It’s been called “the biggest lie on the internet,” or rather, the one that most of us tell when we click to agree that we’ve read the entire terms and conditions. The reality about those terms, though, is that you may be handing over a lot of your privacy when you check that little box.

Just for fun, an IT company posed a social experiment surrounding terms and conditions. Their online sweepstakes claimed to give away a brand-new computer, and the terms and conditions were spelled out. They found that 100% of the entrants had not read the terms, despite checking the box that they had. How did the company know? One of the clauses stated that in order to be eligible, entrants had to submit a photograph of their shoes. No one submitted the photo, yet they agreed and entered anyway.

It’s important to know what many terms and conditions can include, especially if you’ll be activating new accounts in the coming weeks to go along with any holiday gifts. It’s also important to learn how to find those terms at a later date, just in case you went ahead and checked the box without reading it thoroughly.

1. Photographs and videos

If you upload your holiday photos to social media sites, you might have granted permission for the site to use them. You would still own a photo, but you would no longer control what the site does with it, and you would not make any money if the site chose to use your photo for advertising purposes.

Be aware of a very common Facebook hoax: Copying and pasting a status onto your wall that states Facebook cannot use your photos is not a valid demand. You opted to use Facebook when you signed up for a free account… you don’t get to tell them they can’t share your photos.

Remember, even if the company itself doesn’t want to use your pictures, that doesn’t mean other social media users won’t copy and paste them and use them for themselves. Even changing your settings to Private only means there’s no “share” button; it doesn’t mean the image can’t be copied.

2. Location-based monitoring

Geotagging has gotten a lot of coverage in recent years, and technology manufacturers have responded by giving their customers the option to turn off the geotagging feature. But if you have certain options turned on, like the option to find your device if it’s lost or stolen, you’ve just agreed that the monitoring takes place anytime the phone is turned on. Presumably, that means that your phone in your pocket or purse is transmitting your location to the server that enables the find feature.

Other services, like in-car navigation systems and entertainment systems, also track your location when activated. This is how the service can pinpoint your location and give you directions, or send the police in an accident.

3. Automatic renewal

Some companies offer free trials to consumers in order to let them experience the service before they pay, but be careful. Some of the terms and conditions not only state that your service will be renewed automatically for a fee if you don’t cancel before the cutoff date, but they also bill annually, meaning you just signed up for a year’s service. You can still choose to cancel the service, but the refund may or may not occur depending on the terms and conditions.

4. Selling your information

Many companies reserve the right to use or sell your base-level information—things like your name, mailing address, or email address—and this isn’t necessarily a bad thing. After all, if you opened an account with a website, logically you might be interested in similar offers from other websites. At the same time, if the account you created was free, someone has to pay the bills. Selling your information to advertisers is one way that small companies can keep the lights on without having to charge you a lot of money for an account.

Typically, you’ll be offered the chance to opt out of newsletters, promotional mailings, or outside offers. If not, you might have granted them permission to sell your information when you agreed to the terms.

5. These terms may change

If you are one of the tech users who meticulously reads the service agreement before checking the box, great! But you still might find yourself surprised by sudden changes. That’s because many service agreements leave the door open for changes down the road; after all, if they discover that a facet of their company isn’t working out, they need to be able to fix it.

That’s why a lot of companies will send out emailed updates to their terms and conditions if they make any changes. You may find that you have to check the box again the next time you use that site or software, but you may also discover that the changes took effect whether you read the email or not. It all depends on the change and how the notification went out.


Connect with the ITRC through our toll-free call center at (888) 400-5530, or on-the-go with the new IDTheftHelp app for iOS and Android.

ID-theft criminals may be the ultimate Grinch this holiday season as kids’ smart toys create vulnerabilities for hacking, data theft and cyberattacks.

While the Black Friday and Cyber Monday cyberthreats are behind us, we cannot let our guard down, as ID-theft criminals continue to target new access points through the Internet of Things — for example, children’s toys. Mattel’s Barbie Doll, the iconic doll series coveted by millions of children, has now become “smart,” and that sadly means there’s a dark side. The cybervulnerability of smart toys is all too real.

Smart toys, similar to other smart devices and appliances, connect to your home’s Wi-Fi network. This means that if compromised, criminals have a conduit into all activities on your home network. ID-theft criminals may then attempt to garner your personally identifiable information, access your home security system or listen to personal conversations through baby monitors or even the new Hello Barbie doll.

According to the Huffington Post, the new Hello Barbie doll, which connects to the Web to provide answers to your children’s questions, “uses a microphone, voice recognition software and artificial intelligence to enable a call-and-response function similar to Siri or Google Now. A free smartphone app that connects the toy to a user’s Wi-Fi network brings this Barbie into a class of technology often referred to as the Internet of Things, or IoT.”

To the credit of Mattel, the company that markets the Barbie brand, it has partnered with entertainment company ToyTalk to develop the doll’s information-security technology to minimize potential security issues and to protect consumers’ security. However, it’s not just smart toys that create an opportunity for cybercriminals to steal our children’s information, such as names, ages and even photographs. It’s also through direct attacks on organizations where parents register their children’s information, such as VTech, a recent data-breach victim with millions of records compromised.

The VTech website advises that “4.8 million customer (parent) accounts and 6.3 million related kid profiles worldwide are affected, which includes approximately 1.2 million Kid Connect parent accounts. In addition, there are 235,000 parent and 227,000 kids accounts in PlanetVTech. Kid profiles, unlike account profiles, only include name, gender and birthdate.”

Understand that anytime you create accounts for your children for educational products or services, both your information and your children’s information are targets for hackers. This is because hackers are looking for information such as your e-mail address or passwords. Simply attaining your e-mail address allows hackers to engage in spear phishing attacks, which have proven incredibly effective. Hackers also realize that people oftentimes utilize the same passwords for multiple sites. They can take the password to try to drain your bank accounts.

Mark’s most important: Don’t let cybercriminals steal your happy holidays by using strong and up-to-date Wi-Fi security along with strong password management.

Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., an ID theft-background screening company based in Phoenix. Contact him at

This article was originally published on and republished with the author’s permission.

There’s disturbing news for anyone who relies on a vehicle to get around: the National Safety Council has reported that motor vehicle deaths increased by 8% in 2015 over the previous year, marking the largest single-year increase in 50 years.

“Over the last year at the state level, the NSC estimates Oregon (27%), Georgia (22%), Florida (18%), and South Carolina (16%) all experienced increases in fatalities, while only 13 states showed improvement.”

One of the chief culprits that experts blame for the traffic deaths is distracted driving, which encompasses everything from texting and updating social media to attempting to post on Snapchat while driving, as in the case of one fatality involving the filter that displays the miles-per-hour the person was traveling when the image was taken. Several states have already enacted legislation that bans certain behaviors while driving in order to combat this epidemic.

Law enforcement may have a new weapon in the fight against distracted driving, but it has privacy experts taking a somewhat cautious stance. Called a Textalyzer after the word “breathalyzer” and already introduced in a bill before the New York state legislature, it’s a device that allows officers to scan drivers’ phones to see if they were using their phones prior to a crash.

The issue of law enforcement interacting with citizens’ phones has already been a hotly contested topic, one that was heard by the Supreme Court back in 2014. The Court ruled that citizens’ smartphones contain just as much personal information, photos, and correspondence as their homes, and therefore require a warrant before they can be searched. The Textalyzer, however, doesn’t look at the contents of the activity but instead is only supposed to report whether the phone was being used in violation of the law.

There’s another privacy consideration, though, which is to be aware of the potential for hacking. As with any new technology, the full scope of the potential for identity theft has to be considered before it can be unleashed in the public sector. The Internet of Things has already taught us that the “unknowns” behind new technology can actually have serious ramifications for privacy and cybercrime.

Anyone who believes their identity has been stolen or their personal data has been compromised is invited to connect with the ITRC through our toll-free call center at (888) 400-5530, or on-the-go with the new IDTheftHelp app for iOS and Android.

As parents, you may have to pull off an especially tricky balancing act around the holidays. It can be hard to navigate the commercials that entice kids with the hottest holiday toys while still trying to stick to a budget, and no one wants to imagine the dilemma of not being able to find that one present a child has his heart set on. However, while you focus this year on maintaining some level of sanity in your holiday shopping, there’s another important factor to keep in mind.

Safety is always a consideration when you’re buying any toy for a child. Is it a choking hazard? Does it contain harmful chemicals in the plastic? Is it age-appropriate and will it encourage healthy play? Those are all important points to keep in mind, but it’s absolutely vital in the digital age to make cybersecurity a part of your shopping list as well.

Last year, holiday headlines went haywire with news of a Mattel product that posed a security risk to children. The company’s Hello Barbie interactive doll recorded children’s conversations with the doll and transmitted them over wifi to a third-party. The goal of the data gathering was to make the doll more personal to its owner and to make it more intuitive in its responses; most artificial intelligence relies on “machine learning,” after all, to help it be more useful and accurate. But many parents and security advocates balked at the notion that a third-party—and potentially any hackers who worked their way in—were listening in and recording underaged children.

Also, around this time last year educational technology toy manufacturer VTech suffered an intentional data breach that stole the user profiles for millions of consumers’ Learning Lodge accounts. The information included adult account holders’ names, email addresses and passwords, secret questions and answers, I.P. addresses, mailing addresses, and more. Even more alarming, the hacker also stole the names, genders, birth dates, and even photographs of the users’ children.

So this holiday shopping season, it’s important for parents to understand all the potential security risks and mechanisms that drive the toys they plan to buy. We tend to discover a security vulnerability after the fact, but there are some common sense questions you can ask before you make that purchase:

1. Does the toy require a wifi connection, Bluetooth connection, or downloaded app to make it work?

2. Does the toy require you to make an account in order to use it?

3. Does it record, store, or share any information about you or your child?

4. If it’s installed on your computer or mobile device, what permissions does it require, like access to your camera and microphone?

5. If it’s installed, are there optional permissions it wants, like access to your contacts list or photo albums?

It’s important to find these things out before you buy so that you can make a determination about the product’s potential for harm. If you’re confident that your child is old enough to understand the security requirements and can follow your rules for safe use, then you’ll feel better knowing the risks and knowing that you’ve addressed them.

Questions about identity theft? Connect with the ITRC through our toll-free call center at (888) 400-5530, live chat feature or on-the-go through our IDTheftHelp app for iOS and Android.

The latest tech craze in the realm of GPS mapping might be more of a timesaver than a world changer, but that hasn’t stopped customers from hurrying to jump on board. And anyone who’s been late getting out the door due to some misplaced car keys won’t have any trouble seeing the allure.

There’s a category of new devices on the market from a growing number of providers, and they make everyday life a little easier. These small tags come in different shapes, colors, and sizes depending on the manufacturer, but they all let you attach them to a typical object like your car keys, then track that object on your smartphone. Once you begin the search for the keys or the TV remote or any other small item, the tag may emit a small alarm (depending on the company) and will provide its location on the accompanying app through your mobile device.

Given their typical size, they can be placed on practically anything that gets misplaced easily. But some researchers are more afraid of the potential for harm and the loss of consumers’ privacy than the inconvenience of your child misplacing his lunchbox. First, there were the concerns over the lax security that some of the apps had. More importantly, as these tags rely on GPS coordinates for their location and sync to your device over Bluetooth to provide that data, it doesn’t take a criminal mastermind to think up some possible—although currently unlikely—scenarios in which your tracking tag can turn on you.

One of the chief complaints from researchers regardless of the manufacturer has been the open pairing with Bluetooth. Your smartphone might be paired with the tag, but what’s to stop someone in your vicinity (such as at the mall) from searching for Bluetooth devices on his phone, “forgetting” or removing your device, then pairing your car keys with his phone in order to track you? We’d have to ask ourselves why someone would want to do that, but we don’t have to wonder if they actually can do it because the answer is yes.

Researchers found other reasons for concern based on what type of device was being investigated, but the real takeaway is this: consumers have to be cautious about what can be done with any new technology before they sign on to use it. If consumers are aware that their objects can be tracked and are comfortable with any plausible or implausible risks, then they’re fine. What we have to constantly safeguard against, though, is the not knowing. We cannot come to rely on a new service, technology, or concept without educating ourselves on its functionality, assessing any potential dangers, and determining our comfort level with the possibility of harm.

Interested in more cyber news? Check out the ITRC blog to keep you updated and aware of the latest topics and events.

Short Answer: We Don’t Think So

Privacy is a hot commodity in the current climate of technology and connectivity. It can be hard to balance out the need for security with the enticing functionality of the latest apps and gadgets. When we factor in the additional need for public safety and effective law enforcement, it can feel like our privacy gets tossed around like a beach ball.

One of the ways that tech companies are working to ensure protection and privacy for their customers is by developing better security protocols, such as end-to-end encryption. This type of encryption, now being put into use for things like messaging apps, means that the text is encrypted when the user sends it, and then encrypted again when the recipient receives it. It also means the company who created the app can never see the content of the messages, share the messages, or have them fall into the wrong hands by being hacked.

One company in particular has taken the time to weigh the pros and cons and decided the best approach was to skip end-to-end encryption on one of its apps. Google’s new Allo messaging app was expected to employ this level of security, but the company has decided it is not compatible with its ongoing efforts at machine learning and artificial intelligence. This has some security experts and privacy advocates up in arms, as users can well imagine.

Yes, this decision does leave the door open for your messages to be nabbed in a data breach. It also means law enforcement can seek a warrant for those messages if they have reasonable proof that you’ve committed a crime and the content of those messages is involved. But for most app users, neither of those concerns register high on their list of priorities because they’re not sending sensitive information through the app.

The important takeaway is that Google did not make this decision through a lack of effort or through empty promises of security; the company isn’t leaving your texts vulnerable due to oversight or lack of protocols, as is too often the case in data breaches. This was an intentional decision because Google relies on user activity to “educate” its artificial intelligence lab and to help you with better autocorrect options, for example.

When a company makes a conscious decision about its security measures and then makes consumers aware of its decision and the reasons behind it, the company is being transparent. This empowers the consumer to make their own decisions based on the facts. Therefore, if users are concerned about the lack of end-to-end encryption, there are plenty of apps that do offer it. The more concerning security risk comes when a company assures its customers that their data is safe and locked up tight, then fails to put into place the adequate protections they promised. Basically, if you don’t like the methodology behind Allo, don’t use it. Make sure before you use any app that you understand its security and how it impacts your privacy.

Anyone can be a victim of identity theft, anyone can use our services, and anyone can help us help others. If you found this information useful, please consider donating to the Identity Theft Resource Center to help us keep our services free to the public.

The New York attorney general’s office has concluded an investigation of some major toy brands, and the findings were rather alarming. In direct violation of the Children’s Online Privacy Protection Act, Viacom, Mattel, Jumpstart, and Hasbro were tracking children’s internet use through their popular branded websites in order for their advertisers to benefit.

The affected websites included major toy and entertainment brands that are popular with children under thirteen, including Nickelodeon and Nick, Jr., Spongebob Squarepants, Barbie, My Little Pony, Neopets, and several others.

When young users logged onto these sites, the websites tracked information like their IP addresses, then used that information to target the kids with advertising. While that may seem harmless enough, the law clearly blocks access to kids’ internet behaviors for this kind of purpose.

Targeted online advertising and search tracking get a really bad rap in technology circles. And sure, they can feel like a form of spying when you find out that some faceless company has been monitoring which sites you visit and how long you spend there. But there’s a flip-side to all that monitoring: the ability to target you with advertisements is something that keeps the internet affordable and accessible, and presumably makes the online browsing experience better. After all, if the only way to provide a solid browsing experience is to show you ads once in a while, wouldn’t you rather those ads were for products you might actually want? The only way to show you a tailor-made ad is to track what you search for in order to anticipate something you might want and block items you wouldn’t want.

If you conduct yourself online as though others can see your browsing activity—meaning you were made aware of the possibility in the terms and conditions before you opened an account—then a lot of what some people consider “spying” is more like someone taking a quick peek in your grocery cart at the store and writing down which brand of potato chips you like. Then they hand you a coupon for those chips before you check out.

But children are legally off-limits when it comes to this kind of tracking and targeted advertising, and not just because adults don’t want to be pestered with cries for the latest toy. In the case of kids, it’s a hands-off agreement that says we won’t do anything that could lead a predator to a child. By gathering information from these branded websites, a hacker could potentially discover a child’s name, age, gender, and even physical location, and that’s not acceptable. Of course, the law still functions to limit the number of commercials and ads that children see, which is a long-standing recommendation from the American Academy of Pediatrics.

As a result of the investigation and its findings, all of the companies involved were assessed some fines and agreed to strict reforms, namely by improving the vetting and compliance process for hiring outside companies to handle their web traffic. This is a case where those who were investigated have cooperated fully and admitted the wrongdoing in order to move forward in a direction that protects children online.


The battle for your privacy is an ongoing one, a battle which plays out in marketing meetings, board rooms, and courtrooms. Companies have to weigh their customers’ needs and wants against the investment they make in their goods and services, while still meeting the government’s current regulations for protecting data and not infringing on citizens’ rights.

It’s those regulations that are making news this week, as an appeals court has now ruled that AT&T is outside of the Federal Trade Commission’s regulatory reach. The company’s “common carrier” status means it functions more like a utility than a service provider, and as such, does not fall under the same privacy umbrella that other companies do.

While consumer privacy—especially in relation to phone companies and internet providers—is a really big deal, it’s also a tricky issue. Giving these companies access to their customers’ internet searches, for example, is what enables advertising. Those pesky ads you see online might be annoying, but they’re also what make the internet operate at a price that consumers can afford.

But what really happens as a result of the Ninth Circuit Court of Appeals’ decision in FTC v AT&T Mobility is that common carriers are currently operating without a lot of regulation concerning what is private and what isn’t. That means the door is now open for Congress to have to step in and draft legislation that outlines what those companies can and cannot do with your activity.

This might seem like one of those “facts of life” areas where we have to take the good with the bad. After all, you can avoid having companies track your activity if you just stay off the internet. But there is another huge implication here, and that’s how this will affect the Internet of Things connected devices that are slowly but surely making their way into common household use.

Without regulation concerning consumer privacy, who’s to say the activity of your IoT devices has to be protected information? Who will be allowed to see when your IoT thermostat kicks on, meaning you’re home? Who will track the data when you lock your front door remotely, potentially telling anyone that you’ve left for the day? Even more alarming, who will be allowed to see the hourly readout from your IoT insulin meter, including your health insurance or life insurance companies?

Those are all very alarming hypothetical examples, but they speak to the need to establish regulations on what private data will be gathered, how it will be protected, and who will legally be allowed to access it. Without regulations, consumer data safeguards aren’t fully in place.


There are tens of millions of smartphone users in the US, and if you asked them their feelings on having their phones lost or stolen, the reactions might surprise you. The obvious answers involve inconvenience or the expense of replacing it, but some users might list losing their phone right up there with fear of bodily harm. Why? As one teenager put it, “My whole life is in that phone!”

She wasn’t really exaggerating. Her email, text messages, phone contacts, and social media accounts are all routed through her smartphone. Her credit card is stored in there in order to purchase apps or music, but also as a real-world payment method through a mobile wallet. As a college student, her textbooks are in there, complete with all of the annotations she made, and her calendar is stored in there with her work schedule, her class schedule, and even activities involving her private life.

Now envision all of that information—her physical location and when to find her there, her friends’ names, her credit card, her entire online identity—falling into a thief’s hands.

There’s a downside to all the convenience and connectivity that smartphones provide. Without the proper protection in place, anyone who picks up your device can have complete access. The best way to stop someone from using your physical device against you is to make sure you’ve passcode locked the device, and that your passcode is not a sequence that is easily guessed, like 1-2-3-4.

But even with a passcode, it’s still a good idea to log out of your apps whenever you use them, or at least log out of the critical apps if entering your password is too much of a bother. Which apps should you be especially careful of?

  1. Email – With all of the flashy ways to communicate now, email might seem a little bit outdated. But with access to your email, a thief can alter practically every account you own. The first step is to get into your account and change your email password. Right away, you’re locked out of it. Then, once he controls the password, he simply opens every app you have and clicks “forgot my password.” The reset link will come to your email address, which again, he now controls. He changes your password on every account you own.
  2. Online Banking – This one is too obvious, and fortunately, a lot of banks’ apps automatically log you out. But just in case, make sure your banking app is secure by exiting it completely every time you use it, and by protecting it with a strong, unique password.
  3. Mobile Wallet – The same is true for your mobile payment method. Mobile payments are very convenient and very secure, and they also have the added benefit of being accepted at more and more retailers. But with so much at stake, don’t leave it logged in or trust that the app will kick you out after it closes. Log out, and actually watch the screen return to the login screen.
  4. Social Media – You might be tempted to think that anyone who gets in your Snapchat or Facebook account is going to be pretty bored by all the birthday wishes and cat videos, but there is actually a whole world of damage a thief can do with social media. The first step is to start sending out friend requests to people he knows, including himself or his ghost accounts, and then invite your friends to “like” or connect with those invitations. That opens the door to scams and fraud. Of course, the very last thing you need is relationship- and career-ending posts, like inflammatory political, religious, or even prejudicial posts, or posts which contain pornography or illegal activity.


The world of social media is a truly great innovation thanks to the connectivity that it brings to all of us. But each platform functions in distinct ways, and understanding how to protect yourself from major threats is crucial to staying safe online.

Social media platforms aren’t inherently dangerous. It’s what other users choose to do with those platforms that can result in harm to your privacy and your identity. One of the chief threats you may face is in connecting with other people who are either intentionally or accidentally out to cause trouble.

Intentional threats on social media tend to be self-explanatory. But it’s not just people stealing your posts or photographs, or the danger of oversharing information about yourself. Sometimes, the people you connect with can be at the heart of the problem. It may come in the form of accepting a friend request from someone you don’t know, only to be lured into a scam and asked for money. You may find a new friend who sends you the link to a video through a private message, only the link actually contains a virus that steals data from your computer. You may even be pulled into a criminal activity through your new social media connections, one that you have no idea how to get yourself out of.

One of the most surprising social media platforms swarming with users who are intentionally seeking to cause you harm is Skype. Skype is truly one of the most useful internet tools; depending on the type of account you have, you can text, talk, or video chat with people all around the world through your computer.

But Skype has been flooded with scammers who use the video chat feature to extort money from their victims. You receive a contact request from someone who wants to connect with you, so you click it, even though you don’t know the person (usually a bad idea). You strike up a text-based conversation, which then escalates to video chatting. Before long, you and the sweet-talking person on the other side of the screen engage in more intimate video communication, only you’re unaware that the other person is recording you.

After the video session ends, you’re threatened with all manner of public disclosure if you don’t pay up. The video of you from this private conversation will be posted on your Facebook wall, sent to your professional connections over LinkedIn, emailed to your spouse, and worse. Sadly, there’s no guarantee the extortion will end once you pay their price; you may be subjected to further demands for money, or the video may still end up online even if you pay.

That’s a very extreme example of what can happen when you friend someone you don’t actually know on social media, and there are a lot of other ways these intentional scammers can come after you. But what about your actual friends, or people you’re somewhat connected to? What’s the harm in friending that lady from your old neighborhood, or your former co-worker from a summer job?

It’s hard to know how safe that person is being online. Are you being subjected to hate speech or inflammatory images? Worse, are you being tagged in those posts, so that your name is now connected to something that you wouldn’t want people to see? What about viruses being sent out as links in your inbox, or Facebook hoaxes that get shared to thousands of people at once?

It can be hard to protect yourself from social media connections with “real life” friends or relatives. There’s always the fear that unfriending or unfollowing them will lead to public embarrassment the next time you two meet. Fortunately, a lot of platforms make it easy to avoid the discomfort, and simply let you “hide” the person’s posts instead of actually going so far as to sever the connection. They will still see what you share online, but you won’t be subjected to their content or unsafe internet activity.
