Top Three Cyber Security Tips

Ryan Collins, 36, of Lancaster, Pennsylvania, was sentenced on Thursday to 18 months in prison for his role in leaking private nude photos of celebrities he found by illegally accessing their Google and Apple accounts.

He is one of three men who has been convicted of leaking private celebrity photos, and is personally responsible for illegally accessing more than 100 accounts, prosecutors said. In total, the nude photo leak investigation included over 600 victims.


Between November 2012 and September 2014, Collins pulled off a carefully targeted cyber security attack known as spear phishing. He sent targeted emails to his victims purporting to be from Apple and Google that seemed legitimate and tricked his high-profile targets into handing over their usernames and passwords, according to the U.S. Attorney for the Central District of California.

Once Collins had a target’s username and password, he was able to access their private accounts, steal their photos and, in some instances, according to prosecutors, download full backups from iCloud.

Sometimes, even for celebrities, it is hard to tell if an email is legitimate or not.

Here are some key cyber security tips:

  1. If you receive a suspicious email from a place where you have an account, never click on any links inside of it. Instead, go to the specific service provider’s website and log in from there. You can also make a quick phone call. In any case, most companies will not ask for your username or password through an email.
  2. Once you get to the website, use different passwords for different accounts, and switch passwords often – for banks every three months at least. If you have different passwords and one account gets hacked, the other accounts should be OK.
  3. If you feel confident about opening a link in a non-business-related email – even if it appears to be from a friend – always hover over the link first to see where the link is going before clicking on it. Your friend’s email account may have been hacked.
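As an added example (not part of the original article), here is a small Python check that does what tip 3 describes: it compares each link’s visible text with its real destination and flags links that do not go to the domain the e-mail claims to come from. The e-mail body and the `example.net` host are constructed, and the domain helper is a deliberately crude approximation.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML e-mail."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host):
    """Crude last-two-labels approximation (no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def shown_host(text):
    """Hostname if the visible link text itself looks like a URL, else ''."""
    if text.startswith(("http://", "https://")):
        return urlparse(text).hostname or ""
    return text.split("/")[0] if text.startswith("www.") else ""


def suspicious_links(html, claimed_domains):
    """Flag links that leave the claimed sender's domain, or whose visible
    URL points somewhere other than the real href (the 'hover' check)."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        real = registered_domain(urlparse(href).hostname or "")
        shown = registered_domain(shown_host(text)) if shown_host(text) else ""
        if real not in claimed_domains:
            findings.append((text, href, "goes to %s, not the claimed sender" % real))
        elif shown and shown != real:
            findings.append((text, href, "shows %s but goes to %s" % (shown, real)))
    return findings


# Constructed sample modelled on the Apple/Google lures described above.
SAMPLE_EMAIL = """
<p>Your Apple ID was used to sign in. If this wasn't you, verify now:</p>
<a href="http://appleid-verify.example.net/login">https://appleid.apple.com/</a>
<p>Questions? Visit <a href="https://support.apple.com/">Apple Support</a>.</p>
"""
```

Running `suspicious_links(SAMPLE_EMAIL, {"apple.com"})` reports only the first link, whose visible text says apple.com while the href goes to example.net.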

You could fork out $14,000 or so for a military-grade-secure smartphone to help thwart hackers — but a little cyber security know-how will certainly cost a lot less. There are many, many more hackers just like Mr. Collins who haven’t been caught. Let’s do everything we can to keep them away from our personal, private information.


Special thanks to NBC News for their article on the subject.

What is PII?

With so much emphasis on the security of our personal data lately, with Pokemon Go being the latest culprit (see article here), personally identifiable information (PII) is something we all should understand.

PII is any data that could potentially distinguish one person from another; data that can be used to de-anonymize anonymous data can also be considered PII. To be sure, this article isn’t talking about the pie you eat or the one associated with mathematical equations.

NIST Special Publication 800-122 defines PII as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.” So, for example, a user’s IP address is not classed as PII on its own, but it is classified as linked PII (see Section 3.3.3 under “Identifiability” for more detail). See also the ruling in which a federal judge in the District of New Jersey dismissed on the pleadings a VPPA claim against Viacom, on the grounds that device identifiers, cookie IDs, and IP addresses, when linked to video titles, are not personally identifiable information.

The concept of PII has become prevalent as information technology and the internet have made it easier to collect PII through breaches of online, network and web browser security, leading to a profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to aid in the planning of criminal acts. In hacker slang, the practice of finding and releasing such information is called “doxing”. It is sometimes used to deter collaboration with law enforcement. On occasion, doxing can trigger an arrest, particularly if law enforcement agencies suspect that the “doxed” individual may panic and disappear. To protect your site from hackers, we suggest that you monitor the security of your site with industry leader Trust Guard. In response to these threats, many website privacy policies specifically address the gathering of PII, and lawmakers have enacted a series of laws to limit the distribution and accessibility of PII.

However, PII is a legal concept, not a technical concept. Because of the versatility and power of modern re-identification algorithms, the absence of PII data does not mean that the remaining data does not identify individuals. While some attributes may be uniquely identifying on their own, any attribute can be identifying in combination with others. These attributes have been referred to as quasi-identifiers or pseudo-identifiers.

The following data, often used for the express purpose of distinguishing individual identity, clearly qualify as PII under the definition used by the National Institute of Standards and Technology.


  • Full name (if not common)
  • Home address
  • Email address (if private from an association/club membership, etc.)
  • National identification number
  • Passport number
  • IP address (when linked, but not PII by itself in US)
  • Vehicle registration plate number
  • Driver’s license number
  • Face, fingerprints, or handwriting
  • Credit card numbers
  • Digital identity
  • Date of birth
  • Birthplace
  • Genetic information
  • Telephone number
  • Login name, screen name, nickname, or handle

The following are less often used to distinguish individual identity because they are traits shared by many people. However, they are potentially PII, because they may be combined with other personal information to identify an individual.

  • First or last name, if common
  • Country, state, zip code or city of residence
  • Age, especially if non-specific
  • Gender
  • Name of the school they attend or workplace
  • Grades, salary, or job position
  • Criminal record
  • Web cookie

When a person wishes to remain anonymous, descriptions of them will often employ several of the above, such as “a 34-year-old white male who works at Target”. Note that information can still be private, in the sense that a person may not wish for it to become publicly known, without being personally identifiable. Moreover, sometimes multiple pieces of information, none sufficient by itself to uniquely identify an individual, may uniquely identify a person when combined; this is one reason that multiple pieces of evidence are usually presented at criminal trials. It has been shown that, in 1990, 87% of the population of the United States could be uniquely identified by gender, ZIP code, and full date of birth.
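An added example, not from the original article, showing the quasi-identifier effect in Python on a constructed six-record table (the ZIP codes, birth dates and diagnoses are made up): with names already removed, gender, ZIP and full date of birth still single out every record, and only generalizing those columns (3-digit ZIP prefix, birth year) raises the smallest indistinguishable group above one.

```python
from collections import Counter

# Constructed records: names already removed, as in a "de-identified" release.
RECORDS = [
    {"gender": "F", "zip": "02138", "dob": "1971-07-09", "diagnosis": "asthma"},
    {"gender": "F", "zip": "02139", "dob": "1971-03-22", "diagnosis": "flu"},
    {"gender": "M", "zip": "02138", "dob": "1965-11-30", "diagnosis": "diabetes"},
    {"gender": "M", "zip": "02141", "dob": "1965-02-14", "diagnosis": "flu"},
    {"gender": "F", "zip": "02142", "dob": "1971-07-09", "diagnosis": "migraine"},
    {"gender": "M", "zip": "02139", "dob": "1965-11-30", "diagnosis": "asthma"},
]
QUASI_IDS = ("gender", "zip", "dob")  # the three attributes behind the 87% figure


def key(record, quasi_ids):
    """The combination of quasi-identifier values for one record."""
    return tuple(record[c] for c in quasi_ids)


def class_sizes(records, quasi_ids):
    """How many records share each combination of quasi-identifier values."""
    return Counter(key(r, quasi_ids) for r in records)


def fraction_unique(records, quasi_ids):
    """Share of records whose combination occurs only once, i.e. records
    that the quasi-identifiers alone single out."""
    sizes = class_sizes(records, quasi_ids)
    return sum(sizes[key(r, quasi_ids)] == 1 for r in records) / len(records)


def k_anonymity(records, quasi_ids):
    """Smallest group size: every record is indistinguishable from k-1 others."""
    return min(class_sizes(records, quasi_ids).values())


def generalize(records):
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix and birth year only."""
    return [dict(r, zip=r["zip"][:3], dob=r["dob"][:4]) for r in records]


if __name__ == "__main__":
    coarse = generalize(RECORDS)
    print("exact:       unique=%.0f%% k=%d" % (100 * fraction_unique(RECORDS, QUASI_IDS),
                                               k_anonymity(RECORDS, QUASI_IDS)))
    print("generalized: unique=%.0f%% k=%d" % (100 * fraction_unique(coarse, QUASI_IDS),
                                               k_anonymity(coarse, QUASI_IDS)))
```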

FTC Report Says App Developers Need Privacy Policies

Take a look at some interesting data from the Federal Trade Commission on the need for app developers to provide their users with privacy policies:

A June 2012 study of 150 of the most popular app developers across three leading platforms – Apple’s iTunes app store, Google’s Play app store, and Amazon’s Kindle Fire app store – reveals how much more work needs to take place. See Future of Privacy Forum, FPF Mobile Apps Study (June 2012). For example, the study found that only 28% of paid apps and 48% of free apps available in Apple’s iTunes app store included a privacy policy or link to a privacy policy on the app promotion page.

The top apps in Google’s Play store fared even worse. There, only 12% of paid apps and 20% of free apps examined provided access to a privacy policy through the app store. The Commission staff’s kids app reports reached similar conclusions, noting the paucity of information provided to parents before they or their children downloaded popular children’s apps. See FTC Staff, Mobile Apps for Kids: Current Privacy Disclosures are Disappointing, supra note 28, at 1; FTC Staff, Mobile Apps for Kids: Disclosures Still Not Making the Grade, supra note 33, at 4-6. Oddly enough, free privacy policies that comply with all the rules from the FTC, Google Play, Apple and others are available online.

To address this problem, the California Attorney General recently sent warning letters to 100 app developers notifying them that they are not in compliance with California law, which requires the posting of a privacy policy. The developers were given thirty days to conspicuously post a privacy policy within their app that informs users of what personally identifiable information about them is being collected and what will be done with that private information. See Press Release, Office of the Attorney General of California, Attorney General Kamala D. Harris Notifies Mobile App Developers of Non-Compliance with California Privacy Law (Oct. 30, 2012). In addition, the California AG has sued Delta Airlines, one of the recipients of the warning letter.

So if you want to start causing problems with California, the FTC, Google Play, Apple and your potential and current customers, don’t worry about providing a privacy policy. For the rest of you app developers who want to stay in business for a while, contact freeprivacypolicy.com for a free, zero-obligation privacy policy. 

Most of this information from this article is found in the Federal Trade Commission’s 2013 Report on Privacy Policies that you can read here.

Mobile App Developers Need Privacy Policies Too

For most app developers, privacy policies are usually an afterthought in the mobile app development process.

App developers usually end up creating it after the app’s design and development are done. This legal safeguarding may seem like a last-minute addition that doesn’t merit much thought, but it may be the most important component of your entire business.

Privacy policies are not all alike, and there are numerous ways that a missing clause, or a mismatch between your legal documents and your app itself, can cause catastrophic problems. Quite a few ubiquitous and successful mobile apps have run into massive legal headaches and astronomical fines due to flaws in their privacy policy and a failure to integrate and unify their legal protection with the “private parts” of their app architecture.

In 2013, social app Path was fined nearly 1 million dollars by the FTC (Federal Trade Commission) for privacy violations. The $800,000 penalty stemmed from two lethal mistakes made by the app:

  1. Storing third-party names and numbers from their users’ address books without proper disclosure;
  2. Failing to comply with the provisions of COPPA, a law that applies to every app that knowingly collects information from children.

This means that if you extract phone contacts from your users, not only must you notify them, you must also explain within the app’s privacy policy how and why the information is used. If you collect users’ birth dates, you can likely figure out whether children are using your app and do something about it. You essentially have two legal avenues: comply with COPPA, or make sure users represent that they’re over 13 years old.

But there’s more. The FTC published a long document with recommendations for app developers, and even platform-specific advice for big platforms like Android and iOS. The FTC wants app developers to use a (relatively) new approach called Privacy by Design: companies should build in privacy at every stage of developing their products. This means a number of things:

  • Before building an app or a feature, think of the privacy implications;
  • If you collect information, protect it. Follow the security recommendations of the FTC (with special attention to the third-party software you used) and be careful not to over-promise or make generic reassuring statements;
  • Keep your policy updated! Every time you roll out a new update to the app store, stop for a second and think if you added something that has an impact on your privacy statements. Added a new analytic script? It should go in there. Added “find friends via Facebook”? Go and edit your privacy policy.

There are known best practices—some of them coming from the California Attorney General—to give you some legal protection and prevent problems, privacy breaches, and lawsuits. But this is what the FTC actually says that developers should do.

You must have a privacy policy and it must be accessible from the app store.

The simple way to accomplish this is to link the policy when you submit the app. But this means the privacy policy should live on your website, and although what I have to say now is another article altogether, you must keep the site that’s hosting your privacy policy free from hackers. PCI Compliant Vulnerability Scanning can help you with that. You could also provide the full text of the policy within the app, or a short statement describing the app’s privacy practices. Need a privacy policy from scratch? There are many online options, including Professional Privacy Policy.com.

You should provide “just-in-time” disclosures and obtain affirmative express consent when collecting sensitive information from outside the platform’s API. You already know that iOS pops up a notification that a certain app is requesting access to the user’s location or other private data. In this case, the disclosure and the consent are taken care of by Apple. But your app may also collect other important data, and a pop-up notification is the best way to make sure the users know. The FTC names financial, health, or children’s data, but also a generic “sharing sensitive data with third parties”, as sensitive private information, so it’s best to err on the side of caution.

Know the legal implications of the code you’re using.

It’s normal for app developers to use third-party packages, but you should make sure this code is secure and fully understand exactly what information it pulls, because you’re ultimately legally responsible for it. There’s a long list of questions to ask yourself, including:

  • Does this library or SDK have known security vulnerabilities?
  • Has it been tested in real-world settings?
  • Have other developers reported problems?

While Path’s $800K fine was in connection with COPPA violations, it’s the start of broader policing of privacy practices, even against non-American developers. If you cater to the American mobile market, you can still be fined by U.S. authorities. It’s time for app developers to get a properly written, constantly curated privacy policy. The FTC is encouraging the adoption of public standards and suggests tighter integration among app developers, trade associations, ad networks, and mobile platforms, so this is definitely a topic to keep on your radar. You wouldn’t want a legal problem to cripple your app right as it’s starting to soar.

Special Thanks to Veronica Picciafuoco and her article on SitePoint.com.

Need Customers? Get a Privacy Safe Seal!

Need More Customers? Consider getting a Privacy Safe Trust Seal!

If you have done an adequate job of getting people to visit your website, and you’ve kept it safe and away from hackers, now it’s time to get those visitors to do what you want them to do! Whether you are selling frisbees, fans, forklifts, fabric, felines, Ferraris or fax machines, you are probably in business to make money. And the more people you can get to buy what you’re selling, the more money you will make.

It might not be about traffic anymore; it might be more about conversions. And why do people leave your check-out page and go somewhere else to do their shopping? Because they don’t know you, and they are afraid that you might do something with the personal information you are requesting from them. They’re afraid you’ll sell it or lose it, or that a hacker will come along and steal their identity.

Having a trust seal like Trust Guard’s Privacy Safe seal will put your online visitors at ease. It will resolve their concerns about what might happen to their confidential information. When people feel comfortable with you – when they trust you – more of them will buy from you. With a privacy safe seal you’ll get more customers and make more money. That’s true for foreigners and farmers and everyone in between. So don’t be a fool, give privacy seals a try!

Need More Customers? Give Your Visitors Peace of Mind!

Face it. Online consumers (your potential customers) are afraid to buy from sites they don’t know.

If potential customers think your business might be a scam, preying on their need to get quality products at reasonable prices, they will leave as quickly as they arrived. And just as important as seeing that your website is secure is seeing that you will protect their privacy.

That’s where Free Privacy Policy comes in. Smart business owners show their visitors as quickly as possible that they are a business that cares about their visitors’ security and privacy. The website FreePrivacyPolicy.com gives business owners the opportunity to fill out a form that automatically creates a privacy policy for free! All users of this service need to do is copy and paste the personalized privacy policy onto their website.

Once your privacy policy is loaded, the next item of business is telling your visitors that you care about their privacy. This you can do by putting a link to your privacy policy in the header and/or footer of your website. You can also write a blog, press release or share links socially that take people straight to your policy. Writing content above the fold or at least on the front page or sidebar that says “We care about your privacy” with a link to your policy could also help increase your conversion rate and length of time visitors stay on your site.

The best way to show off your concern for keeping your visitors’ information secure and confidential is through a privacy safe seal like the ones provided by Trust Guard. These images can be placed at strategic locations – like on your check-out page, right below the “Order Now” button – for visitors to see right before they make their final decision to buy or not to buy from you. They are extremely effective, very inexpensive, and usually come with a no-questions-asked 100% guarantee. Tons of tests have proven time and time again that conversion rates rise significantly when security and privacy seals like this are used appropriately. It just makes sense: when people see that you care, more of them will buy from you!

So go get your free privacy policy, then display your Privacy Safe Seal on your website, get more customers, and start increasing your online sales today.