Category Archives: social media

The Journey to Data Integrity

In 2017, ‘Fake News’ was crowned word of the year thanks in part to a deteriorating relationship between politicians and the media. Claims and counterclaims could be challenged without the

The post The Journey to Data Integrity appeared first on The Cyber Security Place.

How To Sidestep Popular Social Scams

Each year, internet users lose billions of dollars to online scams that use clever ploys to trick us out of our information and money. By offering prizes, referencing current events, or just creating a sense of urgency, scammers know how to get us to click when we really shouldn’t. Check out these recent scams, so you know what to look out for.

Nosy Quizzes & Questionnaires

Quizzes circulating on Facebook, Twitter, and other social platforms may look like a fun way to win free stuff, but often they are phishing attacks in disguise. Many appear to be sponsored by big-name brands such as airlines and major retailers, offering free products or discount tickets if you just answer a few questions. The questions are designed to get you to reveal personal information that can be used to guess your passwords or security questions, such as your mother’s maiden name, or your hometown.

Creepy Crypto Scams 

While cryptocurrencies lost a lot of value over the last year, the same cannot be said for cryptocurrency scams. The majority of them center on distributing crypto mining malware, which allows hackers to access a person’s computer or device without their permission in order to mine for cryptocurrencies. In fact, these scams have been so prolific that at the end of 2018 McAfee reported that coin mining malware had grown more than 4000% in the previous year.

Many of these miners were distributed through phishing emails and websites, using “giveaway” scams on social media, or even via crypto mining chat groups on platforms such as Slack. Cybercrooks enter the chat rooms, pretending to be fellow miners, and encourage users to download malware disguised as “fixes” to crypto issues.

Romance & “Sextortion” Scams 

The meteoric rise of online dating has led to a similar increase in romance scams. These often involve bad actors preying on lonely people who are looking to connect. Scammers build up a sense of trust over online dating and social media platforms, before asking for money. They often claim the money is for an emergency, or a plane ticket to visit. This kind of manipulation works so well that the Better Business Bureau estimates that victims in the U.S. and Canada lost nearly $1 billion to romance scams between 2015 and 2018.

And while romance is one way to manipulate users, another driver is fear. This is certainly the case with the recent rise in so-called “sextortion” scams, which scare users into paying money to prevent incriminating pictures or videos of them from getting out. The bad guys claim that they obtained the embarrassing content by infecting the victim’s device with malware, and often send part of an old, leaked password as proof that they could have accessed their account.

Topical News Hooks

Whenever a major story sweeps the news, chances are the scammers are looking for ways to capitalize on it. This is exactly what happened during the recent U.S. government shutdown, which left 800,000 federal employees out of work for over a month. Since many of these workers were looking for extra income, job scams abounded. Some phony job ads asked workers to fill out detailed job application forms, in order to steal their Social Security numbers and other private information.

In another ruse, scammers sent out phony emails that appeared to be from the IRS, saying that the recipient could get a discount on their tax bills if they paid during the shutdown.

Tried-and-True Scams

Package Delivery— Phony package delivery emails usually spike around the holidays, but in the age of Amazon Prime delivery scams are circulating year-round. Be on the lookout for more recent Amazon scams that come in the form of a phishing email, asking you to review a product to get rewards. If you click on the link it could deliver malware, or even ransomware.

Tech Support— This is one of the oldest, but most persistent scams to date. Phishing websites and phony pop-up warnings that a computer or device is infected have led thousands of people to hand over personal and financial information to fix a problem they don’t really have.

Even though consumers have become savvier about these scams, a recent Microsoft survey found that 3 out of 5 people have been exposed to tech support scams over the last year.

So, now that you know what to look out for, here are our top tips for sidestepping the scammers:

  • Be careful where you click—Don’t open suspicious links and attachments, and never click on pop-up messages from an unknown source. If you get a suspicious login or payment request, go directly to the provider’s official website to see if the request is legitimate.
  • Know how to spot the fake—Phony messages or documents will often look like a simplified version of the real thing, with poor quality graphics, incorrect grammar and spelling, and a generic personal greeting.
  • Keep your personal information private—Avoid online quizzes, and never share personal or financial details with someone you don’t know in real life. Review your privacy and security settings on social sites to make sure that you aren’t leaking information.
  • Be a smart online shopper—Only buy from reputable websites, and steer away from deals that seem too good to be true. Be suspicious of unusual payment requests, such as buying gift cards or using virtual currency.
  • Become a password pro—Choose complex and unique passwords for all of your accounts. Consider using a password manager to help you create and store complicated passwords securely.
  • Protect your computers and devices—Use comprehensive security software that can safeguard you from the latest threats.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post How To Sidestep Popular Social Scams appeared first on McAfee Blogs.

Should you delete yourself from social media?

You’re feeling like you’ve had enough. All the recent news—from Facebook’s Cambridge Analytica snafu to various abuses of Twitter vulnerabilities—has you wondering: Should I delete myself from social media?

Social networking does have its positive aspects. You can stay in touch with distant (or not) relatives, be included in the planning of social events within your circle of friends, get real-time updates on regional and national news, and promote your company, content, or other personal ventures. Plus, you get to experience all the cool memes a full two weeks after they’ve been posted on Reddit.

Then again, there are quite a few reasons—spanning security, privacy, and overall shady business practices—for leaving. In 2018 alone, Facebook experienced a security breach that impacted 50 million accounts, was responsible for a genocide incited using its platform, kept user data it said it deleted, and was caught abusing Apple development apps to test on children. Twitter, meanwhile, has not only been at the butt end of password bugs, hacks, and data breaches but, some could say, is these days a general dumpster fire of bot accounts.

Instagram and Snapchat are not without their flaws, either. Hackers are targeting influencer accounts on Insta, while Snapchat has been the recipient of phishing attacks and security breaches.

Unfortunately, we can’t make the decision to quit social media for you. Instead, we recommend you make a list of pros and cons. Consider what data might be lost. Consider what time and peace of mind might be gained. Weigh the rewards against the risks. If you come away feeling ready to take a step back, but not quite quit cold turkey, we can help you with ways to tighten security and privacy settings. And if that’s not enough, we’ll show you how to delete your accounts.

Let’s start slowly

If you’re not quite ready to cut the cord, a good option for cooling down on social media is to adjust the privacy settings on all of your accounts. This is a sensible thing to do, even if you aren’t considering leaving. It also has the bonus side effect of increasing awareness of just how much you share on social media.

In a previous blog, we discussed how to secure your social media profiles in great detail. We recommend users who aren’t deleting themselves read this first to understand the intricacies. Next, here’s a quick and dirty list of links to follow in order to adjust privacy settings across the top four social networking platforms:

After adjusting the settings, it’s a good idea to monitor and track your social media usage moving forward, either for the purpose of time management, focus, or beating social media addiction. As more and more of our media consumption moves to smart phones, you can leverage several apps that will help you achieve these goals. These include:

Goodbye, top four!

Let’s say you sat down, had a good think, and decided that it’s time to move on from social media. You can begin by collecting the appropriate links. Below, we’ve included links to download your data from the most popular platforms. You should download your personal information from these social networking sites prior to the nuclear option, should you experience remorse. Plus, it’s a real eye opener to find out exactly how much data you generate and share on social networking platforms.


Time to permanent deletion: Once 14 days have passed, your deletion request will be started. This can take upwards of 90 days to complete.


Time to permanent deletion: It takes up to 30 days for Twitter to completely delete your account.


Time to permanent deletion: Immediately!


Time to permanent deletion: 30 days


Ha ha ha, ho ho ho, he he he he. This one is mostly for the giggles. Google will abandon this particular endeavor on April 2, 2019. But if you feel the need to delete yourself before then, here’s what to do:

The right time

Security researchers love social media platforms. They’re a vast source of open-source intelligence (OSINT) and help us make attribution possible (provided your adversary has poor OPSEC). However, the reasons we enjoy social media may also be the reasons why regular consumers should take a beat and consider the benefits.

When you’re ready to make a decision, we’ve given you all the necessary links to back up and delete these accounts, as well as some material that may help you decide which ones to keep, and how to properly secure them.

If social media is causing anxiety, stress, or depression; if you’re tired of your data being mined and shared with third parties; if it’s starting to feel more like work to maintain instead of pleasure, then it may be time to shore up defenses and take a break, or even step away for good. And if that time comes, we’re here for you.

The post Should you delete yourself from social media? appeared first on Malwarebytes Labs.

Roses Are Red, Violets Are Blue – What Does Your Personal Data Say About You?

A classic meet-cute – the moment where two people, destined to be together, meet for the first time. This rom-com cornerstone is turned on its head by Netflix’s latest bingeable series “You.” For those who have watched, we have learned two things. One, never trust someone who is overly protective of their basement. And two, in the era of social media and dating apps, it’s incredibly easy to take advantage of the amount of personal data consumers readily, and somewhat naively, share online and with the cloud every day.

We first meet Joe Goldberg and Guinevere Beck – the show’s lead characters – in a bookstore: she’s looking for a book, he’s a book clerk. They flirt, she buys a book, he learns her name. For all intents and purposes, this is where their story should end – but it doesn’t. With a simple search of her name, Joe discovers the world of Guinevere Beck’s social media channels, all conveniently set to public. And before we know it, Joe has made himself a figurative rear-window into Beck’s life, which brings to light the dangers of social media and highlights how a lack of digital privacy could put users in situations of unnecessary risk. With this information on Beck, Joe soon becomes both a physical and digital stalker, even managing to steal her phone while trailing her one day, which as luck would have it, is not password protected. From there, Joe follows her every text, plan and move thanks to the cloud.

Now, while Joe and Beck’s situation is unique (and a tad dramatized), the amount of data exposed via their interactions could potentially occur through another romantic avenue – online dating. Many millennial couples meet on dating sites where users are invited to share personal anecdotes, answer questions, and post photos of themselves. The nature of these apps is to get to know a stranger better, but the amount of personal information we choose to share can create security risks. We have to be careful as the line between creepy and cute quickly blurs when users can access someone’s every status update, tweet, and geotagged photo.

While “You” is an extreme case of social media gone wrong, dating app, social media, and cloud usage are all very predominant in 2019. Therefore, if you’re a digital user, be sure to consider these precautions:

  • Always set privacy and security settings. Anyone with access to the internet can view your social media if it’s public, so turn your profiles to private in order to have control over who can follow you. Take it a step further and go into your app settings to control which apps you want to share your location with and which ones you don’t.
  • Use a screen name for social media accounts. If you don’t want a simple search of your name on Google to lead to all your social media accounts, consider using a different variation of your real name.
  • Watch what you post. Before tagging your friends or location on Instagram and posting your location on Facebook, think about what this private information reveals about you publicly and how it could be used by a third-party.
  • Use strong passwords. In the chance your data does become exposed, or your device is stolen, a strong, unique password can help prevent your accounts from being hacked.
  • Leverage two-factor authentication. Remember to always implement two-factor authentication to add an extra layer of security to your device. This will help strengthen your online accounts with a unique, one-time code required to log in and access your data.
  • Use the cloud with caution. If you plan to store your data in the cloud, be sure to set up an additional layer of access security (one way of doing this is through two-factor authentication) so that no one can access the wealth of information your cloud holds. If your smartphone is lost or stolen, you can access your password protected cloud account to lock third-parties out of your device, and more importantly your personal data.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post Roses Are Red, Violets Are Blue – What Does Your Personal Data Say About You? appeared first on McAfee Blogs.

Valentine’s Alert: Don’t Let Scammers Break Your Heart or Your Bank Account

It’s hard to believe that as savvy as we’ve become about our tech, people are still getting catfished, scammed, and heartbroken in their pursuit of love online.

The dinner conversation between bystanders goes something like this: “How could anyone be so dumb? Seriously? If they are going to be that reckless and uninformed, then maybe they deserve what they got!”

Some friends and I recently had a similar conversation about online dating scams. I noticed, however, that one friend, Sarah*, wasn’t so eager to jump into the conversation. She shrunk back in the booth and quietly sipped her margarita. Only later did she share her story with me.

The power of love

Sarah is a single mom in her late 40s, well-educated, and attractive. Her teenager had convinced her to join a dating site the year before. She was especially lonely after her divorce three years earlier, so she agreed to create a profile on a popular dating app. After a handful of dates fell flat, she found Scott. He was charismatic, kind. “We had an instant connection,” according to Sarah. They spent hours on the phone sharing their deepest secrets and even started imagining a future together. But after about three months, Scott fell on hard times. At first, he needed to borrow $400 to pay for airfare to visit a dying relative, which he paid back immediately. Over the next few months, the numbers grew to $1,000 for rent and $3,000 for a business venture.

Before long, Sarah had loaned her new love over $8,500. When she pressed him to repay the money, Scott ghosted Sarah online, moved out of town, and she never saw him again. My friend didn’t share her story with many people. She didn’t report it. She was too embarrassed and humiliated and even became depressed following what she calls “the Scott scam.” Her trust in other people and in love itself has been obliterated.

Sarah’s story doesn’t just echo that of desperate, clueless people, or lonely older women. Scammers are targeting good people who still believe in and value love and companionship. The pursuit of love online extends to adults as well as teens.

Confidence Fraud

Law enforcement calls these kinds of online romance scams confidence fraud because scammers will take a considerable amount of time gaining the trust and confidence of their victims. They will appear empathetic and supportive as they gather personal information they can use over time to carry out their scam.

According to the Federal Bureau of Investigation (FBI), confidence fraud has jumped 20% in the past year despite reports and warnings — especially around this time of year.

The FBI’s Internet Crime Complaint Center (IC3) reports that romance scams top all other financial online crimes. In 2016, people reported almost 15,000 romance scams to IC3 (nearly 2,500 more than the previous year), with losses exceeding $230 million.

Tips for Safe Online Dating

Never send money. Be it a romantic relationship you’ve engaged with or a phishing email, no matter the sob story, do not send money to anyone online. If you do send money, put a loan agreement in place that is legally enforceable should one party default.

Suspicious behavior. If someone promises to meet you somewhere but keeps canceling or if he or she refuses to video chat, those are red flags. Technology means anyone from anywhere in the world can successfully maintain a scam.

Take things slow. If someone is pushing the pace of a relationship or too quick to declare love and talk about the future, pause and assess the situation.

Do a background check. Love is a powerful force and can easily cloud a person’s correct understanding of reality. If you dare to create a dating profile, make a deal with yourself that you will extend the same courage to doing a background check on someone.

Be a sleuth. Don’t be afraid to gather facts on someone you’ve met online. Simple steps such as Googling the person’s name or dropping their photo in Google’s Reverse Image Search will help you get a better understanding of a person. Have faith: Good, legitimate people do exist. However, if there’s anything dubious, it’s best to find it out earlier rather than later. Part of doing your homework is tracking down mutual friends and making inquiries about the person you are talking with online.

Keep your social profiles private. Experts agree that you should edit your online footprint before you start dating people you’ve met online. Making your Instagram, Twitter, and Facebook private will guard you against potential.

Never send racy photos. Some scammers gain the confidence of their victims with every intention of extorting them in the future. They will threaten to share any racy photos with your family, friends, or business associates. The best way to avoid this is to never, ever send racy photos to anyone.

Google yourself, restrict info. Google yourself to see if there are any digital breadcrumbs that give away your home address or phone number. If possible, delete or revise that info. Likewise, go through your social accounts and remove any personal information you’ve shared in the past. Digital stalking is a risk for people who date online so turn off GPS on your dating apps and make sure your profile information is vague. Even if you get comfortable online with others, never get too comfortable since apps have privacy loopholes that can easily be exploited by hackers.

Take solid precautions. Enlist at least one friend as your dating safety pal. This will be the person who knows where you are going, who you will be with, and the background on the person you are meeting. Ask that person to check in with you during the date and carry pepper spray or a taser for physical protection. Go the extra step and turn on your Friend Finder or a location app that allows your safety friend to track your whereabouts during a date.

*Names have been changed

The post Valentine’s Alert: Don’t Let Scammers Break Your Heart or Your Bank Account appeared first on McAfee Blogs.

How Online Gamers Can Play It Safe

Online gaming has grown exponentially in recent years, and scammers have taken note. With the industry raking in over $100 billion in 2017 alone[1], the opportunity to funnel some money off through fraud or theft has proven irresistible to the bad guys, leaving gamers at greater risk.

From malware and phishing scams, to phony game hacks, identity theft, and more, gamers of all stripes now face a minefield of obstacles online and in real life. So, if you’re going to play games, it’s best to play it safe.

Here’s what to look out for:

Dodgy Downloads

Gamers who play on their computer or mobile device need to watch out for dangerous links or malicious apps disguised as popular or “free” games. Hackers often use innocent-looking downloads to deliver viruses and spyware, or even sign you up for paid services, without your consent. In one prominent case, more than 2.6 million Android users downloaded fake Minecraft apps that allowed hackers to take control of their devices.

Researchers have even discovered a ransomware threat that targets gamers. TeslaCrypt was designed to encrypt game-play data until a ransom is paid. Originally distributed through a malicious website, it has since been circulating via spam.

And while it’s true that game consoles like PlayStation and Xbox aren’t as vulnerable to viruses, since they are closed systems, that doesn’t mean that their users don’t face other risks.

Social Scams

Players on any platform could wind up with malware, sent directly from other players via chat messages. Some scammers use social engineering tricks, like inviting other players to download “helpful” tools that turn out to be malware instead. When you consider that 62% of kids play games where they speak to others, the odds of a risky interaction with a stranger seem quite real.

Players of the Origin and Steam services, for instance, were targeted by hackers posing as other players, inviting them to play on their teams. Over chat message, they suggested the players download an “audio tool” that turned out to be a keystroke logger, aimed at stealing their access credentials for the game.

Other social scams include malicious YouTube videos or websites, offering game bonuses and currency, for free.

Another widespread social threat is account takeover, or ATO for short. This is when a scammer hacks a real account in order to post spammy links, and scam messages that appear to come from a trusted contact. Some accounts, for games like League of Legends, have even been stolen and sold online for money because they boasted a high level, or rare skins.


Finally, be on the lookout for phishing websites, offering free games or bonuses, or phishy emails prompting you to login to your account, with a link leading to a copycat gaming site. Often, these are designed to steal your login credentials or distribute fake games that contain malware.

Players of the wildly popular Fortnite, for example, have been particularly targeted. The latest phishing scam is aimed at stealing the third-party sign-in tokens that allow cybercriminals to access a user’s account, and the payment details associated with it.

So now that you know a little more about gaming threats, here’s how to win at playing it safe:

  1. Do Your Research—Before downloading any games from the Internet or app stores, make sure to read other users’ reviews first to see that they are safe. This also goes for sites that sell game hacks, credits, patches, or virtual assets typically used to gain rank within a game. Avoid illegal file-sharing sites and “free” downloads, since these are often peppered with malware. It’s always best to go for a safer, paid option from a reputable source.
  2. Play Undercover— Be very careful about sharing personal information, in both your profile information, and your chat messages. Private information, such as your full name, address, pet’s name, school, or work details, could be used to guess your account password clues, or even impersonate you. Consider playing under an alias.
  3. Be Suspicious—Since scammers use the social aspect of games to fool people, you need to keep your guard up when you receive messages from strangers, or even read reviews.
    Some YouTube and social media reviews are placed there to trick users into thinking that the game or asset is legitimate. Dig deep, and avoid looking for free hacks. Ask gamers you know in real life for recommendations that worked for them.
  4. Protect Yourself—Avoid using older versions of games, and make sure that games you do play are updated with patches and fixes. And if you think a gaming account may already have been compromised, change your passwords immediately to something unique and complex. Safeguard your computers and devices from known and emerging threats by investing in comprehensive security software, and keep yourself up-to-date on the latest scams.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

[1] According to The 2017 Year In Review Report by SuperData

The post How Online Gamers Can Play It Safe appeared first on McAfee Blogs.

New York Attorney General Rules Selling Fake Likes and Follows is illegal

A year ago, the New York Times reported that an obscure company called Devumi were obtaining millions of dollars by

New York Attorney General Rules Selling Fake Likes and Follows is illegal on Latest Hacking News.

Facebook’s Plans to Merge Messaging Platforms: What This Means for Online Safety

Integration: it seems to be all the rage. As technology becomes more sophisticated, we sprint to incorporate these new innovations into our everyday lives. But as we celebrate Safer Internet Day, one can’t help but wonder, is all integration good when it comes to information shared online? Major privacy concerns have been raised surrounding Facebook’s recent plans to merge Messenger, WhatsApp, and Instagram. This integration will allow cross-messaging between the three platforms (which will all still operate as standalone apps), so users could talk to their Messenger-only friends without leaving WhatsApp.

While Facebook’s plans to merge the messaging platforms are not yet finalized, the company is in the process of rebuilding the underlying infrastructure so that users who might utilize only one of the apps will be able to communicate with others within the company’s ecosystem. Facebook plans to include end-to-end encryption for the apps, ensuring that only the participants of a conversation can view the messages being sent. By allowing each app to speak to one another across platforms, Facebook hopes users become more engaged and use this as their primary messaging service.

But Facebook’s messaging changes have greater implications for online safety as consumers become more protective of their data. For example, WhatsApp only requires a phone number to sign up for the app while Facebook asks users to verify their identities. Will this force more data to be shared with WhatsApp, or will its encryption become less secure? While nothing has been finalized, it’s important for users to think about how the information they share online could be affected by this merge.

Although the internet has paved the way for advancements in social media and technology in general, users need to make sure they’re aware of the potential risks involved. And while this merge hasn’t happened yet, Safer Internet Day helps remind us to make good choices when it comes to browsing online. Following these tips can help keep you and your data safe and secure:

  • Get selective about what you share. Although social media is a great way to keep your friends and family in the loop on your daily life, be conservative about the information you put on the internet. Additionally, be cautious of what you send through messaging platforms, especially when it comes to your personally identifiable information.
  • Update your privacy settings. To make sure that you’re sharing your status with just your intended audience, check your privacy settings. Choose which apps you wish to share your location with and turn your profiles to private if you don’t want all users to have access to your information.
  • Keep your apps up-to-date. Keeping your social media apps updated can prevent exposure to threats brought on by software bugs. Turn on automatic updates so you always have the latest security patches, and make sure that your security software is set to run regular scans.
  • Click with caution. Cybercriminals can leverage social media messaging to spread phishing links. Don’t interact with users or messages that seem suspicious and keep your guard up by blocking unfamiliar users who try to send you sketchy content.
  • Stay secure while you browse online. Security solutions like McAfee WebAdvisor can help block malware and phishing sites if you accidentally click on a malicious link. This can help protect you from potential threats when you access your social channels from a desktop or laptop.

And, as always, stay on top of the latest consumer and mobile security threats by following @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Facebook’s Plans to Merge Messaging Platforms: What This Means for Online Safety appeared first on McAfee Blogs.

A week in security (January 28 – February 3)

Last week, we ran another in our interview with a malware hunter series, explained a FaceTime vulnerability, and took a deep dive into a new stealer. We also threw some light on a Houzz data breach, and what exactly happened between Apple and Facebook.

Other cybersecurity news

  • Kwik Fit hit by malware: Car service specialist runs into trouble when systems go offline. (Source: BBC)
  • Mozilla publishes tracking policy: Mozilla fleshes out their vision of what is and isn’t acceptable in tracking land. (Source: Mozilla)
  • Distracting smart speakers: How you can effectively drown out your smart speaker with a bit of distraction. (Source: The Register)
  • Privacy attack aimed at 3/4/5G users: Theoretical fake mobile towers are back in business, with an investment in monitoring device owner activities. (Source: Help Net Security)
  • How my Instagram was hacked: A good warning about the perils of password reuse. (Source: Naked Security)
  • Social media identity thieves: Scammers will stop at nothing to pull some heartstrings and make a little money in the bargain. (Source: ABC news)
  • Another smart home hacked: A family recounts their horror at seeing portions of their home cut open for someone’s amusement. (Source: Komando)
  • Facebook mashup: Plans to combine WhatsApp, Instagram, and Facebook Messenger are revealed with security questions raised. (Source: New York Times)
  • Phishing attacks continue to rise: Worrying stats via security experts polled who agree in large numbers that phishing is at the same level or higher than it was previously. (Source: Mashable)
  • Researchers discover malware-friendly hosting service: After a spike in infections, researchers track things back to a host that looked like a “hornet’s nest of malware.” (Source: TechCrunch)

Stay safe, everyone!

The post A week in security (January 28 – February 3) appeared first on Malwarebytes Labs.

Twitter Scammers Pose As Large Companies to Scam Unsuspecting Users

Social media has made it easier for customers to complain to large companies. Many companies now have dedicated social media accounts

Twitter Scammers Pose As Large Companies to Scam Unsuspecting Users on Latest Hacking News.

What does ‘consent to tracking’ really mean?

Thanks to Jerome Boursier for contributions.

Post GDPR, many social media platforms will ask end users to consent to some form of tracking as a condition of using the service. It’s easy to make assumptions as to what that means, especially when the actual terms of service or data policy for the service in question is tough to find, full of legal jargon, or just long and boring. Part of the shock of Facebook stories was in discovering just how expansive their consent to tracking really was. Let’s take a look at what can happen after you hit OK on a new site’s Terms of Service.

What we think they’re doing

Most commonly, users think that social media sites limit their tracking to actual interactions with the site while logged in. This includes likes, follows, favorites, and general use of the site as intended. Those interactions are then analyzed to determine a user’s rough interests, and serve them corresponding ads.

We asked some non-technical Malwarebytes staffers what they thought popular companies collected on them and got the following responses:

“Hmm I would assume just my name, birthday, trends in the hashtags I use, and locations I’m at. Nothing else.”

“As far as IG goes, I’m guessing they collect data on the hashtags I follow and what I look at because all the ads are home improvement ads.”

While these are common use cases for tracking, innovations in user surveillance have allowed companies to take much more invasive actions.

What they’re actually doing

The Cambridge Analytica reports were quite shocking, but in theory their data practices were actually a violation of the agreement they had with Facebook. Somewhat more concerning are actions that Facebook and other social media companies take overtly with third parties, or as part of their explicit terms of service.

In June 2018, a New York Times report revealed partnerships between Facebook and mobile device manufacturers allowed data collection on your Facebook friends, irrespective of whether those friends had allowed data sharing with third parties. This data collection varied by device manufacturer, and most were relatively benign. Blackberry, however, seemed to go beyond what most of us expect to be collected when we log in:

Facebook has been known for years to have somewhat creepy partnerships like this. But what about other platforms? Instagram has an interesting paragraph in its terms and conditions:

Does communications include direct messages? How long is this information stored, where, and under what conditions? It could be perfectly secure and anonymized, but it’s difficult to tell because Instagram is a little vague on these points. Companies tell us what they collect consistently but they don’t always tell us why or disclose retention conditions, which makes it difficult for a user to make a proper risk assessment for allowing tracking.

Outside of the Facebook family of products, Pinterest does some data sharing that you might not expect:

Kudos to Pinterest for providing clear opt-out instructions.

A reasonable user might not expect that when they consent to tracking connected with a Pinterest account, they also agree to offsite tracking. Pinterest does stand out, however, by presenting well-organized and clear information followed by simple opt-out instructions after each section.

What they might be doing

Most platforms that engage in user tracking do so in ways that raise concern, but are not overtly alarming. Abuses we’ve heard about tend to center on the tracking company sharing information with third parties. So what might happen if the wrong third party gains access to this data?

In 2016, a ProPublica investigation was able to use Facebook ad targeting to create a housing ad that excluded minorities from seeing it. (This probably violates the US Fair Housing Act.) Using user data to discriminate in plausibly deniable ways predates the Internet, but the unprecedented volume of data collected makes schemes by bad actors much more efficient and easy to launch.

A more speculative harm is the use of tracking tags on sensitive websites. In France, a government website providing accurate information on reproductive health services was using a Facebook tracker. A “trusted partner” receiving user metadata, as well as which sections of the site that user clicks on, has the potential to be profoundly invasive. From a risk mitigation perspective, a user with a Facebook account might not have anticipated this sort of tracking when they initially consented to Facebook’s terms of service.

A common counter to complaints regarding user tracking is, “Well, you agreed to their terms, so you should have expected this.” This is arguably applicable to basic metadata collection and targeted ads, but is it reasonable to expect a Facebook user to understand that their off-platform browsing is subject to surveillance as well? User tracking has progressed so far in sophistication that an average user most likely does not have the background necessary to imagine every possible use case for data collection prior to accepting a user agreement.

What you can do about it

If any of the above examples make you uncomfortable, check out how to secure some common social media platforms using internal settings. If you want to implement additional technical solutions, browser extensions like Ghostery and the EFF’s Privacy Badger can prevent trackers from sucking up data you would prefer not to hand over.

Messenger services are a bit harder to transition away from, but not impossible. Signal is a well-regarded messenger app with end-to-end encryption, and a history of respecting user privacy. Alternatively, Wire can provide a more business-oriented alternative, with screen sharing, file sharing, and access role management.

Most important is to stay suspicious when accessing a new platform. No one can mishandle data that you never agree to hand over to begin with. Stay vigilant, stay safe, and enjoy your social media platforms knowing exactly how your data is being used.

The post What does ‘consent to tracking’ really mean? appeared first on Malwarebytes Labs.

Sharing Isn’t Always Caring: 3 Tips to Help Protect Your Online Privacy

It’s 2019 and technology is becoming more sophisticated and prevalent than ever. With more technology comes greater connectivity. In fact, by 2020, there will be more than 20 billion internet-connected devices around the world. This equates to more than four devices per person. As we adopt new technology into our everyday lives, it’s important to consider how this emerging technology could lead to greater privacy risks if we don’t take steps to protect our data. That’s why the National Cyber Security Alliance (NCSA) started Data Privacy Day to help create awareness surrounding the importance of recognizing our digital footprints and safeguarding our data. To further investigate the impact of these footprints, let’s take a look at how we perceive the way data is shared and whose responsibility it is to keep our information safe.

The Impact of Social Media

Most of us interact with multiple social media platforms every day. And while social media is a great way to update your friends and family on your daily life, we often forget that these platforms also allow people we don’t really know to glimpse into our personal lives. For example, 82% of online stalkers use social media to find out information about potential victims, such as where they live or where they go to school. In other words, social media could expose your personal information to users beyond your intended audience.

Certain social media trends also bring up issues of privacy in the world of evolving technology. Take Facebook’s 10-year challenge, a recent viral trend encouraging users to post a side-by-side image of their profile pictures from 2009 and 2019. As WIRED reporter Katie O’Neill points out, the images offered in this trending challenge could potentially be used to train facial recognition software for age progression and age recognition. While the potential of this technology is mostly mundane, there is still a risk that this information could be used inequitably.

How to Approach Requests for Personal Data

Whether we’re using social media or other online resources, we all need to be aware of what personal data we’re offering out and consider the consequences of providing the information. While there are some instances where we can’t avoid sharing our personal data, such as for a government document or legal form, there are other areas where we can stand to be a little more conservative with the data that we divulge. For example, many of us have more than just our close family and friends on our social networks. So, if you’re sharing your location on your latest post, every single person who follows you has access to this information. The same goes for those online personality quizzes. While they may be entertaining, they put an unnecessary amount of your personal information out in the open. This is why it’s crucial to be thoughtful of how your data is collected and stored.

So, what steps can you take to better protect your online privacy? Check out the following tips to help safeguard your data:

  • Think before you post. Before tagging your friends on Instagram, sharing your location on Facebook, or enabling facial recognition, consider what this information reveals and how it could be used by a third-party.
  • Set privacy and security settings. If you don’t want the entire World Wide Web to be able to access your social media, turn your profiles to private. You can also go to your device settings and choose which apps or browsers you want to share your location with and which ones you don’t.
  • Enable two-factor authentication. In the event your data does become exposed, a strong, unique password can help prevent your accounts from being hacked. Furthermore, you can implement two-factor authentication to stay secure. This will help strengthen your online accounts with a unique, one-time code required to log in and access your data.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Sharing Isn’t Always Caring: 3 Tips to Help Protect Your Online Privacy appeared first on McAfee Blogs.

Facebook: A timeline of security failings

Facebook is the world’s most popular social network, boasting 2.27 billion active users every month. That’s 2.27 billion people who trust all kinds of personal information to Facebook for safe-keeping.

Unfortunately, Facebook doesn’t have a great track record of protecting its users. This timeline shows some of the biggest privacy breaches since 2005.

December 2005

To help demonstrate threats to privacy caused by “over sharing” on social networks, a team of researchers publish a script that allows them to download user data from Facebook. The team manage to acquire personal data from 70,000 profiles, arguing that businesses are carrying out similar activities, stealing data without the permission of the affected users.

December 2007

Facebook releases a new product called “Beacon”, designed to help advertisers better understand their audience by tracking their movements on other websites. Beacon extends the user’s Facebook profile based on this behaviour, recording videos hired from Blockbuster Video for instance. This feature breaks the American Video Privacy Protection Act, and Facebook is forced to settle a $9.5 million class action lawsuit brought by affected users.

December 2009

Facebook publicly publish information marked private on users’ pages. A Federal Trade Commission investigation forces Facebook to apologise, and to promise improved management and protection of personal data.

June 2013

Facebook announces discovery of a bug that allows users to download contact information belonging to friends of friends – without asking permission. Official estimates suggest that as many as 6 million people have their personal information taken in this way.

February 2014

A new data-driven start-up called Cambridge Analytica asks volunteers to install a new Facebook app called thisisyourdigitallife. The app then downloads information from the user’s profile, including lists of friends, likes and some private messages. The app breaks Facebook’s terms of service, but remains in place until December 2015. By then 87 million profiles have been harvested by Cambridge Analytica, ready for use in targeting fake news stories and other marketing-related activities.

Facebook has already been fined £500,000 by the UK’s Information Commissioner for its part in the Cambridge Analytica scandal. The issue remains under investigation in the US and elsewhere.

April 2018

Facebook is forced to announce that ‘malicious actors’ have used the built-in search function to harvest the public profile data of almost their entire user base. Almost all 2 billion users have had their data collected by third parties without their permission.

June 2018

Journalists uncover “secret” agreements between Facebook and several smartphone manufacturers. In return for improving the Facebook experience on their devices, Samsung, Microsoft, Apple, Huawei, Lenovo and others have been given access to personal data belonging to the phone’s owner and their friends. Even if those friends have chosen not to share their data with third parties.

July 2018

A new bug overrides users’ block lists. For 8 days, blocked users are able to see personal information against the wishes of account holders.

August 2018

The popular data-saving app Onavo is removed from the App Store after complaints that web activity is being collected by Facebook (Onavo’s owner), violating Apple’s privacy rules.

September 2018

A new bug in the “view as” feature allows hackers to forge authentication tokens and take control of up to 50 million user accounts.

Be careful who you trust with your data

Over the past 13 years Facebook has become a victim of its own success. With access to the personal data belonging to more than 2 billion people, the social network is a natural target for hackers and cyber criminals – but a relaxed attitude to security and privacy has only made it easier for malicious activity to thrive.

All Facebook users should regularly check their privacy and security settings to ensure they are using the tools provided to protect themselves. In the long term however, questions need to be asked whether the benefits of Facebook outweigh the obvious risks to their online safety.

The post Facebook: A timeline of security failings appeared first on Panda Security Mediacenter.

#PrivacyAware: Will You Champion Your Family’s Online Privacy?

The perky cashier stopped my transaction midway to ask for my email and phone number.

Not now. Not ever. No more. I’ve had enough. I thought to myself.

“I’d rather not, thank you,” I replied.

The cashier finished my transaction and moved on to the next customer without a second thought.

And, my email and phone number lived in one less place that day.

This seemingly insignificant exchange happened over a year ago, but it represents the day I decided to get serious and champion my (and my family’s) privacy.

I just said no. And I’ve been doing it a lot more ever since.

A few changes I’ve made:

  • Pay attention to privacy policies (especially of banks and health care providers).
  • Read the terms and conditions of apps before downloading.
  • Block cookies from websites.
  • Use a VPN instead of public wi-fi.
  • Refuse to purchase from companies that (appear to) take privacy lightly.
  • Max my privacy settings on social networks.
  • Change my passwords regularly and keep them strong!
  • Delete apps I no longer use.
  • Stay on top of software updates on all devices and add extra protection.
  • Have become hyper-aware before giving out my email, address, phone number, or birth date.
  • Limit the number of photos and details shared on social media.


The amount of personal information we share every day online — and off — is staggering. There’s information we post directly online such as our birth date, our location, our likes, and dislikes. Then there’s the data that’s given off unknowingly via web cookies, metadata, downloads, and apps.

While some data breaches are out of our control, at the end of the day, we — along with our family members — are one giant data leak.

Studies show that on average by the age of 13, parents have posted 1,300 photos and videos of their child to social media. By the time kids get devices of their own, they are posting to social media 26 times per day on average — a total of nearly 70,000 posts by age 18.

The Risks

When we overshare personal data a few things can happen. Digital fallout includes data misuse by companies, identity theft, credit card fraud, medical fraud, home break-ins, reputation damage, location and purchasing tracking, ransomware, and other risks.

The Mind Shift

The first step toward boosting your family’s privacy is to start thinking differently about privacy. Treat your data like gold (after all, that’s the way hackers see it). Guiding your family in this mind-shift will require genuine, consistent effort.

Talk to your family about privacy. Elevate its worth and the consequences when it’s undervalued or shared carelessly.

Teach your kids to treat their personal information — their browsing habits, clicks, address, personal routine, school name, passwords, and connected devices — with great care. Consider implementing this 11 Step Privacy Take Back Plan.

This mind and attitude shift will take time but, hopefully, your kids will learn to pause and think before handing over personal information to an app, a social network, a retail store, or even to friends.

Data Protection Tips*

  1. Share with care. Think before posting about yourself and others online. Consider what it reveals, who might see it and how it could be perceived now and in the future.
  2. Own your online presence. Set the privacy and security settings on websites and apps to your comfort level for information sharing. Each device, application or browser you use will have different features to limit how and with whom you share privacy
  3. Think before you act. Information about you, such as the games you like to play, your contacts list, where you shop and your geographic location, has tremendous value. Be thoughtful about who gets that information and understand how it’s collected through websites and apps.
  4. Lock down your login. Your usernames and passwords are not enough to protect critical accounts like email, banking, and social media. Strengthen online accounts and use strong authentication tools like a unique, one-time code through an app on your mobile device.

* Provided by the National Cyber Security Alliance (NCSA).

January 28 is National Data Privacy Day. The day highlights one of the most critical issues facing families today — protecting personal information in a hyper-connected world. It’s a great opportunity to commit to taking real steps to protect your online privacy. For more information on National Data Privacy Day or to get involved, go to Stay Safe Online.

The post #PrivacyAware: Will You Champion Your Family’s Online Privacy? appeared first on McAfee Blogs.

Debunking conventional wisdom to get out of the security and privacy rut

Given the unprecedented rate of technological change, the dizzying news cycle, and an always-on social media mentality, it may be surprising to learn that when it comes to security and

The post Debunking conventional wisdom to get out of the security and privacy rut appeared first on The Cyber Security Place.

Twitter bug exposed private tweets of Android users to public for years

By Carolina

A security bug in Twitter exposed private tweets of users to the public. The flaw only affected Android users of the Twitter app while iPhone users were not affected. According to Twitter, private tweets of users from November 3, 2014, to January 14, 2019, were exposed. Although the company did not say how many people were affected […]

This is a post from Read the original post: Twitter bug exposed private tweets of Android users to public for years

The 10 year challenge is taking the Internet by storm

The first few days of the new 2019 started with a new social media craze that is making its way to the timelines of hundreds of millions of people across all major social media networks – the 10 year challenge. Unless you are one of the few people who does not use social media, you most likely have already noticed the new viral trend that consists of side-by-side memes of people from ten years ago and today. Millions of people have already participated, and a whole list of celebrities have shared their before-and-after memes with their followers. The challenge is about to blow out of proportion as more and more people are entering it by the second.

What exactly is the 10 year challenge?

The challenge consists of people posting then-and-now images of themselves. The old photos go as far as 2008 and are usually compared to recent photos uploaded to social media. The viral social media trend comes in many forms. Some of the popular hashtags that reflect the hottest social media challenge are #10YearChallenge, #GlowUpChallenge, #2009vs2019, #HowHardDidAgingHitYou, and #agechallenge. The challenge is currently making its way through all major social media platforms including Facebook, Twitter, Instagram, etc.

Who is behind the challenge?

Currently, it is unknown if someone started the challenge intentionally. Multiple reporters have been speculating that this might be Facebook’s way to collect data that could be mined to train facial recognition algorithms on age progression and age recognition. Nicholas Thompson, the editor of Wired, succeeded in muddying the waters by tweeting “Let’s say you wanted to train a facial recognition algorithm on aging. What would do? Maybe start a meme like #10yearchallenge”. While this is a question that certainly gives you food for thought, it is still unknown if the challenge was ignited intentionally by a private company and if yes, what might have been its motives to do it.

Why did the 10 year challenge start now?

When Facebook was founded in 2004, the platform’s initial purpose was to be used as a networking tool for students in Ivy League universities. However, a few years after its launch, Facebook became open to everyone. Roughly 10 years ago, in 2009, Facebook started adding hundreds of millions of new users every day. Some say that the 10 year challenge is going viral right now because of Facebook’s memories tool that brings images from the past to users’ timelines. Social media users are so fascinated by the difference between the 10 year old “memory” they see, and their current profile picture, that they decide to share it with friends and family.

Which celebrities have participated in the 10 year challenge?

The viral trend got popularized by some high profile celebrities such as Reese Witherspoon, Ellen DeGeneres, Nicki Minaj, Trevor Noah, Caitlyn Jenner, and Tyra Banks. Most of them jumped on the bandwagon to simply show how well they still look and how they haven’t aged at all.

How to enter the 10 year challenge?

If you want to enter the viral challenge all you have to do is dig out a 10 year old photo of yourself and splice it with a current one. The result should be a side-by-side photograph of yourself ten years apart similar to the before-after diet advertisements that we all see all the time on social media. If you want your side-by-side photo to get noticed, you can post it on any social media channels with the following hashtags #10YearChallenge, #GlowUpChallenge, #2009vs2019, #2008vs2018, #HowHardDidAgingHitYou, and #agechallenge.


The post The 10 year challenge is taking the Internet by storm appeared first on Panda Security Mediacenter.

How to Stay Secure from the Latest Volkswagen Giveaway Scam

You’re scrolling through Facebook and receive a message notification. You open it and see it’s from Volkswagen, claiming that the company will be giving away 20 free vehicles before the end of the year. If you think you’re about to win a new car, think again. This is likely a fake Volkswagen phishing scam, which has been circulating social media channels like WhatsApp and Facebook, enticing hopeful users looking to acquire a new ride.

This fake Volkswagen campaign works differently than your typical phishing scam. The targeted user receives the message via WhatsApp or Facebook and is prompted to click on the link to participate in the contest. But instead of attempting to collect personal or financial information, the link simply redirects the victim to what appears to be a standard campaign site in Portuguese. When the victim clicks the buttons on the website, they are redirected to a third-party advertising site asking them to share the contest link with 20 of their friends. The scam authors, under the guise of being associated with Volkswagen, promise to contact the victims via Facebook once this task is completed.

As of now, we haven’t seen indicators that participants have been infected by malicious software or had any personal information stolen as a result of this scam. But because the campaign link redirects users to ad servers, the scam authors are able to maximize revenue for the advertising network. This encourages malicious third-party advertisers to continue these schemes in order to make a profit.

The holidays in particular are a convenient time for cybercriminals to create more scams like this one, as users look to social media for online shopping inspiration. Because schemes such as this could potentially be profitable for cybercriminals, it is unlikely that phishing scams spread via social media will let up. Luckily, we’ve outlined the following tips to help dodge fake online giveaways:

  • Avoid interacting with suspicious messages. If you receive a message from a company asking you to enter a contest or share a certain link, it is safe to assume that the sender is not from the actual company. Err on the side of caution and don’t respond to the message. If you want to see if a company is actually having a sale, it is best to just go directly to their official site to get more information.
  • Be careful what you click on. If you receive a message in an unfamiliar language, one that contains typos, or one that makes claims that seem too good to be true, avoid clicking on any attached links.
  • Stay secure while you browse online. Security solutions like McAfee WebAdvisor can help safeguard you from malware and warn you of phishing attempts so you can connect with confidence.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post How to Stay Secure from the Latest Volkswagen Giveaway Scam appeared first on McAfee Blogs.

Helping Kids Deal with the Digital Rejection of ‘Ghosting’

Rejection is the unspoken risk that is present when we enter into any relationship, be it a friendship or a love relationship. It’s a painful, inescapable part of life that most of us go to great lengths to avoid. That said, there’s a social media phenomenon called “ghosting” that can take the pain of rejection to surprising depths — especially among teens.

Ghosting is when a person (or friend group) you’ve been talking to online suddenly stops all communication without any explanation.

Digital Dismissal

If you’re on the receiving end of the ghosting, consider yourself ghosted. Text conversations abruptly stop. You get blocked on all social media accounts. The ghost untags him or herself in all past photos on your profiles and deletes all past comments; theirs and yours. Direct messages (if not blocked) are marked as “seen” but never get a response.

Ghosting makes it feel as if a relationship never existed, which can leave anyone — child, teen, or adult — feeling hurt, frustrated, betrayed and even traumatized.

A teen named Jess* shared her ghosting experience and described feeling “helpless, confused, and worthless,” when a person she considered a boyfriend suddenly disappeared from her life after five months and started talking to another girl online. “One minute we were close and sharing all kinds of deep stuff and then, ‘poof’! He blocked me from his social media, stopped answering my texts, and started ignoring me at school. It’s as if I never existed to him.”

Rejection = Pain

In one study, MRI images showed that the same areas of the brain become activated when we experience a social rejection as when we experience physical pain, which is why rejection can hurt so much. According to Dr. Guy Winch, rejection destabilizes our need to belong and causes us to question our self-worth. “We often respond to romantic rejections by finding fault in ourselves, bemoaning all our inadequacies, kicking ourselves when we’re already down, and smacking our self-esteem into a pulp.” Rather, he clarifies, rejection is often just a matter of being mismatched in several areas such as chemistry, goals, and commitment level.

Micro-rejection 24/7

Thanks to social media, ghosting is not only a term but a common (albeit cruel) way to end an online relationship. Because it’s digital it’s easier for some people to view others as avatars; and easier to block rather than confront. It doesn’t help that the online culture fosters micro-rejections at every turn especially for tweens and teens. With every photo that is uploaded, so too, is a young person’s bid for approval. It’s not uncommon that a child’s happiness (or lack of) is influenced by the number of likes and comments a photo racks up.

While it may be impossible to protect our kids from painful digital rejections, we can equip them to handle it when and if it comes their way. Here are a few ideas that may help ease the pain of being ghosted.

Acknowledge the hurt

No doubt, being ghosted hurts and can be embarrassing for your child (or anyone for that matter) to even talk about, so tread lightly if you suspect it. Listen more than you speak and empathize more than advise if you learn this is a situation your child is experiencing. Acknowledge the real pain of being cut off, dismissed, blocked, and ignored. Ghosting can happen between two people or even with a friend group. If you have a similar situation and can relate, share that experience with your child.

Help frame the situation

Tweens and teens often do not have the tools they need in their emotional toolbox to deal with confrontation. Nor are they pros at communicating. So, rather than exit a relationship properly, some kids will find it easier to disappear with a simple click or two. Help your child understand the bigger picture that not all people will act with integrity or kindness. And, not all people are meant to be your friend or romantic match, and that’s okay. There are plenty of people who will value, love, and treat them with respect.

Help set healthy standards

Being ghosted, while painful, is also an opportunity to help your son or daughter define or re-define his or her standards. Ask: What qualities and characteristics do you value in a friend or love interest? What values do you need to share with another person before trusting them? What warning signs should you look for next time that a person isn’t friend material? Advise: Don’t always be the person initiating every conversation, pay attention to the quality of interactions, and don’t pursue people who are unresponsive or constantly “busy.”

Discourage retribution

While some ghosting situations are mild and dismissed quickly, others can cause the person ghosted to feel humiliated, angry, and vengeful. Lashing out at or trolling a ghost online as payback isn’t the answer and will only prolong the pain of being ghosted. Encourage your child to see that discovering the person’s character now is a gift and that moving on with wisdom and integrity (minus conflict) is the fastest way to heal.

Help them move on

One huge pain point for people who have been ghosted is that he or she did not get any closure or insight as to why the relationship ended. To help with this, you might suggest your son or daughter write a letter to get all the feelings out — but never mail it. Need the satisfaction of posting that letter online (minus names)? There’s a site for that (warning: language).

Beware of haunting

Haunting is when a ghost tries to reconnect in small ways over time. He or she may resurface to leave a comment or periodic likes to test the re-entry climate. Some may even send a direct message trying to explain the poor behavior. While every situation is different, warn your kids against reconnecting with anyone who would ghost a relationship. Encourage your child to invest time in friends who value friendships and honor the feelings of others.

*Name changed

The post Helping Kids Deal with the Digital Rejection of ‘Ghosting’ appeared first on McAfee Blogs.

What To Do When Your Social Media Account Gets Hacked

You log in to your favorite social media site and notice a string of posts or messages definitely not posted by you. Or, you get a message that your account password has been changed, without your knowledge. It hits you that your account has been hacked. What do you do?

This is a timely question considering that social media breaches have been on the rise. A recent survey revealed that 22% of internet users said that their online accounts have been hacked at least once, while 14% reported they were hacked more than once. And, earlier this year Facebook itself got hacked, exposing the identity information of 50 million users.

Your first move—and a crucial one—is to change your password right away, and notify your connections that your account has been hacked. This way your friends know not to click on any suspicious posts or messages that appear to be coming from you because they might contain malware or phishing attempts. But that’s not all. There may be other, hidden threats to having your social media account hacked.

The risks associated with a hacker poking around your social media have a lot to do with how much personal information you share. Does your account include personal information that could be used to steal your identity, or guess your security questions on other accounts?

These could include your date of birth, address, hometown, or names of family members and pets. Just remember, even if you keep your profile locked down with strong privacy settings, once the hacker logs in as you, everything you have posted is up for grabs.

You should also consider whether the password for the compromised account is being used on any of your other accounts, because if so, you should change those as well. A clever hacker could easily try your email address and known password on a variety of sites to see if they can log in as you, including on banking sites.

Next, you have to address the fact that your account could have been used to spread scams or malware. Hackers often infect accounts so they can profit off clicks using adware, or steal even more valuable information from you and your contacts.

You may have already seen the scam for “discount Ray-Ban” sunglasses that plagued Facebook a couple of years ago, and recently took over Instagram. This piece of malware posts phony ads to the infected user’s account, and then tags their friends in the post. Because the posts appear in a trusted friend’s feed, users are often tricked into clicking on it, which in turn compromises their own account.

So, in addition to warning your contacts not to click on suspicious messages that may have been sent using your account, you should flag the messages as scams to the social media site, and delete them from your profile page.

Finally, you’ll want to check to see if there are any new apps or games installed to your account that you didn’t download. If so, delete them since they may be another attempt to compromise your account.

Now that you know what to do after a social media account is hacked, here’s how to prevent it from happening in the first place.

How To Keep Your Social Accounts Secure

  • Don’t click on suspicious messages or links, even if they appear to be posted by someone you know.
  • Flag any scam posts or messages you encounter on social media to the website, so they can help stop the threat from spreading.
  • Use unique, complicated passwords for all your accounts.
  • If the site offers multi-factor authentication, use it, and choose the highest privacy setting available.
  • Avoid posting any identity information or personal details that might allow a hacker to guess your security questions.
  • Don’t log in to your social accounts while using public Wi-Fi, since these networks are often unsecured and your information could be stolen.
  • Always use comprehensive security software that can keep you protected from the latest threats.
  • Keep up-to-date on the latest scams and malware threats.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post What To Do When Your Social Media Account Gets Hacked appeared first on McAfee Blogs.

Has Your Phone Become Your Third Child? Ways to Get Screen Time Anxiety Under Control

You aren’t going to like this post. However, you will, hopefully, find yourself nodding and perhaps even making some changes because of it. Here it is, friends: That love-hate relationship you have with your smartphone may need some serious attention — not tomorrow or next week — but now.

I’m lecturing myself first by the way. Thanks to the June iOS update that tracks and breaks down phone usage, I’m ready — eager in fact — to make some concrete changes to my digital habits. Why? Because the relationship with my phone – which by the way has become more like a third child — is costing me in time (75 days a year to be exact), stress, and personal goals.

I say this with much conviction because the numbers don’t lie. It’s official: I’m spending more time on my phone than I am with my kids. Likewise, the attention I give and the stress caused by my phone is equivalent to parenting another human. Sad, but true. Here’s the breakdown.

Screen time stats for the past seven days:

  • 5 hours per day on my device
  • 19 hours on social networks
  • 2 hours on productivity
  • 1 hour on creativity
  • 18 phone pickups a day; 2 pickups per hour

Do the math:

  • 35 hours a week on my device
  • 1,820 hours a year on my device
  • 75 days a year on my device

Those numbers are both accurate and disturbing. I’m not proud. Something’s gotta give and, as Michael Jackson once said, change needs to start with the man (woman) in the mirror.

A 2015 study by Pew Research Center found that 24% of Americans can’t stop checking their feeds constantly. No surprise, a handful of other studies confirm excessive phone use is linked to anxiety, depression, and a social phenomenon called FOMO, or Fear Of Missing Out.

Efficiency vs. Anxiety

There’s no argument around the benefits of technology. As parents, we can keep track of our kids’ whereabouts, filter their content, live in smart houses that are efficient and secure, and advance our skills and knowledge at lightning speeds.

That’s a lot of conveniences wrapped in even more pings, alerts, and notifications that can cause anxiety, sleeplessness, and stress. In our hyper-connected culture, it’s not surprising to see this behavior in yourself or the people in your social circles.

  • Nervousness or anxiety when you are not able to check your notifications.
  • An overwhelming need to share things — photos, personal thoughts, stresses — with others on social media.
  • Withdrawal symptoms when you are not able to access social media.
  • Interrupting conversations to check social media accounts.
  • Lying (downplaying) to others about how much time you spend on social media sites.

We often promote balance in technology use, but this post will go one step further. This post will get uncomfortably specific in suggesting things to do to put a dent in your screentime. (Again, these suggested changes are aimed at this mom first.)

Get Intentional

  • Look at your stats. A lot of people don’t go to the doctor or dentist because they claim “not knowing” about an ailment is less stressful than knowing. Don’t take that approach to your screen time. Make today the day you take a hard look at reality. Both iOS and Android now have screen time tracking.
  • Get reinforcements. There are a lot of apps out there like Your Hour, AppBlock, Stay Focused, Flipd, and App Off Timer designed to help curb your smartphone usage. Check out the one(s) that fit your needs and best help you control your screen time.
  • Plan your week. If you have activities planned ahead of time for the week — like a hike, reading, a movie, or spending time with friends — you are less likely to fritter away hours on your phone.
  • Leave your phone at home. Just a decade ago we spent full days away from home running errands, visiting friends, and exploring the outdoors — all without our phones. The world kept turning. Nothing fell to pieces. So start small. Go to the grocery store without your phone. Next, have dinner with friends. Then, go on a full day excursion. Wean yourself off your device and reclaim your days and strengthen your relationships.
  • Establish/enforce free family zones. Modeling control in your phone use helps your kids to do the same. Establish phone free zones such as homework time, the dinner table, family activities, and bedtime. The key here is that once you establish the phone free zones, be sure to enforce them. A lot of parents (me included) get lax after a while in this area. Research products that allow you to set rules and time limits for apps and websites. McAfee Safe Family helps you establish limits with pre-defined age-based rules that can be customized based on your family’s needs.
  • Delete unused apps. Give this a try: Delete one social app at a time, for just a day or a week, to see if you need it. If you end up keeping even one time-wasting app off your phone, the change will be well worth it.
  • Engage with people over your phone. If you are in the line at the grocery store, waiting for a show to begin, or hanging out at your child’s school/ sports events, seek to connect with people rather than pull out your phone. Do this intentionally for a week, and it may become a habit!
  • Do one thing at a time. A lot of wasted device time happens because we are multi-tasking — and that time adds up. So if you are watching a movie, reading, or even doing housework, put your phone in another room — in a drawer. Try training yourself to focus on doing one thing at a time.
  • Give yourself a phone curfew. We’ve talked about phone curfews for kids to help them get enough sleep but how about one for parents? Pick a time that works for you and stick to it. (I’m choosing to put my phone away at 8 p.m. every night.)
  • Use voice recorder, notes app, or text. Spending too much time uploading random content? Curb your urge to check or post on social media by using your voice recorder app to speak your thoughts into. Likewise, pin that article or post that photo to your notes to catalog it in a meaningful way or text/share it with a small group of people. These few changes could result in big hours saved on social sites.
  • Turn off notifications. You can’t help but look at those notifications so change your habitual response by turning off all notifications.
  • Limit, don’t quit. Moderation is key to making changes stick. Try limiting your social media time to 10 minutes a day. Choose a time that works and set a timer if you need to. There’s no need to sever all ties with social media; just keep it in its proper place.

Slow but Specific Changes

Lastly, go at change slowly (but specifically) and give yourself some grace. Change isn’t easy. You didn’t rack up those screen time stats overnight. You’ve come to rely on your phone for a lot of tasks as well as entertainment. So, there’s no need to approach this as a life overhaul, a digital detox, or take an everything or nothing approach. Nor is there a need to trumpet your social departure to your online communities. Just take a look at your reality and do what you need to do to take back your time and control that unruly third child once and for all. You’ve got this!

The post Has Your Phone Become Your Third Child? Ways to Get Screen Time Anxiety Under Control appeared first on McAfee Blogs.

What Parents Need to Know About Live-Stream Gaming Sites Like Twitch

Clash of Clans, Runescape, Fortnite, League of Legends, Battlefield V, and Dota 2. While these titles may not mean much to those outside of the video gaming world, they are just a few of the wildly popular games thousands of players are live streaming to viewers worldwide this very minute. However, with all the endless hours of entertainment this cultural phenomenon offers tweens, teens, and even adults, it also comes with some risks attached.

The What

Each month more than 100,000 people log onto sites like Twitch and YouTube to watch gamers play. Streamers, also called twitchers, broadcast their gameplay live online while others watch and participate through a chat feature. Each gamer attracts an audience (a few dozen to hundreds of thousands daily) based on his or her skill level and the kind of commentary and viewer interaction he or she offers.

Reports state that video game streaming can attract more viewers than some of cable’s most popular television shows.

The Why

Ask any streamer (or viewer) why they do it, and many will tell you it’s to showcase and improve their skills and to be part of a community of people who are equally as passionate about gaming.

Live streaming is also free and global so gamers from any country can connect in any language. You’ll find streamers playing games in Turkish, Russian, Spanish, and the list goes on. Many streamers have gone from amateurs to gaming celebrities with elaborate production and marketing of their Twitch or YouTube feeds.

Some streamers hold marathon streaming sessions and multi-player competitions designed to benefit charities. Twitch is also appealing because it allows users to watch popular gaming conventions such as TwitchCon, E3, and Comic-Con. There are also live gaming talk shows and podcasts and a channel where users can watch people do everyday things like cook, create pieces of art, or play music.

The Risks

Although Twitch’s community guidelines prohibit violent behavior, sexual content, bullying, and harassment, a browse through some of the live games suggests that many users don’t take the guidelines seriously.

Here are just a few things to keep in mind if your kids frequent live streaming communities like Twitch.

  1. Bullying. Bullying happens on every social network in some form. Twitch is no different. In one study, over 13% of respondents said they felt personally attacked on Twitch, and more than 27% have witnessed racial or gender-based bullying in live streaming.
  2. Crude language. While there are streamers who put a big emphasis on keeping things clean, most Twitch streamers do not. Some streamers will put up a “mature content” warning before you click on their site. Both streamers and viewers can get harsh with language, conversations, and points of view.
  3. Violent games. Many of the games on Twitch are violent and intended for mature viewers. However, you can also find some more mild games such as Minecraft and Mario Brothers if your kids are younger. The best way to assess a game’s violence is to sit and watch it with your child.
  4. Health risks. Sitting and playing video games for extended periods of time can affect players’ and viewers’ physical and emotional well-being. In the most extreme cases, gamers have died due to excessive gaming.
  5. Costs. Signing up for Twitch and watching games is free, but if you want the extras (no ads), it’s $8.99 a month. Viewers can also subscribe to individual gamers’ feeds and purchase “bits” to cheer on their favorite players (kind of like badges), which can add up quickly.
  6. Stalking. Viewers have been known to stalk, harass, rob, and try to meet celebrity streamers. Recently, Twitch announced both private and public chat rooms to try to boost privacy among users.
  7. Swatting. An increasingly popular practice called “swatting” involves reporting a fake emergency at the home of the victim in order to send a SWAT team to barge in on them. In some cases, swatting cases connected to Twitch have ended tragically.
  8. Wasted time. Marathon gaming sessions, skipping school to play or view games, and gaming through the night are common in Twitch communities. Twitch, like any other social network, needs parental attention and ground rules.
  9. Privacy. Spending a lot of time with people in an online “community” can result in a false sense of trust. Often kids will answer an innocent question in a live chat such as where they live or what school they go to. Leaking little bits of information over time allows a corrupt person to piece together a picture of your data.

An endnote: If your kids love Twitch or live stream gaming on YouTube or other sites, spend some time on those sites. Listen to the conversations your kids are having with others online. What’s the tone? Is there too much sarcasm or cruel “joking” going on? Put time limits on screen time and remember that balance and monitoring are key to guiding healthy online habits.

The post What Parents Need to Know About Live-Stream Gaming Sites Like Twitch appeared first on McAfee Blogs.

#CyberAware: Teaching Kids to Get Fierce About Protecting Their Identity

It wasn’t Kiley’s fault, but that didn’t change the facts: The lending group denied her college loan due to poor credit, and she didn’t have a plan B. Shocked and numb, she began to dig a little deeper. She discovered that someone had racked up three hefty credit card bills using her Social Security Number (SSN) a few years earlier.

Her parents had a medical crisis and were unable to help with tuition, and Kiley’s scholarships didn’t cover the full tuition. With just months left before leaving to begin her freshman year at school, Kiley was forced to radically adjust her plans. She enrolled in the community college near home and spent her freshman year learning more than she ever imagined about identity protection and theft.

The Toll: Financial & Emotional

Unfortunately, these horror stories of childhood identity theft are all too real. According to Javelin Strategy & Research, more than 1 million children were victims of identity fraud in 2017, resulting in losses of $2.6 billion and more than $540 million in out-of-pocket costs to the families.

The financial numbers don’t begin to reflect the emotional cost victims of identity theft often feel. According to the 2017 Identity Theft Aftermath report released by the Identity Theft Resource Center, victims report feeling rage and severe distress, as well as feeling angry, frustrated, paranoid, vulnerable, fearful, and — in 7% of the cases — even suicidal.

Wanted: Your Child’s SSN

Sadly, because of their clean credit history, cyber crooks love to target kids. Also, identity theft among kids often goes undiscovered for more extended periods of time. Thieves have been known to use a child’s identity to apply for government benefits, open bank or credit card accounts, apply for a loan or utility service, or rent a place to live. Often, until the child grows up and applies for a car or student loan, the theft goes undetected.

Where do hackers get the SSNs? Data breaches can occur at schools, pediatrician offices, and banks, and SSNs can also be taken in home robberies. A growing area of concern involves medical identity theft, which gives thieves the ability to access prescription drugs and even expensive medical treatments using someone else’s identity.

6 Ways to Build #CyberAware Kids

  1. Talk, act, repeat. Identity theft isn’t a big deal until it personally affects you or your family; only then, it’s too late. Discuss identity theft and its fallout with your kids. But don’t just talk — put protections in place. Remind your child (again) to keep personal information private. (Yes, this habit includes keeping passwords and personal data private even from BFFs!)
  2. Encourage kids to be digitally savvy. Help your child understand the tricks hackers play to steal the identities of innocent people. Identity thieves will befriend children online with the goal of gathering personal information to steal their identity. Thieves are skilled at trolling social networks looking at user profiles for birth dates, addresses, and names of family members to piece together the identity puzzle. Challenge your kids to be on the hunt for imposters and catfishes. Teach them to be suspicious about links, emails, texts, pop up screens, and direct messages from “cute” but unknown peers on their social media accounts. Teach them to go with their instincts and examine websites, social accounts, and special shopping offers.
  3. Get fierce about data protection. Don’t be quick to share your child’s SSN or secondary information such as date of birth, address, and mother’s maiden name, and teach your kids to do the same. Also, never carry your child’s (or your) physical Social Security card in your wallet or purse. Keep it in a safe place, preferably under lock and key. Only share your child’s data when necessary (school registration, passport application, education savings plan, etc.) and only with trusted individuals.
  4. File a proactive fraud alert. By submitting a fraud alert in your child’s name with the credit bureaus several times a year, you will be able to catch any credit fraud early. Since your child hasn’t built any credit, anything that comes back will be illegal activity. The fraud alert will remain in place for only 90 days. When the time runs out, you’ll need to reactivate the alert. You can achieve the same thing by filing an earnings report from the Social Security Administration. The report will reveal any earnings acquired under your child’s social security number.
  5. Know the warning signs. If someone is using your child’s data, you may notice: 1) Pre-approved credit card offers addressed to them arriving via mail 2) Collection agencies calling and asking to speak to your child 3) Court notices regarding delinquent bills. If any of these things happen, your first step is to call and freeze their credit with the three credit reporting agencies: Equifax, Experian, and TransUnion.
  6. Report theft. If you find a violation of your child’s credit of any kind go to to report the crime and begin restoring your child’s credit. This site is easy to navigate and takes you step-by-step down the path of restoring stolen credit.

Building digitally resilient kids is one of the primary tasks of parents today. Part of that resilience is taking the time to talk about this new, digital frontier that is powerful but has a lot of security cracks in it that can negatively impact your family. Getting fierce about identity protection can save your child (and you) hours and even years of heartache and financial loss.


Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures)

The post #CyberAware: Teaching Kids to Get Fierce About Protecting Their Identity appeared first on McAfee Blogs.

Vietnam Approves New Cybersecurity Law

On June 12, 2018, Vietnam’s parliament approved a new cybersecurity law that contains data localization requirements, among other obligations. Technology companies doing business in the country will be required to operate a local office and store information about Vietnam-based users within the country. The law also requires social media companies to remove offensive content from their online service within 24 hours at the request of the Ministry of Information and Communications and the Ministry of Public Security’s cybersecurity task force. Companies could face substantial penalties for failure to disclose information upon governmental request. In addition, the law bans internet users in Vietnam from organizing people for anti-state purposes and imposes broad restrictions on using speech to distort the country’s history or achievements. As reported in BNA Privacy Law Watch, the law will take effect on January 1, 2019.

Facebook Publishes Privacy Principles and Announces Introduction of Privacy Center

On January 28, 2018, Facebook published its privacy principles and announced that it will centralize its privacy settings in a single place. The principles were announced in a newsroom post by Facebook’s Chief Privacy Officer and include:

  • “We give you control of your privacy.”
  • “We help people understand how their data is used.”
  • “We design privacy into our products from the outset.”
  • “We work hard to keep your information secure.”
  • “You own and can delete your information.”
  • “Improvement is constant.”
  • “We are accountable.”

In conjunction with the publication of the privacy principles, Facebook also announced the creation of a new privacy center and an educational video campaign for its users that focuses on advertising, reviewing and deleting old posts, and deleting accounts. The videos will appear in users’ news feeds and will be refreshed throughout the year.

Advocate General Rejects Facebook’s Claim of Sole Irish Jurisdiction in EU

On October 24, 2017, an opinion issued by the EU’s Advocate General Bot (“Bot”) rejected Facebook’s assertion that its EU data processing activities fall solely under the jurisdiction of the Irish Data Protection Commissioner. The non-binding opinion was issued in relation to the CJEU case C-210/16, under which the German courts sought to clarify whether the data protection authority (“DPA”) in the German state of Schleswig-Holstein could take action against Facebook with respect to its use of web tracking technologies on a German education provider’s fan page without first providing notice.

Although Facebook’s EU data processing activities are handled jointly by Facebook, Inc. in the U.S. and Facebook Ireland, its European headquarters, Facebook has a number of subsidiaries in other EU Member States that promote and sell advertising space on the social network. In line with Directive 95/46/EC and the Google Spain decision, Bot held that the processing of personal data via cookies, which Facebook used to improve its targeting of advertisements, had to be considered as being in the context of the activities of the German establishment. It therefore followed that Facebook fell under the jurisdiction of the German DPA and other DPAs in which its subsidiaries engaged in the promotion and sale of advertising space.

The opinion is non-binding and Facebook awaits the CJEU’s verdict. It should be noted, however, that most CJEU verdicts follow the prior opinions of Advocates General. Also, this situation may be interpreted differently under the EU’s General Data Protection Regulation (“GDPR”), which replaces existing EU Member State data protection laws based on Directive 95/46/EC when it enters into force on May 25, 2018. Under the GDPR, the One-Stop-Shop mechanism will see the DPA in an organization’s main EU establishment take the role of lead authority. In other EU Member States where the organization has establishments, DPAs will be regarded as ‘concerned authorities,’ but any regulatory action will be driven by the lead authority—which in Facebook’s case likely is the Irish Data Protection Commissioner.

Washington Becomes Third State to Enact Biometric Privacy Law

On May 16, 2017, the Governor of the State of Washington, Jay Inslee, signed into law House Bill 1493 (“H.B. 1493”), which sets forth requirements for businesses that collect and use biometric identifiers for commercial purposes. The law will become effective on July 23, 2017. With the enactment of H.B. 1493, Washington becomes the third state to pass legislation regulating the commercial use of biometric identifiers. Previously, both Illinois and Texas enacted the Illinois Biometric Information Privacy Act (740 ILCS 14) (“BIPA”) and the Texas Statute on the Capture or Use of Biometric Identifier (Tex. Bus. & Com. Code Ann. §503.001), respectively.

H.B. 1493 defines “biometric identifier” as data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises or other unique biological patterns or characteristics that are used to identify a specific individual. Interestingly, unlike the Illinois and Texas statutes, H.B. 1493’s definition of “biometric identifier” does not reference a record or scan of face geometry (i.e., facial recognition data). The definition also explicitly excludes “physical or digital photographs, video or audio recording or data generated therefrom,” and certain health-related data processed pursuant to the Health Insurance Portability and Accountability Act of 1996. Notably, several putative class action lawsuits have been filed against social networking sites, such as Shutterfly, for allegedly using facial recognition technology to scan users’ uploaded photographs in violation of BIPA’s notice and consent requirements. Although it is unclear whether H.B. 1493 covers scans of face geometry, the lack of explicit inclusion of such data may be a response to such lawsuits.

Pursuant to H.B. 1493, a person may not “enroll” a biometric identifier in a database for a commercial purpose without first providing notice, obtaining consent or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose. In contrast to the Illinois and Texas statutes, which broadly regulate the capture (or, in the case of BIPA, the possession) of biometric identifiers, Washington’s statute is limited to those persons that “enroll” biometric identifiers by capturing the data, converting it into a reference template that cannot be reconstructed into the original output image, and storing it in a database that matches the biometric identifier to a specific individual. Notably, the statute’s limitations on disclosure and retention of biometric identifiers do not apply to biometric identifiers that have been “unenrolled.”

H.B. 1493 contains detailed requirements governing the enrollment of biometric identifiers for a commercial purpose, as well as the subsequent disclosure of such data. In particular:

  • The statute makes it clear that the notice required under the law is separate from, and is not considered, “affirmative consent.”
  • Unlike BIPA, which explicitly requires a written release from the subject before obtaining his or her biometric identifier, H.B. 1493 broadly states that the exact notice and type of consent required to achieve compliance is “context-dependent.” The notice must be given through a procedure reasonably designed to be readily available to affected individuals.
  • A person who enrolls a biometric identifier for a commercial purpose or obtains a biometric identifier from a third party for a commercial purpose may not use or disclose it in a manner that is materially inconsistent with the terms under which the biometric identifier was originally provided without obtaining consent for the new use or disclosure.
  • Unless consent has been obtained, a person who has enrolled an individual’s biometric identifier may not sell, lease or otherwise disclose the biometric identifier to another person for a commercial purpose unless one of certain enumerated statutory exceptions applies, including: (1) where necessary to provide a product or service requested by the individual; or (2) where disclosed to a third party who contractually promises that the biometric identifier will not be further disclosed and will not be enrolled in a database for a commercial purpose that is inconsistent with the notice and consent provided.

Importantly, unlike the Illinois and Texas statutes, H.B. 1493 contains a broad “security exception,” exempting those persons that collect, capture, enroll or store biometric identifiers in furtherance of a “security purpose.”

Similar to the Illinois and Texas statutes, H.B. 1493 also contains data security and retention requirements. In particular, the statute requires (1) reasonable care to guard against unauthorized access to and acquisition of biometric identifiers and (2) retention of biometric identifiers for no longer than necessary to comply with the law, protect against fraud, criminal activity, security threats or liability, or to provide the service for which the biometric identifier was enrolled.

As with the Texas biometric law, H.B. 1493 does not create a private right of action to allow for suits by individual plaintiffs. Instead, only the Washington Attorney General can enforce the requirements. The Illinois biometric law currently is the only state biometric statute that includes a private right of action.

Although Washington is only the third state to enact a biometric privacy law, several other states are considering similar legislation as the commercial collection and use of biometric identifiers becomes more commonplace.

Texas AG Settles Suit with Messaging App Over Children’s Data Practices

On October 3, 2016, the Texas Attorney General announced a $30,000 settlement with mobile app developer Juxta Labs, Inc. (“Juxta”) stemming from allegations that the company violated Texas consumer protection law by engaging in false, deceptive or misleading acts or practices regarding the collection of personal information from children.

The Texas Attorney General alleged that Juxta, the developer of the “Jott” messaging app and other apps for gaming and social media, misled consumers regarding the company’s privacy practices and compliance with privacy laws. According to the Texas Attorney General, Juxta’s apps were previously easy for children of any age to access. Many of the company’s apps offered free children’s games, generating revenue from advertisements and in-app purchases. Personal information was transmitted over these apps, including IP addresses and GPS coordinates, which could be used to pinpoint a child’s location.

Under the terms of the Assurance of Voluntary Compliance (“AVC”), approved by the Travis County District Court, Juxta agreed not to misrepresent its privacy practices regarding the personal information it collects from children under the age of 13, and not to engage in such collection through its apps unless the apps are in compliance with the Children’s Online Privacy Protection Act (“COPPA”). The AVC adopts COPPA’s definition of “Personal Information,” which includes data such as online contact information (such as an instant message user identifier); a photograph, video or audio file that contains a child’s image or voice; geolocation information sufficient to identify street name and name of a city or town; and persistent identifiers that can be used to recognize a user over time and across different websites or online services (e.g., IP addresses or a customer number held in a cookie). Juxta must also develop and maintain an up-to-date and accurate privacy policy that is clear, conspicuous and understandable. This privacy policy must be made prominently available on each of its apps and websites, including a hyperlink to the policy in any areas of its apps or websites that collect personal information from children younger than 13.

Additionally, Juxta is required to develop, implement and maintain procedures to ensure its Jott app does not contain any networks that are likely to predominantly include children under the age of 13. In particular, Juxta must refrain from designating any of its networks as an “Elementary School” network within the State of Texas. In the event Juxta seeks to prevent children under the age of 13 from using its apps or providing personal information, Juxta must implement and maintain reasonable neutral age screening mechanisms that discourage children from falsifying their age. Juxta further agreed to delete within 30 days (1) all personal information of children under 13 in its custody or control, and (2) all personal information in its custody or control regarding members of its “Elementary School” networks.

WhatsApp Updates Privacy Policy to Share Information with Facebook

On August 25, 2016, WhatsApp announced in a blog post that the popular mobile messaging platform updated its Terms of Service and Privacy Policy to permit certain information sharing with Facebook. After Facebook acquired WhatsApp in 2014, the Director of the FTC’s Bureau of Consumer Protection wrote a letter to both Facebook and WhatsApp that discussed the companies’ obligations to honor privacy statements made to consumers in connection with the acquisition.

WhatsApp has developed FAQs that discuss the changes to the Terms of Service and Privacy Policy. In addition to describing new product features, such as WhatsApp Calling, the FAQs describe the new information sharing with Facebook. WhatsApp will begin to share users’ phone numbers that are registered with WhatsApp, as well as the last time that individuals used the service. According to the update, WhatsApp will not disclose the content of any messages or photos sent via WhatsApp to Facebook.

The information disclosed to Facebook will be used for several purposes. These include enabling WhatsApp and Facebook to (1) more accurately count users, (2) fight spam and abuse, and (3) improve user experiences across WhatsApp and Facebook services, such as providing better friend suggestions and more relevant ads on Facebook. WhatsApp will provide its users with the ability to opt out from sharing information with Facebook for the purpose of improving Facebook ads and product experiences.

Anti-Terrorism Law Enacted in China

On December 27, 2015, the Standing Committee of the National People’s Congress of the People’s Republic of China published the P.R.C. Anti-Terrorism Law. The law was enacted in response to a perceived growing threat from extremists and terrorists, particularly in regions in Western China, and came into effect on January 1, 2016.

As its name suggests, the main goal of the law is to strengthen national security and to prevent terrorism. The law defines terrorism and declares it to be illegal, authorizing both civil and criminal sanctions. The law also takes certain actions that promote its objectives, such as (1) allowing for the designation of certain organizations as terrorist organizations, (2) establishing institutions such as a counter-terrorism intelligence agency and counter-terrorism units of the armed police forces and of the People’s Liberation Army to allow for the requisition of property in urgent circumstances, (3) mandating a system for incident response planning and (4) providing for international cooperation. It also empowers public security agencies to take actions such as launching investigations and even using weaponry in emergency or dangerous circumstances.

Certain provisions in the law require telecommunications system operators and Internet service providers to provide technical support and assistance, such as access to their technical interfaces and assistance with decryption, to public security and state security authorities which may be conducting investigations of terrorist activities or taking action to prevent them. The law also requires telecommunications system operators and Internet service providers to adopt network security systems and information content monitoring systems to prevent the dissemination of information containing terrorist or extremist content over their systems. If they discover information with terrorist or extremist content being disseminated over their systems, they must halt the dissemination, close the relevant websites, keep records of the incident and make a report to the relevant public security organizations. A fine of more than RMB ¥500,000 may be imposed on telecommunications system operators and Internet service providers who fail to provide technical interfaces, decryption and other technical support or assistance to competent government agencies, and the person in charge may be subject to a fine of up to RMB ¥500,000 and possibly detention of up to 15 days.

The Anti-Terrorism Law permits the People’s Liberation Army to get involved in anti-terrorism operations overseas. It also restricts the right of media of various types to report the details of terrorist attacks. For instance, social media cannot report on details of terror activities that might inspire copycat attacks, and cruel and inhuman scenes cannot be depicted in their reports.

The Anti-Terrorism Law contains several provisions that are significant in the context of personal information protection. For instance, the law requires railway, road, water and air transport operators and postal offices, couriers or other logistics operators to conduct an examination of the identities of their clients, and to perform security checks and visual checks on the articles they transport and deliver. An operator listed above which fails to comply with the foregoing obligations may face a fine of up to RMB ¥500,000 (approximately $76,250 USD at current exchange rates), and the person in charge may face a fine of up to RMB ¥100,000.

Service providers in certain industry sectors, such as the telecommunications, Internet, finance, hotel, long-distance passenger transportation and automobile leasing sectors, are required to conduct an examination of the identities of their clients as well. Service providers which fail to examine their clients’ identities, or provide services to those who refuse to make this examination, may be subject to fines of more than RMB ¥500,000. The person in charge may face a fine of up to RMB ¥500,000.

The law permits the collection of financial personal information, including information that would be considered sensitive personal information in other jurisdictions, for purposes of investigating suspected terrorist activities. For instance, during such investigations public security organizations have the authority to investigate the financial information of suspects, such as information relating to their bank deposits and stock and bond holdings. Also during an investigation, public security organizations are given the authority to collect information about suspects including their portrait, fingerprints, iris images and biological samples such as blood samples. In addition, government authorities and other entities or individuals that may be involved are required to keep in confidence any state secret, trade secret or private personal information which may be obtained during the performance of their anti-terrorism investigations.

The Anti-Terrorism Law defines circumstances in which state security organizations have authority to collect personal information. In such circumstances, when there is a conflict with other data privacy regulations that may otherwise prohibit collection, the Anti-Terrorism Law presumably would control. The Anti-Terrorism Law represents a further step in the sector-by-sector development of China’s data privacy framework.

Hunton Sponsors 14th Annual Data Protection Compliance Conference

On October 15 and 16, 2015, Hunton & Williams is pleased to sponsor PDP’s 14th Annual Data Protection Compliance Conference in London. Bridget Treacy, Head of the UK Privacy and Cybersecurity practice at Hunton & Williams, chairs the conference, which features speakers from the data protection industry, including Christopher Graham, UK Information Commissioner, and Rosemary Jay, senior consultant attorney at Hunton & Williams.

The conference is designed to provide data protection professionals with information regarding the latest challenges in the data protection landscape, including managing crisis communications and the intersection of U.S. and EU privacy law. The second day of the conference includes in-depth and interactive workshops on topics ranging from the EU General Data Protection Regulation and cross-border data transfers to data breaches and social media.

For more information and to register, visit the PDP website.

Delaware Governor Signs Set of Online Privacy Bills

On August 7, 2015, Delaware Governor Jack Markell signed four bills into law concerning online privacy. The bills, drafted by the Delaware Attorney General, focus on protecting the privacy of website and mobile app users, children, students and crime victims.

1. The Delaware Online and Personal Privacy Protection Act

The Delaware Online and Personal Privacy Protection Act (S.B. 68) will require operators of commercial internet services such as websites and mobile apps to make a privacy policy conspicuously available to the extent they collect online personally identifiable information (“PII”) of Delaware residents. Pursuant to the bill, the website or mobile app must have a privacy policy in place that discloses, among other things, information regarding the service’s collection and disclosure of PII and its online tracking practices.

This bill also aims to protect children’s privacy by restricting online businesses from advertising or marketing specific types of age-restricted products (such as alcohol and firearms) and services (such as certain gambling activities) on websites and mobile apps directed to children. In addition, the bill regulates the privacy practices of online businesses that primarily provide services related to e-books, including audio books. The bill restricts book service providers from knowingly disclosing a user’s PII to third parties without written consent and requires them to post an annual transparency report on their website.

2. The Student Data Privacy Protection Act

The Student Data Privacy Protection Act (S.B. 79) is modeled on California’s Student Online Personal Information Privacy Act and restricts education technology providers from selling student data, using student data to engage in targeted advertising directed to students or their families, amassing a profile on students to be used for non-educational purposes or disclosing student data unless in accordance with a permissible purpose set forth in the bill.

3. The Employee/Applicant Protection for Social Media Act

Similar to laws in other states, the Employee/Applicant Protection for Social Media Act (H.B. 109) places restrictions on an employer requiring or requesting access to an employee’s or applicant’s personal social media account.

4. The Victim Online Privacy Act

The Victim Online Privacy Act (H.B. 102) provides privacy protection for witnesses and victims of crimes. It prohibits posting or publicly disclosing online contact information or images of crime victims, material witnesses or their families for the purpose of inciting someone to commit violence against them.

States Writing Biometric-Capture Laws May Look to Illinois

Recent class actions filed against Facebook and Shutterfly are the first cases to test an Illinois law that requires consent before biometric information may be captured for commercial purposes. Although the cases focus on biometric capture activities primarily in the social-media realm, these cases and the Illinois law at issue have ramifications for any business that employs biometric-capture technology, including those who use it for security or sales-and-marketing purposes. In a recent article published in Law360, Hunton & Williams partner, Torsten M. Kracht, and associate, Rachel E. Mossman, discuss how businesses already using these technologies need to keep abreast of new legislation that might affect the legality of their practices, and how businesses considering the implementation of these technologies should consult local rules and statutes before implementing biometric imaging.

Read the full article now.

Europe’s Highest Court Delays Decision in Safe Harbor Case Schrems vs. Facebook

On June 9, 2015, Max Schrems tweeted that the Advocate General of the European Court of Justice (“ECJ”) will delay his opinion in Europe v. Facebook, a case challenging the U.S.-EU Safe Harbor Framework. The opinion was previously scheduled to be issued on June 24. No new date has been set.

The delay may allow the U.S. and EU to conclude their negotiations regarding updating the Safe Harbor Framework before the ECJ issues an opinion that could impact the Framework. According to reports, although certain issues concerning the national security exemptions to the U.S.-EU Safe Harbor Framework still need to be resolved, the negotiations are expected to be concluded within weeks.

In his case against Facebook, Austrian law student Max Schrems challenges the Irish Data Protection Commissioner’s claim that the Safe Harbor agreement precluded the agency from stopping data transfers from Ireland to the U.S. by Facebook, which participates in the Safe Harbor. Schrems’ case was prompted by the Snowden revelations about U.S. national security authorities accessing personal data of EU citizens transferred to the U.S. via the Safe Harbor Framework. Schrems is seeking the end of the U.S.-EU Safe Harbor Framework.

Belgian Data Protection Authority Issues Recommendation on Facebook’s User Tracking

On May 13, 2015, the Belgian Data Protection Authority (the “DPA”) published a recommendation addressing the use of social plug-ins associated with Facebook and its services (the “Recommendation”). The Recommendation stems from the recent discussions between the DPA and Facebook regarding Facebook’s privacy policy and the tracking of individuals’ Internet activities.

In taking the position that Facebook is subject to Belgian data protection law, the Recommendation focuses on the legitimacy of tracking user activities through Facebook’s social plug-ins. When used to track Internet activities, the DPA asserts that Facebook should obtain a user’s unambiguous and specific consent prior to placing or obtaining cookies through social plug-ins. The DPA further finds that it is excessive to systematically collect information concerning individuals’ visits to websites that contain social plug-ins, even where individuals do not interact with the social plug-ins.

The Recommendation advocates that Facebook be transparent regarding its use of cookies and cease collecting information through cookies and social plug-ins from non-Facebook users or users who have de-activated or logged out of their Facebook account without first obtaining opt-in consent. With respect to active Facebook users, the DPA noted that Facebook should only collect and use information through cookies and social plug-ins when strictly necessary to provide a service explicitly requested by the particular user. In all other cases, opt-in consent from Facebook users is required, according to the DPA.

Furthermore, the Recommendation warns against automatically sharing information with Facebook based on the mere presence of a social plug-in. As a final recommendation to Facebook, the DPA emphasizes that Facebook should modify its user interface to facilitate opt-in consent from its users for the collection and use of information obtained through cookies, in particular, for the use of this information for advertising purposes.

The Recommendation also includes guidance aimed at owners and hosts of websites using social plug-ins from Facebook, as well as Internet users. With regard to website owners and hosts, the DPA points out that they should ensure that social network buttons are only activated after the website users’ consent has been obtained. To comply with this obligation, the DPA recommends the use of instruments, such as “Social Share Privacy,” to help ensure that third party plug-ins only connect to the third party’s servers after the user has clicked on the social plug-in button.

The DPA has indicated in the media that an enforcement action against Facebook may be necessary if the recommendation is not followed.

CNIL, ICO and GPEN Review Websites Aimed at Children During Internet Sweep

On May 11, 2015, the French Data Protection Authority (“CNIL”) and the UK Information Commissioner’s Office (“ICO”) announced that they will participate in a coordinated online audit to assess whether websites and apps that are directed toward children, and those that are frequently used by or popular among children, comply with global privacy laws. The audit will be coordinated by the Global Privacy Enforcement Network (“GPEN”), a global network of approximately 50 data protection authorities (“DPAs”) from around the world.

In addition to the CNIL and the ICO, 27 other DPAs that are members of the GPEN will participate, including four German DPAs (the Federal Commissioner for Data Protection and Freedom of Information, the Data Protection Supervisory Authority of Bavaria, the Berlin Data Protection Commissioner and the Data Protection Commissioner of Hessen). View the full list of participating DPAs.

The joint effort will run from May 11 to 15, and will target child-directed websites and apps, such as gaming websites, social networking websites and educational websites. Specifically, the participating DPAs will verify whether the targeted websites and apps:

  • Seek parents’ consent before allowing children to use the services offered or provide personal data;
  • Raise public awareness regarding privacy;
  • Provide a privacy notice tailored to younger audiences (e.g., clear language, animated images, etc.); and
  • Facilitate the erasure of personal data provided by children.

As in prior years, the participating DPAs will use an analysis grid to obtain (1) a global picture of the privacy practices of child-directed websites and (2) details about practices common to particular jurisdictions. The DPAs intend to publish a combined report in Fall 2015.

The CNIL and the ICO have stressed that they could conduct further inspections and launch enforcement proceedings if their initial findings reveal serious breaches of applicable data protection law. Other DPAs participating in the joint audit may take similar action.

Finland Introduces New Electronic Privacy Requirements for Online Communications Services Providers

On January 1, 2015, Finland’s Information Security Code (2014/917, the “Code”) became effective. The Code introduces substantial revisions to Finland’s existing electronic communications legislation and consolidates several earlier laws into a single, unified text. Although many of these earlier laws remain unchanged, the Code includes extensive amendments in a number of areas.

The most significant change is the broadened obligation to protect the confidentiality of communications, which previously applied only to telecommunications providers. Under the Code, this obligation applies to all providers of electronic communications services, such as instant messaging services and many online social networking tools. As a result of this change, providers of these services have an obligation to maintain the security and confidentiality of electronic messages sent over their systems.

Another important new provision allows for the extraterritorial application of the Code. Businesses that are established outside the EU, but offer their services in Finnish or otherwise target Finnish residents are, in theory, subject to the requirements of the Code. This is a similar approach to that taken in the forthcoming EU General Data Protection Regulation, which seeks to require businesses located outside the EU to comply with EU privacy laws if they (1) offer goods or services to EU residents, or (2) monitor the behavior of EU residents. How these extraterritoriality provisions will be enforced against businesses that have no assets in the EU remains an open question at this stage.

German DPA Appeals Court Decision on Facebook Fan Pages and Suggests Clarification by ECJ on Data Controllership

On January 14, 2015, the data protection authority of the German federal state of Schleswig-Holstein (“Schleswig DPA”) issued an appeal challenging a September 4, 2014 decision by the Administrative Court of Appeals, which held that companies using Facebook’s fan pages cannot be held responsible for data protection law violations committed by Facebook because the companies do not have any control over the use of the data.

The Schleswig DPA claimed that because companies create the fan pages, they are responsible for the data collected and processed by Facebook through the fan pages for purposes such as behavioral advertising. The Schleswig DPA also alleged that the court failed to (1) examine Facebook’s business model, (2) assess technical details related to the functioning of fan pages, and (3) consider the social use of fan pages. The Schleswig DPA argued that the Court of Appeals is in an appropriate position to rule and review decisions of lower courts only after it addresses the three issues above. In addition, the Schleswig DPA stated that Facebook’s business model violates a number of provisions in the German Telemedia Act, including the sections related to user profiling. The Schleswig DPA also suggested that if the court does not concur with the Schleswig DPA’s interpretation of EU data protection law regarding data controllership on social networking websites, the case should be referred to the European Court of Justice (“ECJ”) for a preliminary ruling. An ECJ preliminary ruling is a decision regarding the interpretation of European Union law at the request of an EU member state court.

NLRB Reverses Register Guard; Grants Workers Right to Use Employer Email System for Section 7 Purposes

As reported in the Hunton Employment & Labor Perspectives Blog:

In Purple Communications, Inc., a divided National Labor Relations Board (“NLRB”) held that employees have the right to use their employers’ email systems for statutorily protected communications, including self-organization and other terms and conditions of employment, during non-working time. In making this determination, the NLRB reversed its divided 2007 decision in Register Guard, which held that employees have no statutory right to use their employer’s email systems for Section 7 purposes.

The NLRB reasoned that the Register Guard decision was “clearly incorrect” and focused “too much on employers’ property rights and too little on the importance of email as a means of workplace communication.” The NLRB, however, claims to have limited its decision by 1) applying it only to employees who have already been granted access to the employer’s email system in the course of their work; 2) permitting employers to justify a total ban on non-work use of email, including Section 7 use on non-working time, by demonstrating that special circumstances make the ban necessary to maintain production or discipline; and 3) permitting employers, absent justification of a total ban, to apply uniform and consistently enforced controls over its email system to the extent such controls are necessary to maintain production and discipline. Moreover, the decision did not address the issues of email access by third parties or any other type of electronic communication systems.

Employers, particularly those with “business only” restrictions on company email use, potentially face new exposure to unfair labor practice charges. As such, employers are now pressed to reconsider their existing email communication policies, possibly through modification or repeal depending on the restrictions in place. We have covered labor-related developments regarding email and social media communications in previous entries.

A Few Thoughts on Privacy in the Age of Social Media

Everyone already knows there are privacy issues related to social media and new technologies. Non-tech-oriented friends and family members often ask me questions about whether they should avoid Facebook messenger or flashlight apps. Or whether it's OK to use credit cards online in spite of recent breach headlines. The mainstream media writes articles about leaked personal photos and the Snappening. So, it's out there. We all know. We know there are bad people out there who will attempt to hack their way into our personal data. But, that's only a small part of the story.

For those who haven't quite realized it, there's no such thing as a free service. Businesses exist to generate returns on investment capital. Some have said about Social Media, "if you can't tell what the product is, it's probably you." To be fair, most of us are aware that Facebook and Twitter will monetize via advertising of some kind. And yes, it may be personalized based on what we like or retweet. But, I'm not sure we fully understand the extent to which this personal, potentially sensitive, information is being productized.

Here are a few examples of what I mean:

Advanced Profiling

I recently viewed a product marketing video targeted to communications service providers. It describes the massive adoption of mobile devices and broadband connections, suggesting that by next year there will be 7.7 billion mobile phones in use with 15 billion connections globally. And that "All of these systems produce an amazing amount of customer data" to the tune of 40TB per day; only 3% of which is transformed into revenue. The rest isn't monetized. (Gasp!) The pitch is that by better profiling customers, telcos can improve their ability to monetize that data. The thing that struck me was the extent of the profiling.

As seen in the screen capture, the user profile presented extends beyond the telco services acquired or service usage patterns into the detailed information that flows through the system. The telco builds a very personal profile using information such as favorite sports teams, life events, contacts, location, favorite apps, etc. And we should assume that favorite sports team could easily be religious beliefs, political affiliations, or sexual interests.

IBM and Twitter

On October 29, IBM and Twitter announced a new relationship that enables enterprises to "incorporate Twitter data into their decision-making." In the announcement, Twitter describes itself as "an enormous public archive of human thought that captures the ideas, opinions and debates taking place around the world on almost any topic at any moment in time." And now all of those thoughts, ideas, and opinions are available for purchase through a partnership with IBM.

I'm not knocking Twitter or IBM. The technology behind these capabilities is fascinating and impressive. And perhaps Twitter users allow their data to be used in these ways by accepting the Terms of Use. But, it feels a lot more invasive to essentially provide any third party with a siphon into the massive data that is our Twitter accounts than it would be to, for example, insert a sponsored tweet into my feed that may be selected based on which accounts I follow or keywords I've tweeted.

Instagram Users and Facebook

I recently opened Facebook to see an updated list of People I may know. Most Facebook users are familiar with the feature. It can be an easy way to locate old friends or people who recently joined the network. But something was different. The list was heavily comprised of people who I sort of recognize but have never known personally.

I realized that Facebook was trying to connect me with many of the people behind the accounts I follow on Instagram. Many of these people don't use their real names, talk about their work, or discuss personal family matters on Instagram. They're photographers sharing photos. Essentially, they're artists sharing their art with anyone who wants to take a look. And it feels like a safe way to share.

But now I'm looking at a profile of someone I knew previously only as "Ty_Chi the landscape photographer" and I can now see that he is actually Tyson Kendrick, retail manager from Chicago, father of three girls and a boy. Facebook is telling me more than Mr. Kendrick wanted to share. And I'm looking at Richard Thompson, who's a marketing specialist for one of the brands I follow. I guess Facebook knows the real people behind brand accounts too. It started feeling pretty creepy.

What does it all mean?

Monetization of social media goes way beyond targeted advertising. Businesses are reaching deep into any available data to make connections or discover insights that produce better returns. Service providers and social media platforms may share customer details with each other or with third parties to improve their own bottom lines. And the more creative they get, the more our sense of privacy erodes.

What I've outlined here extends only slightly beyond what I think most people expect. But, we should collectively consider how far this will all go. If companies will make major financial decisions based on Twitter user activity, will there be well-funded campaigns to change user behavior on Social Media platforms? Will the free-flow exchange of ideas and opinions become more heavily and intentionally influenced?

The sharing/exchanging of users' personal data is becoming institutionalized. It's not a corner case of hackers breaking in. It's a systemic business practice that will grow, evolve, and expand.

I have no recipe to avoid what's coming. I have no suggestions for users looking to hold on to the last threads of their privacy. I just think it's worth thinking critically about how our data may be used and what that may mean for us in years to come.

California Governor Approves New Privacy Legislation

On September 30, 2014, California Governor Jerry Brown announced the recent signings of several bills that provide increased privacy protections to California residents. The newly-signed bills are aimed at protecting student privacy, increasing consumer protection in the wake of a data breach, and expanding the scope of California’s invasion of privacy and revenge porn laws. Unless otherwise noted, the laws will take effect on January 1, 2015.

New Student Privacy Laws 

On September 29, 2014, California Governor Jerry Brown signed into law a bill (SB 1177) that places restrictions on the data practices of online educational services for K-12 schools. In general, the new law, the Student Online Personal Information Protection Act (“SOPIPA”), prohibits an “operator” of an online educational service for K-12 students from:

  • Engaging in targeted advertising based on any information the operator acquired from usage of its online service;
  • Assembling student profiles for non-educational purposes from information derived from the operator’s online service;
  • Selling a student’s information; and
  • Disclosing “covered information,” unless an exception applies.

Under SOPIPA, “covered information” is defined as personally identifiable information created or provided by a student or an employee of a K-12 educational institution, or descriptive or identifiable information gathered by an operator through the operation of its online service. The bill also requires operators to implement and maintain reasonable and appropriate security procedures and practices to safeguard covered information, and to delete a student’s covered information upon the request of the relevant educational institution. SOPIPA comes into effect on January 1, 2016.

Another bill (AB 1584) signed into law on September 29 regulates the usage of third party cloud services and other digital services related to student records management by California educational institutions. Under the new law, student records must remain the property of and under the control of the educational agency. The law also sets contractual requirements and restrictions relating to accessing, reviewing, using and securing the student records related to these services.

In addition, Governor Brown signed into law on September 29 a bill (AB 1442) that requires school districts to first notify students and their parents before adopting any program that gathers or maintains information obtained from a student’s online social media. The new law also sets requirements related to a student’s right to review, correct and delete such social media information gathered by the school district, and imposes retention restrictions on this information.

Updates to California’s Data Breach Law

On Tuesday, September 30, Governor Brown signed into law a bill (AB 1710) that amends California’s breach notification law, making three updates to the existing law:

  • For a business providing notification that was the source of the breach, “an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months.”
  • Businesses that maintain personal information about California residents (e.g., service providers) must employ reasonable and appropriate security procedures and practices for the personal information they maintain.
  • The updated law strengthens the current restrictions on the use or disclosure of Social Security numbers by prohibiting businesses from selling, advertising for sale or offering to sell Social Security numbers, with limited exceptions.

Updated Invasion of Privacy Law

Governor Brown signed into law on September 30 a bill (AB 2306) that updates California’s invasion of privacy law. Under the existing law, a person can be liable for a constructive invasion of privacy if he or she uses a visual or auditory enhancing device to capture an unlawful image, sound or recording. The updated law expands the scope of liability for an invasion of privacy by making it unlawful to use any device to unreasonably capture an image, sound or recording of another person engaging in a personal or familial activity under circumstances in which the other person had a reasonable expectation of privacy.

Expansion of Revenge Porn Liability

Governor Brown signed into law on September 30 a bill (AB 2643) that enables victims to bring lawsuits for civil damages against violators of California’s revenge porn law. According to the bill, the updated law creates a “private right of action against a person who intentionally distributes a photograph or recorded image of another that exposes the intimate body parts…without his or her consent, knowing that the other person had a reasonable expectation that the material would remain private, if specified conditions are met.”

SEC Issues New Guidance on the Use of Social Media

On April 21, 2014, the Securities and Exchange Commission’s Division of Corporation Finance published new Compliance and Disclosure Interpretations (“C&DIs”) concerning the use of social media in certain securities offerings, business combinations and proxy contests. Notably, the C&DIs permit the use of an active hyperlink to satisfy the cautionary legend requirements in social media communications when the social media platform limits the text or number of characters that may be included (e.g., Twitter). The C&DIs also clarify that postings or messages re-transmitted by unrelated third parties generally will not be attributable to the issuer (so issuers will not be required to ensure that third parties comply with the guidance). In addition, requirements regarding cautionary legends contemplated by the C&DIs apply to both issuers and other soliciting parties in proxy fights or tender offers. Accordingly, although the new guidance will allow issuers to communicate with their shareholders and potential investors via social media, it also may prove useful to activists in proxy fights and tender offers.

Read the full client alert on the SEC’s new C&DIs.

FTC Notifies Facebook, WhatsApp of Privacy Obligations in Light of Proposed Acquisition

On April 10, 2014, the Federal Trade Commission announced that the Director of the FTC’s Bureau of Consumer Protection had notified Facebook and WhatsApp Inc., reminding both companies of their obligation to honor privacy statements made to consumers in connection with Facebook’s proposed acquisition of WhatsApp.

In a letter to the companies, Bureau Director Jessica Rich wrote, “WhatsApp has made a number of promises about the limited nature of the data it collects, maintains, and shares with third parties – promises that exceed the protections currently promised to Facebook users. We want to make clear that, regardless of the acquisition, WhatsApp must continue to honor these promises to consumers.”

The letter further noted that the companies could be in violation of Section 5 of the FTC Act if WhatsApp fails to honor its promises after the acquisition is completed, and that Facebook also may be in violation of the FTC’s 2012 order against Facebook, which settled allegations from the FTC that Facebook deceived consumers by making false privacy promises.

Read the related post on the FTC’s Business Center Blog.

German DPAs Adopt Resolutions on Employee Privacy, Facial Recognition and EU Draft Regulation

On March 28, 2014, the 87th Conference of the German Data Protection Commissioners concluded in Hamburg. This biannual conference provides a private forum for the 17 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information, Andrea Voßhoff, to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.

During the Conference, Resolutions concerning the following topics were adopted:

New Employee Data Protection Law Required

The DPAs reiterated their call for a new employee data protection law, particularly since it will still take several years before the proposed General Data Protection Regulation (“Proposed Regulation”) becomes binding in Germany. In their view, in light of the ever-increasing monitoring of employees, the current uncertainties in the Federal Data Protection Act need to be resolved.

Biometric Facial Recognition Online

The growing use and accuracy of facial recognition technologies pose a significant risk to the public’s protected interests. Accordingly, the DPAs emphasized that such technology must meet rigorous legal standards:

  • Consent is the sole applicable legal basis for processing such data if permanent biometric templates for facial recognition are created. The standard for valid consent required here is the same as for the processing of sensitive personal data (i.e., explicit, informed, opt-in consent). The purpose for the processing may not be changed, and it is not possible to obtain consent by reference to general terms and conditions or a privacy policy.
  • Legitimate interest can provide a legal basis for the processing where biometric templates are temporarily created (“for a logical second”) to compare them with existing templates that were created after obtaining valid consent. Temporary templates must be deleted immediately after such comparison, and the data subject must always be sufficiently informed.
  • The storage of biometric templates relating to third parties who cannot provide consent is unlawful.

Future Structure of Data Protection Supervision in Europe

This Resolution concerns the Proposed Regulation’s “One-Stop-Shop” regulatory model, as well as other proposals currently being considered by the European Council. Regarding these proposals, the DPAs outlined certain key elements that should be reflected in the future regulatory model, including:

  • Wherever data subjects in a particular EU member state are affected by data processing, the relevant national DPA should be responsible, regardless of whether the data controller has an establishment in the relevant state or not.
  • The “One-Stop-Shop” principle should apply where a company maintains establishments in several different EU Member States. The DPA responsible for compliance at the company’s headquarters should be the lead authority, and should closely cooperate with the other relevant DPAs, but data subjects should always be free to contact their local DPAs. The lead authority should work toward consensus with the other relevant DPAs.
  • There is no need for a formal, time-limited procedure to obtain EU-wide privacy decisions. Responsibility for data protection compliance should not be shifted to the data protection authorities.

Human Rights and Electronic Communications

Building on their earlier Resolution concerning mass surveillance by the U.S. National Security Agency, the DPAs have provided a more detailed set of measures to be implemented. Their demands, which are listed in an Annex to the Resolution, include:

  • Increased use of encryption technologies in a variety of scenarios;
  • Further development of measures to protect traffic data (including metadata);
  • More anonymous communications products;
  • Development of optional localized Internet routing;
  • Higher encryption standards for mobile communications and restrictions on geolocation;
  • Restriction of cloud computing to trustworthy and certified providers if personal data are processed;
  • Increased use of certified and open source software; and
  • Increased public spending on IT security.

Police Requests for Assistance to Locate Suspects via Social Media

In this detailed Resolution, the DPAs reiterated their position that public authorities using social networks for prosecution purposes is highly problematic, emphasizing that public authorities can only use social networks for prosecutions if the networks fully comply with the provisions of the German Telemedia Act, especially as regards anonymization and pseudonymization.

The previous Conference was held in Bremen in October 2013.

2014 Privacy, Policy and Technology Summit

Join us in New York City on May 19-20, 2014, for the Privacy, Policy & Technology Summit – A High Level Briefing for Today’s Top Privacy Executives. Lisa Sotto, partner and head of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP will be a featured speaker at the session on “Cybersecurity: Insider Tips for Proactively Protecting Your Company and Its Data While Reducing Downstream Regulatory and Litigation Exposure.”

Other sessions will cover timely topics such as social media, Big Data, managing vendors and third party relationships, risk management and protecting data during transactions.


French Data Protection Authority Issues Guidance on Cookie Consent and Expiration

On December 16, 2013, the French Data Protection Authority (“CNIL”) released a set of practical FAQs (plus technical tools and relevant source code) providing guidance on how to obtain consent for the use of cookies and similar technologies in compliance with EU and French data protection requirements (the “CNIL’s Guidance”). Article 5.3 of the revised e-Privacy Directive 2002/58/EC imposes an obligation to obtain prior consent before placing or accessing cookies and similar technologies on web users’ devices. Article 32-II of the French Data Protection Act transposes this obligation into French law.

The CNIL’s Guidance indicates that this obligation applies to website publishers, operating system and application publishers, advertising networks, social networks and website analytics solutions providers.

The CNIL’s Guidance also states that only certain cookies are exempt from the consent requirement under French data protection law, namely cookies whose sole purpose is to enable or facilitate electronic communications or that are strictly necessary for the provision of an online communication service as expressly requested by the user. According to the CNIL’s Guidance, this includes:

  • cookies used for a “shopping basket” on a merchant’s website;
  • “Session ID” cookies for the duration of the session (or persistent cookies limited to a few hours in some cases);
  • authentication cookies;
  • multimedia player session cookies;
  • load balancing session cookies; and
  • persistent user interface customization cookies.

Some web analytics solutions also may qualify for an exemption from the consent requirement.

In all other cases, the CNIL’s Guidance emphasizes that:

  • web users’ consent must be obtained before placing or reading cookies and similar technologies (such as web bugs and fingerprinting technologies), and such consent must be obtained each time these technologies are used for a new purpose;
  • the validity of the consent is linked to the quality of the information provided to web users – in particular, web users must be clearly informed of the different purposes for which the cookies and similar technologies will be used; and
  • web users’ consent is valid only if the users have a real choice between accepting or refusing cookies and similar technologies.

In practice, the CNIL recommends obtaining consent using a two-pronged approach, as described below.

Step 1: Provide Information to the Web User About the Cookies and Their Purposes 

According to the CNIL’s Guidance, a banner must appear on the home page or on a subpage of the website when a user visits it. The banner must specify:

  • the exact purposes of the cookies used on the website; and
  • the fact that, by continuing to use the website, the user accepts the use of cookies.

The banner must also include a link to another page (“For more information”) that explains how to change cookie settings and accept or refuse cookies. The CNIL’s Guidance includes a template banner and specifies that such a banner must remain until the user interacts with the website. If the user does not continue to use the website, this absence of action cannot be interpreted as the user’s consent to the use of cookies.

Step 2: The “More Information” Page

According to the CNIL’s Guidance, when a user clicks on the “For more information” link provided in the banner, the user must be directed to information about how to accept or refuse cookies. This may be presented as:

  • a cookie consent mechanism directly available on the website or application;
  • a link to opt-out solutions offered by advertising networks, social networks and website analytics solutions providers, (assuming that these solutions are user-friendly and functional); or
  • under certain circumstances, details on how to modify browser settings to accept or refuse cookies.

Cookie Expiration

The CNIL’s Guidance recommends that a user’s cookie consent may be considered valid for up to 13 months. After this period, the website must get renewed consent from the user. The CNIL’s Guidance states that cookies should be programmed to expire 13 months after they are placed on a user’s device.
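
The consent and expiration rules summarized above can be enforced in code at the point where a site writes a cookie. The following is an added example, not the CNIL's published source code: the category labels, field names and function names are assumptions chosen for illustration, and the sample cookies are constructed.

```javascript
// Added example: consent gate for the rules summarized above.
// Category labels, field names and function names are assumptions.

// Categories the guidance lists as exempt from the consent requirement.
const EXEMPT_CATEGORIES = new Set([
  "shopping-basket", "session-id", "authentication",
  "media-player-session", "load-balancing", "ui-customization",
]);
const VALIDITY_MONTHS = 13; // consent lifetime and maximum cookie lifetime

// Calendar-month addition in UTC, clamped to the last day of the target
// month so that 31 January + 13 months is 28 February, not early March.
function addMonths(from, months) {
  const d = new Date(from.getTime());
  const day = d.getUTCDate();
  d.setUTCDate(1);
  d.setUTCMonth(d.getUTCMonth() + months);
  const lastDay = new Date(
    Date.UTC(d.getUTCFullYear(), d.getUTCMonth() + 1, 0)).getUTCDate();
  d.setUTCDate(Math.min(day, lastDay));
  return d;
}

// Per-visitor consent record: one timestamp per purpose, because consent
// has to be obtained again whenever cookies are used for a new purpose.
class ConsentRecord {
  constructor() { this.grantedAt = new Map(); }
  accept(purpose, now) { this.grantedAt.set(purpose, now); }
  refuse(purpose) { this.grantedAt.delete(purpose); }
  isValid(purpose, now) {
    const at = this.grantedAt.get(purpose);
    return at !== undefined && now < addMonths(at, VALIDITY_MONTHS);
  }
}

// Decide whether a cookie may be written now. Returns {allowed, reason} or
// {allowed, expires, header}; a null `expires` means a session cookie.
function decideCookie(consent, cookie, now) {
  const exempt = EXEMPT_CATEGORIES.has(cookie.category);
  if (!exempt && !consent.isValid(cookie.purpose, now)) {
    // No record (visitor has not interacted yet), refusal, or stale consent.
    return { allowed: false, reason: `consent required for "${cookie.purpose}"` };
  }
  const limit = addMonths(now, VALIDITY_MONTHS);
  let expires = cookie.expires || (exempt ? null : limit);
  if (expires && expires > limit) expires = limit; // cap at 13 months
  let header = `${cookie.name}=${encodeURIComponent(cookie.value)}` +
    "; Path=/; Secure; SameSite=Lax";
  if (expires) header += `; Expires=${expires.toUTCString()}`;
  return { allowed: true, expires, header };
}

// Constructed sample cookies (not taken from the guidance).
const adCookie = { name: "ad_id", value: "abc 123", category: "advertising",
  purpose: "targeted-advertising", expires: new Date(Date.UTC(2020, 0, 1)) };
const sessionCookie = { name: "sid", value: "s1", category: "session-id",
  purpose: "session" };
```

Because an empty consent record yields a refusal, a visitor who never interacts with the banner is never treated as having consented; only an explicit call to accept() for the matching purpose unlocks a non-exempt cookie.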