacy feature to advancing a trusted relationship with business or government organizations. Other important privacy features include: no data sharing without consent (59%), the ability to be forgotten (56%) and the option to revoke consent (55%)."

Companies and their lobbyists would be wise to comply with these findings about important privacy features. Some troubling findings from the Ponemon study:

"Only 35% of respondents believe they have control over their personal information and this result has steadily trended downward over seven years. Less than one-third (32%) of respondents admit they do not rely on privacy policies or trust seal programs when judging the privacy practices of organizations they deal with. When asked why, 60 percent believe these policies are too long or contain too much legalese."

Study respondents said that the most significant threats to their privacy were:

• 61% - Identity theft
• 56% - government surveillance
• 42% - notice of data breaches
• 40% - violations of civil liberties
• 36% - annoying background chatter
• 32% - spam
• 30% - employer intrusions
• 28% - stalking
• 23% - annoying advertising
• 19% - children abuses

Ponemon has conducted this study for the past seven years, and noted that the importance of privacy by respondents has increased during this time. The study, conducted during October through December 2012, included responses from 6,704 adults in the United States. About 217 companies were named by respondents from 25 industries. 47% of respondents were male. The average age of all respondents was 34.6 years, with an average income of $55,900. The study defined "personal information" as:

"Information about yourself and your family. This information includes name, address, telephone numbers, e-mail address, Social Security number, other personal identification numbers, access codes, age, gender, income and tax information, purchases, website preferences, health information, account activity and many other pieces of data about you and your household."

Maybe the next study will include photographs, video, and other items posted on social networking websites.

The top 20 most trusted companies from the 2012 study:

1. American Express
2. Hewlett Packard
3. Amazon
4. IBM
5. US Postal Service
6. Procter & Gamble
7. USAA
8. Nationwide
9. eBay
10. Intuit
11. Verizon
12. (Tie) Johnson & Johnson and FedEx
13. 13. WebMD
14. Weight Watchers
15. U.S. Bank
16. Disney
17. Microsoft
18. (Tie) United Healthcare and VISA
19. AT&T
20. Mozilla

I was surprised that respondents ranked the banking industry so favorably. Companies I noticed that did not make the top 20 list: Apple and Google. I suspect that the perception of "children abuses" as a privacy threat will increase in the future.

Download the Ponemon report, "2012 Most Trusted Companies For Privacy" (Adobe PDF).

17 Privacy Groups Tell US To Stop Lobbying The European Union As It Considers Stronger Privacy Protections For Consumers

Yesterday, about 18 privacy advocacy groups sent a letter to U.S. Government officials which asked for a meeting and requested assurances that the U.S. not hinder new consumer privacy protections being considered by the Europe Union. The group believes that both the U.S. and Europe need to update and modernize their privacy protections for consumers.

The letter, addressed to the U.S. Attorney General, the Secretary of State, the Acting Secretary of Commerce, and two ambassadors who oversee trade with Europe, was signed by the ACLU, the Center For Digital Democracy, the Electronic Privacy Information Center (EPIC), the Patient Privacy Rights Foundation (PPR), the Privacy Rights Clearinghouse, and a dozen other advocacy organizations. The letter (Adobe PDF, 67k bytes) stated:

"Users around the world are experiencing increases in identity theft, security breaches, government surveillance, and secretive, discriminatory profiling. Users find that personal information given for one purpose is often used for another purpose, often without their knowledge or consent. Our personal data -­‐ our privacy -­‐ is being abused by both the commercial sector and governments... Europeans are working together to update and modernize their framework for privacy protection... There are many important, innovative proposals, as well as the recognition that the process of data protection can be simplified to the benefit of all. Europe is considering both an overarching Data Protection Regulation and a Directive on Law Enforcement..."

After a meeting in Brussels with several of the privacy groups, European Parliament members expressed concerns:

"... that both the US Government and US industry are mounting an unprecedented lobbying campaign to limit the protections that European law would provide... They were concerned about the absence of safeguards for personal data stored in the Cloud..."

The Telegraph reported in February 2012 about the intensive lobbyingby U.S. companies. Reportedly, U.S. lobbyists represent several tech companies including Google, Facebook, and Apple. Earlier this month, a leading privacy expert warned citizens in Europe not to use U.S.-based cloud services due to privacy and spying concerns with the FISA Amendments Act of 2008.

As I see it, the privacy letter accurately described the threats to consumers' information and privacy. This blog has reported about numerous instances of corporate data breaches, mobile apps that collected consumers' sensitive data without notice nor consent, developers that fail to provide privacy policies with their mobile apps, app developers that failed to provide privacy notices for parents about apps for their children, secret tracking of online users, software foisted on users without notice during maintenance updates, and a variety of technologies (e.g., Zombie HTTP cookies, Flash cookies, Zombie E-tags, behavioral exchanges, deep packet inspection, e-readers) used by a variety of companies to snoop and track users' online habits often without notice and consent.

More recently, a company has allegedly collected, stored, shared, and manipulated the metadata associated with photos and videos shared at social networking websites. Data privacy laws clearly have not kept pace with Internet and digital technologies.

The group's letter stated several principles in the proposed EU laws that should guide privacy efforts in both the U.S. and Europe:

"... (1) individual control over the collection and use of personal data; (2) transparency; (3) respect for the context in which data is collected; (4) security; (5) access and correction rights for consumers; (6) data limitation; and (7) accountability... These principles reflect many of the same goals contained in the European privacy initiative. But the key is that these principles must be given legal force..."

A copy of the letter is also available here (Adobe PDF, 67k bytes). Visit the CPDP website to learn more about the meeting held in Brussels last month.

What You Post Online Could Be Used To Determine Your Mental State

Elizabeth Martin, a researches in the Psychological Science department at the University of Missouri recently completed a study of social networking usage. Martin concluded:

"Therapists could possibly use social media activity to create a more complete clinical picture of a patient... The beauty of social media activity as a tool in psychological diagnosis is that it removes some of the problems associated with patients’ self-reporting. For example, questionnaires often depend on a person’s memory, which may or may not be accurate. By asking patients to share their Facebook activity, we were able to see how they expressed themselves naturally. Even the parts of their Facebook activities that they chose to conceal exposed information about their psychological state.”

Martin had study participants -- about 200 college students -- print out their Facebook activity, and then:

"... correlated aspects of that activity with the degree to which those individuals exhibited schizotypy, a range of symptoms including social withdrawal to odd beliefs. Some study participants showed signs of the schizotypy condition known as social anhedonia, or the inability to experience pleasure from usually enjoyable activities, such as communicating and interacting with others. In the study, people with social anhedonia tended to have fewer friends on Facebook, communicated with friends less frequently and shared fewer photos."

According to Mashable:

"The idea for the study came through a conversation between Martin and the second author, Drew Bailey, who doesn't have a Facebook profile. A discussion arose about profile content and its correlation to psychology."

If therapists and psychologists believe that can tell a person's mental state from their posts on social networking websites, then it is appropriate to assume that other professionals (e.g., insurance, human resource professionals) will also want access to social networking profiles. In other words, some social networking websites may view this as a potnetial, new revenue stream. Credit reporting agencies already want access to consumers' social networking profiles to enhance credit decisions. And in some instances, courts have ruled that your social networking activity can be accessible during a lawsuit.

 

Path Inc. Settles With FTC For COPPA And Privacy Violations With Its Mobile Apps

This morning, the U.S. Federal Trade Commission (FTC) announced that it had reached a settlement with mobile app developer Path for COPPA and privacy violations where users' entire address books were uploaded and stored without notice nor consent. The terms of the settlement require Path Inc. to:

"... establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years. The company also will pay $800,000 to settle charges that it illegally collected personal information from children without their parents’ consent."

The Path mobile app enables consumers to create and share journals with up to 150 friends. The app also enables users to upload, store, and share photos, notes, songs they are listening to, and their geolocation. At registration, users share their gender, phone number, and date of birth. The lawsuit filed by the FTC (Adobe PDF, 918 kbytes) alleged that Path:

"Congress enacted COPPA in 1998 to protect the safety and privacy of children online by prohibiting the unauthorized or unnecessary collection of children's personal information online by operators of lnternet websites or online services... In version 2.0 of the Path App for iOS, regardless of whether the user elected to "Add Friends," Defendant automatically collected personal information from users' mobile device contacts (also known as the user's "address book") and stored the personal information on Defendant's servers. For each contact in the user's mobile device address book, Defendant automatically collected and stored the following personal information, if available: first name; last name; address; phone numbers; email addresses; Facebook username; Twitter username; and date of birth. The automatic collection and storage of personal information from the user's mobile device contacts occurred the first time the user launched version 2.0 of the Path App and, if the user signed out of the service, each time the user signed in again. This practice continued until February 8, 2012."

The complaint also alleged:

"From November 14, 2010, through May 4, 2012, Defendant accepted registrations from users who entered a date of birth indicating that the user was under the age of 13. As a result, Defendant knowingly collected email address, first name, last name, date of birth, and if provided, gender and phone number, from approximately 3,000 children under age 13... From November 29, 2011, through February 8, 2012, Defendant also knowingly collected from these children the following personal information for each contact in the child's mobile device address book, if available: first name, last name, address, phone numbers, email addresses, and date of birth... Defendant did not provide parents with a direct notice of its information practices prior to collecting, using, or disclosing children's personal information. Defendant did not obtain verifiable consent from parents prior to collecting, using, or disclosing children's personal information."

The FTC also alleged that Path’s privacy policy deceived consumers by claiming that it automatically collected only certain user information such as IP address, operating system, browser type, address of referring site, and site activity information. Kudos to the FTC for this settlement, although I wish the fine was far more.

However, Path Inc. faces other legal challenges including a class-action lawsuit about similar privacy violations. The class-action suit included more allegations that Path collected and shared more data with other companies, and tracked users with geo-tags.

To learn more, read about the COPPA Rule in the 2013 U.S. Federal Register (Adobe PDF, 590 kbytes).

DuckDuckGo: A Search Engine For Privacy

Last week, a reader suggested the DuckDuckGo.com search engine. Like most people, through the years I used a variety of search engines: first Yahoo, then Alta Vista, Google, and most recently Bing. DuckDuckGo has a very simple, easy-to-read privacy policy:

"DuckDuckGo does not collect or share personal information. That is our privacy policy in a nutshell..."

The DuckDuckGo privacy policy also explains why you should care about what other search engines do:

"... when you search for something private, you are sharing that private search not only with your search engine, but also with all the sites that you clicked on (for that search). In addition, when you visit any site, your computer automatically sends information about it to that site..."

Other search engines collect your search terms. And, the list of information your computer sends to them includes its operating system brand and version, screen size and resolution, your ISP, and your IP address. And that information may also be shared with affiliates or partner companies. DuckDuckGo.com doesn't do any of this.

ConsumerSearch lists the advantages and disadvantages of DuckDuckGo. In March 2012, PCWorld said:

"...[DuckDuckGo]t also doesn't track users: no personal information is collected, shared, or used to customize individual users' search results. So, anyone searching on a particular term in DuckDuckGo will get the same results... DuckDuckGo also offers benefits including the capability to use shortcuts to directly search many websites..."

And, there are DuckDuckGo mobile apps.

I ran several searches to see what DuckDuckGo retrieves. Its search results don't seem to missing any pages other search engines deliver. Besides the privacy benefits, I like the cleanness and lack of clutter at DuckDuckGo. A long time ago, the Google search engine used to be this way.

To learn more about DuckDuckGo.com, read about how it does not track your online usage. And, read this page about the Filter Bubble. Then, decide for yourself.

If you use DuckDuckGo, what's your opinion or experience with it?

Publishers Consider Ways To Further Use Data Collected By E-Readers

While listening to National Public Radio (NPR) in my car on Monday, I heard a very interesting report about how publishers are considering how to further use the data collected by e-readers (e.g., Amazon Kindle, Barnes & Noble Nook). Specifically, publishers are considering ways to use the data collected to give more detailed feedback to authors.

First some background for those who don't use e-readers, or who use them and haven't read the associated privacy policies. E-readers and e-books are increasing in popularity. Pew Research found:

"One-fifth of American adults (21%) report that they have read an e-book in the past year... 88% of those who read e-books in the past 12 months also read printed books... The average reader of e-books says she has read 24 books (the mean number) in the past 12 months, compared with an average of 15 books by a non-e-book consumer... 30% of those who read e-content say they now spend more time reading, and owners of tablets and e-book readers particularly stand out as reading more ... 72% of American adults had read a printed book and 11% listened to an audiobook in the previous year, compared with the 17% of adults who had read an e-book... E-book reading happens across an array of devices, including smartphones...."

About e-books and public libraries, Pew Research found:

"Some 12% of Americans ages 16 and older who read e-books say they have borrowed an e-book from a library in the past year... E-book borrowers say they read an average of 29 books in the past year, compared with 23 books for readers who do not borrow e-books from a library... more than three-quarters of the nation’s public libraries lend e-books... 58% of all library card holders say they do not know if their library provides e-book lending services... 46% of those who do not currently borrow e-books from libraries say they would be “very” or “somewhat” likely to borrow an e-reading device that came loaded with a book they wanted to read... 58% of Americans have a library card..."

Both surveys include plenty more results, but it is clear that consumers would read more e-books if they knew that their public library provided them. The benefits of e-readers are clear:

• Convenient: can carry with you several books without the heavy weight,
• Books don't take up shelf space in your home, and
• E-reader providers can learn your reading habits and recommend similar books.

In 2012, the EFF compared the privacy policies of various e-readers. The disadvantages:

• Loss of privacy: e-readers collect data about your reading habits and the online searches you performed to find e-books you want to read,
• Some e-readers collect and track the annotations consumers may make on an e-book text,
• The privacy policies of some e-readers are vague about exactly what data they collect (e.g., e-book purchases from other sources),
• Selection may be limited if your e-reader requires a certain format (e.g., AZW, ePub, PDF, RTF, etc.),
• Many books are not available in e-book format,
• Most e-readers share your readhing habits with other companies, while some offer opt-out capabilities.

The obvious data collected by e-readers includes the types (e.g., genre) of books downloaded onto your e-reader, when you downloaded e-books, the books read, and your reading patterns (e.g., the types/genres of books read). Other data collected, that you may not be aware of, includes how fast you read a book, which portions of the book you actually read, what e-book you immediately purchased next after completing a specific book (e.g., this probably applies to books in a series), and any annotations you made on the e-book text.

Some consumers may abandon an e-book after reading the first few chapters or a few pages. Some consumers may skip the introduction. Other consumers may read the last chapter first. For a given book, many consumers may skip a common chapter. For example, the Wall Street Journal reported that an average consumer read the third book in the "Hunger Games" series in about 7 hours, or 57 pages per hour.

Now, publishers and authors can know all of this. Publishers consider this data collected an opportunity to provide more feedback to authors. Thankfully, many authors will ignore this feedback and keep the creative process first (e.g., write what they intended regardless). But the data collection continues.

The e-readers with WiFi capabilities (e.g., Kindles, mobile devices, tablets) can combine geolocation data with your reading habits to determine where you read certain books. Whether or not this data collection bothers you is probably a personal choice.

If your reading habits include books about a certain medical condition, then you might be concerned about the loss of privacy. If your reading habits include topics to research a new business venture you have to keep secret until launch, then you might be concerned about the loss of privacy.

One way to think about e-readers: reading a book was historically something you did alone and in private. Not anymore. What's your opinion of e-readers and e-books?

Want to learn more? Try some of these:

• The Digital Reader
• EFF E-Reader Privacy Charts
• The Slippery Slope of eReader Privacy
• Your E-Book Is Reading You
• American Library Association Magazine: Digital Content

Microsoft Survey For Data Privacy Day 2013. What Internet Users Do To Protect Their Privacy

Today is Data Privacy Day, with celebrations in North America and Europe. To support this event, Microsoft released last week the results of a survey of Internet users about what consumers do to protect their privacy. I found some very interesting results:

• 45% of respondents said they have little or no control over the personal information companies collect about them while browsing the Web.
• 54% of respondents said they sometimes consider a company's privacy reputation, track record or policies when selecting which websites to visit.
• 32% of respondents said they always consider a company’s privacy reputation, track record and policies when selecting which websites to visit
• 24% of respondents said that they had little or not control over the personal information they share online
• Regarding website privacy, 39% said they consult a family member or friend about a website, 39% check a company's website privacy policy, 29% check the company's privacy policy, 21% check an industry or consumer organization, and 15% do nothing. More men do nothing (17%) than women (12%).
• The sources of privacy information respondents trust most are friends and family (33%), industry or consumers organizations (25%, a website's privacy statement (22%), a company's privacy statement (20%), government agencies (15%), and news media (10%). Younger adults are more likely to trust government agencies, while older adults are least likely (5%) to trust news sites.

In a blog post, Brendon Lynch, Microsoft's Chief Privacy Officer, said:

"... customers want and expect strong privacy protections to be built into our products, devices and services, and for companies to be responsible stewards of consumers’ data... People also need more information about their privacy options and help controlling their personal information online."

I agree with that. Consumers want and need more control over their sensitive personal information.

The survey included interviews of 1,015 adults aged 18 or older. The survey was conducted during November 2012 by Microsoft and Ipsos MediaCT. Some descriptive facts about the survey respondents:

• 51% were female
• Ages: 18 to 34 (31%), 35 to 54 (37%), and 55 or older (32%)
• Household income: below $50K (42%), and $50K or higher (58%)
• Education: high school or less (32%), some college (35%), college graduate (20%), and post graduate (13%)
• Employment: full-time (39%), part-time (11%), retired (17%), unemployed (11%), homemaker (9%), student (6%), and other (10%)

5 Online Privacy Tips To Keep You And Your Family Safe

Monday will be Data Privacy Day (DPD), with celebrations in North America and Europe to raise awareness and provide consumers with education about privacy. DPD was started in 2008. This year's theme is, "Respecting Privacy, Safeguarding Data and Enabling Trust." This year's events will be started with a privacy forum at the George Washington University Law School in Washington, DC. Federal Trade Commissioner Maureen Ohlhausen is the keynote speaker. More events are scheduled nationwide throughout February.

To support this event, Anchorfree and the National Cyber Security Alliance have developed together a list of tips for consumers to maintain their privacy when connected to the Internet via your smart phone, tablet, or laptop/desktop computer:

"1. Risky business - Make sure all family members understand the public nature of the Internet and its risks. Any digital information they share -- emails, photos or videos -- can easily be copied and pasted elsewhere, and is almost impossible to take back. Anything that could damage their reputation, friendships, wallet or future prospects should not be shared electronically."

A recent study found that 30 percent of teenage girls meet in person strangers they met online. So, it is critical for parents and families to practice safe habits while connected to the Internet and in the physical world. If you are a parent, grandparent, or guarding who plans to buy a smart phone for a child, then you definitely should read this contract one smart parent created to help her manage her teen's online usage.

2. Keep it hidden, keep it safe - Make sure all family members are careful about sharing sensitive information such as birth date, addresses, phone numbers, location, financial information, social security numbers, passwords and vacation plans. Most reputable online services have privacy settings. Teach your kids how to use them, too."

3. Browse intelligently - Avoid using sketchy, unfamiliar websites, and delete suspicious emails, particularly those that ask for unnecessary personal information or request that you download something. These may be malware or phishing sites out to steal your personal data.

There are several products available to automatically delete browser HTTP cookies and other files (e.g., Flash Cookies, and other LSO's = Locally Shared Objects) websites use to track you while connected to the Internet. This blog has reviewed some of them, including the MAXA Cookie Manager. I use the BetterPrivacy plugin with the Firefox browser.

The next item is critical because smart phones and tablets save a ton of metadata with each photograph or video you take. The metadata with your photos include a lot of descriptive information, including but not limited to a photo description (e.g., title, subject, tags, comments), author, date and time created, copyright information, image description (e.g., dimensions, resolution, color details, compression), camera description (e.g., make, model, F-stop, exposure, flash mode, zoom setting, lens maker, lens model, serial number, EXIF version), and file information (e.g., date created, date modified, file type, file name, size, attributes, owner, computer name). From photo metadata combined with your GPS location, a company can tell a lot about you, your purchases, your lifestyle, plus what you did/spent when and where.

That metadata gets uploaded to your favorite social networking website whenever you upload photos. Some social networking sites collect, save, and share all of that metadata. Others use some of it. So, consumers should:

4. Turn off geolocation - Many apps' permissions include backdoor location trackers that are constantly streaming your location. If you're not actively using your phone to navigate, turn them off. The FTC recently noted that many apps aimed at children are disclosing location; make sure your kids are following this rule of thumb as well."

The last tip cannot be over emphasized. Public WiFi hotspots are everywhere. If you expect to perform sensitive tasks (e.g., online banking, access/use sensitive documents from your employer) while connected to a public WiFi hotspot, you should:

5. Get behind a shield - Use a VPN such as Hotspot Shield, which will help identify malware sites and provide a secure, encrypted connection to the Internet for desktop or mobile devices, protecting your browsing from hackers and snoops. This is particularly important when using public Wi-Fi or other unknown networks."

AnchorFree produces Hotspot Shield. There are other brands available. Take a look at Get Cocoon and PrivateWiFi.

The National Cyber Security Alliance is a nonprofit organization formed to educate and empower consumers about Internet privacy. It collaborates with government, corporate, other non-profit and academic entities. NCSA board members include: ADP, AT&T, Bank of America, EMC Corporation, ESET, Facebook, Google, Intel, McAfee, Microsoft, PayPal, Science Applications International Corporation (SAIC), Symantec, Trend Micro, Verizon and Visa.

Some of those board members have a ways to go regarding privacy in their products or services. As a business consultant, I regularly use VPN software to remotely and securely access my clients' networks and servers. This blog post is not an endorsement of Hotspot Shield, since I have not used it.

What's your opinion of this list of tips? What VPN software do you use?