There was a very interesting article in the Washington Post today, “Enjoying Technology’s Conveniences But Not Escaping Its Watchful Eyes”
This documentary of the day in the life of a woman shows how privacy issues are encountered throughout the day, and how virtually all of us leave a bit of ourselves, and along with it our privacy, whenever we get online, make purchases from stores, make phone calls, or do any number of things in virtually any place.
This could provide a great case study in a privacy training class, and the article itself would make a very good awareness article with an introduction and/or conclusion discussing the various privacy issues. Many questions related to your own organization’s practices could be asked throughout.
For example, the article demonstrates privacy issues related to many different topics:
* Wide-spread surveillance. Security cameras are more wide-spread than ever before. They can do a lot of good and help convict criminals filmed breaking the law and doing even more evil activities. However, are they sometimes placed in non-public places that compromise privacy?
* E-mail. Your employer’s e-mail system and company e-mail address you use is typically subject to monitoring. However, what about your personal e-mail within your home? Who is looking at that information? Many employees forward their business e-mail to their personal e-mail address, putting business information, and potentially customer information, at risk. What controls are in place within your organization to prevent, or at least catch, such e-mail forwarding activity?
* Website monitoring. When you visit a website, a trail of some sort or another is created that shows you have been there. Such tracking of visitors is used extensively for marketing purposes, to analyze demographics, and so on. How is your organization tracking the people who have visited your websites? Is personal information being collected from them without their knowledge? Are your sites planting web bugs on their computers to see where else they are visiting?
* Cellphone call records. There is a great amount of information collected about your cell phone calls; time, date, approximate location, who you called and who called you, and numerous other technical information. Who has access to these records? If you had a cell phone provided by your employer, there is high likelihood that your employer is monitoring your calls. Does your organization have policies governing cell phone monitoring? Have they communicated them to all personnel? Do you use your business-provided cell phone for personal calls?
* RFID chips. RFID chips are in credit cards, passports, items on store shelves, in employee ID cards, and even under some people’s skins. Does your employer use RFID chips within your facilities? How? If so, has your organization communicated how they are being used? Are they used for tracking employee activities?
* Mobile computers. Large amounts of personally identifiable information (PII) is being stored on mobile computers and storage media. This PII is overwhelmingly NOT being secured…not being encrypted…not being inventoried to even know it is stored in such a vulnerable location. Does your organization allow PII to be stored on mobile computers, such as laptops? How is it protected? What polices, procedures and technologies are in place to protect PII? Is training provided to those who use these mobile computers?
* Phone records. Calling from your office phone to outside businesses may very well be tracked by those organizations you are calling. They may also be surreptitiously recording your calls. Do you know if your calls are being recorded? Does your organization have your phone systems implemented in such a way to prevent such tracking, and to keep personal information about your calls from being collected?
* GPS. Global positioning systems (GPS) are being placed into a large number of devices, commonly within vehicles. Does your organiztion use GPS? Do they track company vehicle locations and movements? Are there policies in place addressing GPS use? Have they been communicated and explained to personnel?
* Pretexting/social engineering. It is becoming more common for people to call businesses pretending to be a customer to obtain passwords and other personal information that they then go on to use to access online bank accounts, or sell the collected data to others.
* Electronic keys (e-keys). A growing number of gated facilities use e-keys that transmit via infrared beam the date and time, name and phone number, and company name, and other information to the lockbox where they are stored and from which they are obtained. Does your organization use these types of lockboxes? Does the community in which you live?
* Internet search engines such as Google: Search engines such as Google collect billions of search queries, creating gigantic databases information showing the behaviors, interests, likes and dislikes of the people using them. What do the searches your personnel do reveal about your organization?
Tags: awareness and training, call records, e-mail, encryption, government, GPS, Information Security, IT compliance, laptops, monitoring, policies and procedures, privacy, RFID, search engines, social engineering, surveillance