Social media has come a long way in a short space of time. In a little over a decade, it’s grown from being the preserve of a relatively small group of online enthusiasts to one of the defining trends of 21st century life. As the undisputed global leader in this field, Facebook now boasts nearly 1.7 billion daily active users.
Not only do we share personal and global news, photos and videos with each other every day on the site, we also log in to our favorite third-party websites and apps via Facebook to shop, chat, play games and much more. In short, social media makes life more fun, more social, and more connected.
But at the same time, our digital lives have become more complicated. Sometimes we share without realizing the significance of the data we’re showing others — including strangers, trolls and maybe even fraudsters. Sometimes we sign up for third-party apps and services that take advantage of small-print agreements to sell our data on to others — possibly for uses we did not want. And often, the websites we visit independently of Facebook send data on our browsing behavior back to the social network without our knowledge.
Some of us view this kind of tracking as the price we pay for free internet services, and welcome the improved personalization it enables. But others may feel creeped out that their family’s every click and swipe is being silently monitored, logged, and shared.
Time for action
The good news is that Facebook has been listening (to some extent!) to regulators and consumers, and has started the new year by offering users more tools to shine a light on where and how their data is being used, and how they can protect their privacy. But we’re talking here about a platform that has been growing non-stop for the past 15 years. Complexity is everywhere, and it’s not always easy to find the tools you need to enhance your privacy on the site.
That’s why we’ve put together this short guide. It’ll teach you where your privacy is most at risk on Facebook, and what you can do to manage these risks, including an assist by Trend Micro’s own Privacy Scanner tool.
Why should I be worried?
Although social media offers much to enrich and improve our lives, there are multiple levels of privacy risk involved in using it. For many of us, the stakes have risen almost silently in the background over the past few years. We can split these into three basic areas:
Oversharing: At a very basic level Facebook allows you to share news, pictures, stories and more with the world. But would you want your boss, prospective employer, law enforcement, credit agencies and other users to see every little thing about you? Yes, they increasingly use Facebook as a source of intelligence gathering, so you may want to limit who can view your information to just those in your friendship network.
Among the most prodigious collectors and monetizers of our private data are cyber-criminals. A Facebook account is a trove of sensitive personal information: everything from email addresses and phone numbers to partners and political preferences. It could all be leveraged to commit identity fraud or craft convincing phishing emails which trick you into giving away even more details. Something as innocuous as a photo of a family pet could provide hackers with some useful intel for guessing your online passwords. Or what about a real-time update from the beach? It might be all an opportunistic burglar needs to raid your home.
Third-party apps and websites: One of the most controversial aspects of data collection and use on Facebook relates to partner sites and services. Often, users sign up for these apps without being fully aware of how their data will be used, or even what profile data the app is gaining permission to harvest. It was data on 87 million Facebook users and their friends, collected by a popular third-party personality test app, that ended up being sold to Cambridge Analytica. It was then controversially used to target US voters ahead of the last Presidential election.
Following a huge FTC fine, Facebook is now more rigorous in ensuring third-party developers comply with its privacy and data use policies. But some users may still balk at their private data being sold on to third parties.
Other Off-Facebook activity: Apps and websites that you log into with your Facebook ID technically count as “off-Facebook activity”: that is, stuff that happens outside of the social site. But there’s more. Did you know, for example, that Facebook collects data from a huge number of additional sites and apps that aren’t obviously connected to the platform?
It uses code embedded on these sites to track what you do there, in order to make advertising on Facebook more targeted and personalized. So accurate and covert is this technology that it has given rise to a conspiracy theory that Facebook is somehow listening in to its users’ phone calls. It’s not. Users simply don’t know that, when they visit many sites and apps on the web, those same sites are secretly sending data back to Facebook, which then serves up relevant ads. Just bought Season One of your favorite show on a streaming app? You may get an ad for Season Two when you next visit your Facebook account.
Some people may be fine with this trade-off: privacy for a more tailored user experience. But many others may not. It’s one thing monitoring what you bought off an e-commerce site, quite another to track who you swiped left on when you were last on a dating site.
How can I manage my privacy better?
Fortunately, Facebook provides tools to help you to manage your privacy. Let’s go through some of them, from the newest to the oldest.
Facebook has just released a way of checking which sites/apps track and send data on your web usage back to the social network, clearing your data sharing history with them, and disconnecting for the future.
There are some caveats. Disconnecting in this way will log you out of any apps/sites you used Facebook to log into. In addition, it will not stop Facebook serving you advertising — you’ll get the same number of ads, except these won’t be as personalized as before. Facebook will also continue to receive information about your interactions on various sites, but this will be anonymized.
Particular apps, games and websites
You can also directly edit the privacy and settings of particular apps, games and websites you’ve logged into with your Facebook account.
Basic privacy settings
Facebook has also overhauled its most basic privacy settings. Its Privacy Checkup tool features four distinct sections.
How Trend Micro can help
An easier option for managing your basic privacy on Facebook is the Trend Micro Privacy Scanner, which is available within Trend Micro Security on Windows and Mac, and within Mobile Security on Android and iOS. It automates the process of finding and fixing any potentially risky settings to keep your personal data safe from prying eyes.
It’s turned on by default in Trend Micro Internet and Maximum Security, as well as in Mobile Security.
Facebook is getting better at privacy, but its controls can be hard to find, and functionality is constantly being updated. That’s why we recommend a privacy audit every few months. Check in with your Facebook Privacy settings directly or via the Privacy Scanner to make sure you’re not leaking personal data. Privacy is subjective, but we’re all getting more critical about how big corporations use our data — and that’s not a bad thing.
The post How to Manage Your Privacy On and Off Facebook appeared first on .
A San Diego-based provider of affordable preschool disclosed that a data privacy incident might have affected some customers’ personal information. In a notice of data breach published on February 5, Educational Enrichment Systems, Inc. (EES) announced that it had suffered a security incident involving an employee’s email account: On August 30, 2019, EES became aware […]
The post Data Privacy Event Disclosed by Affordable Preschool Provider appeared first on The State of Security.
Businesses should be worried that Canadians increasingly don’t trust them to handle their personal data and information generated through online buying, according to a senior federal privacy official.
In an interview to mark the 14th annual International Data Privacy Day, deputy privacy commissioner Gregory Smolynec noted that surveys show 90 per cent of Canadian respondents say they are very concerned about their inability to protect their privacy.
“Very high numbers of Canadians believe businesses do not respect their privacy right,” he added. “This should raise concerns.”
The handful of countries that first observed January 28 as Data Privacy Day, to raise awareness among businesses, governments and consumers of data protection best practices, has grown to 50. Yet judging by the regular reports of data breaches, there hasn’t been much progress.
In November the Office of the Privacy Commissioner estimated the personal information of 28 million Canadians had been exposed in the first 12 months of mandatory federal data breach reporting.
In his annual report issued a month later, Privacy Commissioner Daniel Therrien repeated his plea for Ottawa to recognize privacy as a fundamental right in law.
The current law (the Personal Information Protection and Electronic Documents Act, also known as PIPEDA) and the Liberal government’s seeming unwillingness to consider giving his office much stronger enforcement power, “create an excellent incentive for companies not to take privacy seriously, change their practices only if forced to after years of litigation, and generally proceed without much concern for compliance with privacy laws,” said Therrien.
A recent Novipro-Leger survey of 496 IT and other officials from Canadian companies released this week found that not quite half the companies (48 per cent) had reviewed their data practices in 2019. Fewer than half of respondents believed their organizations were very well protected against data loss (46 per cent), data breaches (44 per cent), and viruses (45 per cent).
“Canadian businesses have been slow to tighten up their practices and are struggling to respond to the growing threat,” concluded the report. (Registration required)
On the other side, a recent survey released by data management provider Tealium showed half of U.S. consumer respondents don’t feel well informed about how businesses are using their data.
Asked if businesses don’t take privacy seriously, Smolynec noted new communications technologies are having an impact on privacy and expose businesses to vulnerabilities.
“There are some businesses that are not compliant (with PIPEDA), there are other businesses that have to develop robust privacy programs and cybersecurity measures to protect themselves.”
To show Canadians they are serious about privacy, businesses need to make sure they follow PIPEDA and obtain “meaningful consent” for the personally identifiable data they collect, he said. That includes explaining what personal information is being collected, the purpose of the collection, who it is being shared with, how it may be used and any potential risks. The OPC website has advice for businesses on consent.
The OPC today also issued a package the public can use to spark discussion about privacy.
“It’s very critical for businesses to pay close attention to their processes related to [data] security and they have to make sure they have invested and structured themselves to address the risks of breaches,” said Smolynec. “That will help improve trust.”
Research firm Gartner also believes organizations need to pay more attention to the link between privacy and trust. Privacy is becoming a reason for consumers to purchase a product, in the same way that “organic,” “free trade” and “cruelty-free” labels have driven product sales, it said in a note earlier this month.
“Privacy-first products are likely to follow this trend,” said Bart Willemsen, a Gartner vice-president. “To increase customer trust, executive leaders need to build a holistic and adaptive privacy program across the organization, and be proactive instead of responding to each jurisdictional challenge.”
More than 60 jurisdictions around the world have enacted or proposed postmodern privacy and data protection laws, following the introduction of the EU’s General Data Protection Regulation (GDPR) in 2018.
“People are actively demanding privacy protection — and legislators are reacting,” said Willemsen. “If your organization operates globally, focus on standardizing operations in accordance with the GDPR, and then adjust as required for local requirements.”
He suggests using technology solutions that automate portions of a privacy management program. He also urged organizations to appoint a data privacy officer who reports to the board.
Dave Masson, Ottawa-based director of enterprise cybersecurity for Darktrace, said in an interview that Data Privacy Day should mean to an organization that — if it isn’t already doing so — it has to start protecting the personally identifiable information of customer and employees. The consequences of data theft could be “disastrous,” he said, including lawsuits and severe damage to the organization’s reputation.
“Organizations still struggle with visibility of what they have on their network,” he said, emphasizing the complexities introduced by cloud architectures. “That’s one of the problems — they can’t see what they’ve got.
“If I was an organization and confident in my security approach, I would be very proud to point out [on Data Privacy Day] what’s in place … as a way of assuring people you’re taking this seriously.”
Organizations need to take “trustworthiness” more seriously, Eve Maler, interim CTO of digital identity provider ForgeRock, said in an interview.
Data regulations have been around for years, she argued, but they have focused on basic data protection. Newer regulations demand data transparency — telling consumers what the firm knows about them — and allowing customers more control over their data. So successful organizations need to go beyond compliance to establish trust.
Organizations have to think more carefully about the privacy implications of their products, she said. For example, one company has had to withdraw what it hoped was a promising child bedroom monitor after complaints it wasn’t secure.
“That’s an awfully expensive way to go to market,” Maler said.
To impress customers, firms should also look at the personal data they collect as a joint asset, she added.
In the run-up to Data Privacy Day, a number of firms in the security space released statements warning of the need to act.
“We currently see many companies paying catch-up with new regulations, working to implement the right security tools and practices after a breach,” said Darrell Long, vice-president of product management at One Identity. “Hopefully, Data Privacy Day becomes a good initiative to remind companies to think ahead and maintain a proactive stance on privacy before a cyber incident occurs.”
Data Privacy Day “is all about raising awareness of how organizations put the vast amount of sensitive data they store at risk and encouraging everyone to take action to better protect this data,” said Ray Overby, CTO and co-founder of Key Resources.
One major risk to data privacy is excessive access, which simply means that there are individuals, either internally or externally, who have unnecessary access to corporate information.
“The more people with access to information, the more likely your data will be compromised,” he said. “These issues can crop up inadvertently and go undetected for years, so organizations need to include excessive access checking in ongoing security processes.”
Another tip for organizations to improve data privacy practices, he said, is to accurately inventory, classify, and define data ownership.
Companies have to remember that consumers entrust them with their personal data, said Anis Uzzaman, CEO and General Partner of Pegasus Tech Ventures.
“On Data Privacy Day, it’s important to remember that sensitive information needs safeguarding more than ever before,” indicated Uzzaman. “Some information that particularly needs to be protected by companies includes personal health data as this is very sensitive information that most people don’t want to be shared or used against them for future decisions they may want to make.”
When companies make the move to new application systems, it is essential to ensure a smooth transition by implementing best practices such as conducting a thorough inventory to determine no personal data is being collected, adequately backing it up, and properly protecting it with appropriate security platforms, said Steele Arbeeny, CTO of SNP Group.
This will be the first year Data Privacy Day will be celebrated with the new tough California Consumer Privacy Act (CCPA), which came into effect at the beginning of January.
Avast has never made its data collection practices a secret, but a joint report by Vice’s Motherboard and PCMag has revealed that the supposedly anonymized data can still be traced back to specific individuals.
After sifting through leaked user data and company documents, the report published today gave an unobstructed view of the type of data Avast, specifically its subsidiary Jumpshot, collected and sold. Unsurprisingly, some of it is deeply personal.
The types of data Avast hoarded were not the issue so much as their granularity. In one example, Avast was able to pinpoint a user’s Amazon purchase down to the minute. PCMag argued that Amazon could easily use this information to identify the specific user who placed the order. Once it had a match, the company could then link that customer profile to the device ID, a constant identifier assigned by Avast to all activity generated from the same device.
Free Anti-Virus Software pic.twitter.com/RYuRDTnS5d
— System32Comics (@System32Comics) November 2, 2019
People took to social media quickly after the news broke to share their thoughts.
Avast allegedly avoided selling information with the device ID attached for that reason, but in 2018, that’s exactly what it sold to marketing provider Omnicom Media Group. The package also contained the users’ age, gender, and clicking timestamps down to the millisecond.
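The linkage risk described above (a precise checkout timestamp plus a persistent device ID in an otherwise “de-identified” clickstream) is easy to demonstrate. The following Python script is an added example, not code from Avast, Jumpshot or the reporting; the order log and clickstream records are constructed sample data, and the function and field names are assumptions. It joins the two datasets on timestamp alone and shows how many device IDs become uniquely attributable to a named customer at second, minute and hour precision, then applies the usual mitigation of coarsening timestamps before the data leaves the broker.

```python
"""
Added example (constructed data): why "anonymized" clickstream records with
precise timestamps can be re-linked to named customers by any party that holds
the other side of the transaction, and how timestamp coarsening (data
minimization) shrinks that linkage.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SECOND = timedelta(seconds=1)
MINUTE = timedelta(minutes=1)
HOUR = timedelta(hours=1)

# Constructed sample: a retailer's own order log (named customers, second precision).
RETAILER_ORDERS = [
    ("alice@example.com", "2019-11-02T14:03:11"),
    ("bob@example.com",   "2019-11-02T14:03:15"),
    ("carol@example.com", "2019-11-02T14:07:40"),
    ("dave@example.com",  "2019-11-02T14:08:02"),
]

# Constructed sample: a "de-identified" clickstream as a data broker might sell it.
# The customer name is gone, but each record keeps a persistent device_id and a
# millisecond-precision checkout timestamp (the field names are assumptions).
BROKER_CLICKS = [
    {"device_id": "dev-7f3a", "event": "checkout", "ts": "2019-11-02T14:03:11.482"},
    {"device_id": "dev-91c0", "event": "checkout", "ts": "2019-11-02T14:03:15.007"},
    {"device_id": "dev-c2e4", "event": "checkout", "ts": "2019-11-02T14:07:40.913"},
    {"device_id": "dev-0b55", "event": "checkout", "ts": "2019-11-02T14:08:02.301"},
]

_EPOCH = datetime(1970, 1, 1)


def _bucket(ts: str, granularity: timedelta) -> int:
    """Map an ISO-8601 timestamp to the index of the time bucket it falls in."""
    seconds = (datetime.fromisoformat(ts) - _EPOCH).total_seconds()
    return int(seconds // granularity.total_seconds())


def link_by_timestamp(orders, clicks, granularity: timedelta) -> dict:
    """Join clickstream checkouts to named orders that fall in the same bucket.

    Returns {device_id: set of customer e-mails whose order matches}. A set of
    size 1 means the device has been re-identified; larger sets are ambiguous.
    """
    orders_by_bucket = defaultdict(set)
    for customer, ts in orders:
        orders_by_bucket[_bucket(ts, granularity)].add(customer)
    matches = {}
    for rec in clicks:
        if rec["event"] != "checkout":
            continue
        matches[rec["device_id"]] = orders_by_bucket.get(_bucket(rec["ts"], granularity), set())
    return matches


def uniquely_identified(matches: dict) -> list:
    """Device IDs that map to exactly one named customer, sorted for stable output."""
    return sorted(dev for dev, customers in matches.items() if len(customers) == 1)


def coarsen_clicks(clicks, granularity: timedelta) -> list:
    """Mitigation: truncate every timestamp to the start of its bucket before release."""
    out = []
    for rec in clicks:
        start = _EPOCH + timedelta(seconds=_bucket(rec["ts"], granularity) * granularity.total_seconds())
        out.append({**rec, "ts": start.isoformat()})
    return out


def identified_count(granularity: timedelta) -> int:
    """How many of the sample devices a retailer could name at this precision."""
    return len(uniquely_identified(link_by_timestamp(RETAILER_ORDERS, BROKER_CLICKS, granularity)))


if __name__ == "__main__":
    for label, g in (("second", SECOND), ("minute", MINUTE), ("hour", HOUR)):
        print(f"{label:>6} precision: {identified_count(g)} of {len(BROKER_CLICKS)} devices re-identified")
    released = coarsen_clicks(BROKER_CLICKS, MINUTE)
    print("after coarsening to the minute:",
          uniquely_identified(link_by_timestamp(RETAILER_ORDERS, released, MINUTE)))
```

At second precision every device in the sample is named; at minute precision the two checkouts that share 14:03 become ambiguous; at hour precision none can be named. The practical check for anyone releasing “anonymized” event data is therefore not whether the name field is gone, but how many records share each (timestamp bucket, other quasi-identifier) combination with the datasets a recipient plausibly already holds.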
In December 2019, Google Chrome and Mozilla Firefox banned the Avast browser extension over its data collection practices. Following the ban, Avast issued a statement maintaining that it scrubbed all collected data free of personal information. It then continued to collect data through its antivirus software installed in the Windows operating system. These bits of data range from Google and YouTube searches to location and porn habits.
On its website, Avast stated that it has more than 400 million users distributed across 59 countries.
Jumpshot listed IBM, Microsoft, and Google as companies that it has previously worked with. In addition, PCMag also listed Nestle, Purina, Intuit and others as clients.
IT World Canada has reached out to Google, Microsoft, and IBM for comment, but none were immediately available for comment.
Keeping up with rapidly changing regulatory requirements has become one of the biggest challenges organizations face today. Just as companies finished preparing for the General Data Protection Regulation (GDPR), California’s privacy regulation—the California Consumer Privacy Act (CCPA)—went into effect on January 1, 2020. And in August 2020, Brazil’s own GDPR-like regulation, Lei Geral de Proteção de Dados (LGPD), will start to be enforced.
To help you take a proactive role in getting ahead of privacy compliance, we’re announcing new privacy-focused assessments available in the public preview of Microsoft Compliance Score. These new assessments help you assess your compliance posture and provide guidance to implement more effective controls for CCPA, LGPD, ISO/IEC 27701:2019, and SOC 1 Type 2 and SOC 2 Type 2.
To learn more, read Microsoft Compliance Score helps address the ever-changing data privacy landscape.
The post New privacy assessments now included in Microsoft Compliance Score appeared first on Microsoft Security.
As we embark on a new decade, data privacy has become top-of-mind for business executives and consumers worldwide. Data breaches frequently expose the personal data of millions, and many companies have not done enough to protect themselves from intentional or unintentional misuse. While it is often hard to reach agreement on new legislation, one issue that governments around the world seem to agree on is the need to help protect the personal data of their constituents. The EU’s General Data Protection Regulation (GDPR) became enforceable in May 2018, and many countries, from China to Brazil, have updated or passed their own regulations. The new California Consumer Privacy Act (CCPA) became effective at the beginning of 2020, other states are following suit, and a U.S. Federal privacy law is now under consideration.
Insights from the Cisco Data Privacy Research Program
The Cisco Chief Privacy Office has provided groundbreaking research and insights to help organizations and consumers understand what they can and should do to keep data safe and maximize their investments in data privacy. Two years ago, we launched our Data Privacy Benchmark Study, which explored privacy maturity and investments across thousands of organizations worldwide. We found that two-thirds of organizations were experiencing significant sales delays due to customers’ data privacy concerns, but that privacy investment was minimizing those delays. Last year, we expanded our inquiry to explore a wide range of business benefits, including the connection between privacy investment and security benefits such as fewer and less costly breaches. In November, we released a companion study looking at the attitudes and behaviors of consumers worldwide. We identified a large group we call “Privacy Actives” – that is, consumers who care about privacy, are willing to spend time or money to protect their data, and have already switched companies or providers based on their data policies.
The 2020 Data Privacy Benchmark Study and the ROI of Privacy
Today, in observance of International Data Privacy Day, I am pleased to share our 2020 Data Privacy Benchmark Study. Drawing on data from 2800 organizations in 13 countries, we have – for the first time – calculated the ROI for privacy. In addition, we updated the privacy metrics we have been tracking over several years. The study explores the value of privacy certifications in today’s market, as follows:
- For every dollar spent on privacy, the average organization is getting $2.70 in associated benefits. We asked respondents to quantify their annual privacy investment and business benefits, and we used this to calculate their privacy ROI. Most organizations are seeing very positive returns, and over 40% are realizing at least double their investment.
- 70% of organizations say they received significant business benefits from privacy beyond compliance. This is up from 40% last year, and includes better agility and innovation, increased competitive advantage, improved attractiveness to investors, and greater customer trust.
- Higher accountability translates to increased benefits: Companies with higher accountability scores (as assessed using the Accountability Wheel of the Centre for Information Policy Leadership) experience lower breach costs, shorter sales delays, and higher financial returns.
- Eighty-two percent of organizations see privacy certifications as a motivation for purchasing: Privacy certifications such as the ISO 27701 and the EU-U.S. Privacy Shield are becoming an important purchasing factor when selecting a third-party vendor.
What does this mean for organizations?
The results of this study highlight that privacy is good for business, beyond any compliance requirements. We recommend that organizations:
- Invest in privacy beyond the legal minimum; most organizations are seeing very positive returns on their privacy spending.
- Work to obtain external privacy certifications; these have become an important factor in the buying process.
- Build in privacy accountability and maturity to achieve security benefits, reduced sales delays, and higher returns.
In future blogs, I will explore these results more fully, including some of the interesting differences in results across geographies and company size.
Follow Robert on Twitter @RobertWaitman
WAFs are among the most common security controls used by organizations in both the public and private sectors to protect their web applications against common web exploits.
Driven by the extensive growth in attack volume against web applications, the global WAF market size is expected to reach $6.89 billion by 2024. What else is driving this growth across industries?
Driver of WAF adoption
In a research study by Computing, 62% of IT decision makers surveyed across various industries stated regulatory compliance as their primary reason for purchasing a WAF.
With regulations introduced to protect consumer data safety, businesses and organizations are keen to adopt industry standards like PCI-DSS (Payment Card Industry Data Security Standard), given that the standard is a prerequisite for businesses who need to accept and process online credit card payments.
The study found other notable drivers of WAF adoption:
- 46% of respondents find that inherent vulnerabilities to application layer attacks had enabled them to present a compelling business case for a WAF.
- 23% were driven by penetration testing that alerted them to some serious vulnerabilities in their web applications.
- 18% stated that there was simply no other cost-effective way of securing legacy applications.
Role of WAF in data protection laws
In the 1990s, there were only 20 data privacy laws worldwide. Now, there are over 100. In many cases, government regulations require the deployment of a WAF, either explicitly or implicitly.
WAFs by their very nature are designed to protect an organization’s core assets (i.e. web applications) and maintain data integrity. That’s why countries with mature cybersecurity markets tend to have data protection or data privacy laws in place to address data security.
One of the most well-known government laws contributing to WAF adoption is the GDPR (General Data Protection Regulation), which is the EU’s answer to adhere to data protection and privacy for all its citizens.
However, not all countries have highly developed laws like the GDPR. Many countries have data protection laws that are too general and might not provide enough guidance to assign any sort of accountability to companies that hold user data. In these cases, there is also no mention of deploying a WAF.
Saudi Arabia, for example, has privacy laws similar to those found in other countries, but they address only privacy and data collection, with no mention of data security and no clause requiring that users be notified of data breaches.
Why compliance and protecting customer data matter
Besides avoiding penalties or the suspension of their services, adhering to data protection laws and industry compliance standards also establishes trust among data owners.
By demonstrating a commitment to data protection through compliance, an organization makes more users willing to engage with its services. If an organization does not uphold these standards, users will be less willing to hand over their personal information, and the company’s reputation may be on the line.
Therefore, it makes sense that any company that processes, manages, and stores personal data must put the proper security controls in place to protect user data and notify users of any data breaches.
Though not all data privacy laws explicitly require a WAF, deploying one helps achieve the data protection they demand.
Take a look below at some of the laws around the world aimed at protecting user data.
| Europe | North America | Latin America |
|---|---|---|
| EU: GDPR (General Data Protection Regulation) | Canada: Personal Information Protection and Electronic Documents Act (PIPEDA) | Brazil: Lei Geral de Proteção de Dados (LGPD) |
| UK: Data Protection Act 2018 | US: Privacy Act of 1974 | Mexico: Federal Law on Protection of Personal Data Held by Individuals (LFPDPPP) |
| Sweden: Data Protection Act (DPA) | US: Family Educational Rights and Privacy Act (FERPA) | Argentina: Personal Data Protection Act 2000 (Law No. 25,326) |
| France: French Data Protection Act 2 (FDPA) | | |
| Germany: Federal Data Protection Act 2017 (Bundesdatenschutzgesetz – BDSG) | | |

| Middle East | Africa | Asia-Pacific |
|---|---|---|
| Israel: Privacy Protection Law (5741-1981) | South Africa: Protection of Personal Information Act 2013 (POPIA) | Singapore: The Personal Data Protection Act 2012 |
| | | Hong Kong: Personal Data Privacy Ordinance Cap 486 (PDPO) |
| | | Australia: Privacy Act of 1988 and Telecommunications Act 1997 |
| | | Malaysia: Personal Data Protection Act (PDPA) |
Is there a famous data privacy law we missed? Drop us a line!
The post Data Protection Laws & Compliance As Drivers of WAF Adoption appeared first on Cloudbric.
Federal governments and major technology firms are arguing for or against encryption, respectively. But why?
Due to recent political turmoil and devastating events overseas, the topic of end-to-end encryption has reentered public discussion. At the center of the debate, you have federal governments and major technology firms, each arguing for or against encryption.