Privacy Archives - My TechDecisions
https://mytechdecisions.com/tag/privacy/
The end user’s first and last stop for making technology decisions
Last updated: Wed, 24 May 2023 14:34:32 +0000

Microsoft Releases Windows 365 Boot Preview, Windows 11 IT Management Features
https://mytechdecisions.com/it-infrastructure/microsoft-releases-windows-365-boot-preview-windows-11-it-management-features/
Wed, 24 May 2023 14:34:32 +0000

Microsoft is beginning to roll out new features in Windows 11 designed to make managing and securing Windows 11 devices easier, as well as Windows 365 Boot, which enables users to log directly into their Windows 365 Cloud PC and designate it as the primary Windows experience on their device.

The Windows announcements came during Microsoft’s annual Build developer conference, during which the Redmond, Wash. tech giant made several key AI announcements, including Windows 11 Copilot.

Windows 365 Boot

Among the Windows 11 IT and management announcements, the preview of Windows 365 Boot was perhaps the most notable, as it gives Windows 11 Pro or Enterprise users the ability to log directly into their Windows 365 Cloud PC as the primary Windows experience on their device. Windows 365 Boot will take users to their Windows 11 login experience, and they will then be directly connected to their Windows 365 Cloud PC with no additional steps.

Microsoft bills this as a tool for shared devices, as logging in with a unique user identity can take a user to their own personal and secure Windows experience.

To deploy Windows 365 Boot to endpoints via Microsoft Intune, IT administrators will first need to ensure that they have Windows 11-based endpoints (Windows 11 Pro and Enterprise), enrollment in the Windows Insider Program (Dev Channel), Intune Administrator rights and Windows 365 Cloud PC licenses.

This Tech Community blog includes more information on how to deploy Windows 365 Boot.

Privacy and security

Microsoft is releasing several other new features designed to make Windows 11 more secure, including the public preview of the ability to isolate Win32 applications for both consumer and commercial users.

According to Microsoft, this gives developers the ability to reduce the risk of security breaches by running Win32 apps in isolation, which helps prevent apps from having unexpected or unauthorized access to critical internal Windows subsystems, thereby minimizing the damage if an app is compromised.

Microsoft also rehashed its Sign-in Session Token Protection Policy, first announced at Microsoft Secure in March, which allows applications and services to cryptographically bind security tokens to the device, restricting attackers’ ability to impersonate users from a different device after stealing tokens.

In addition, Microsoft announced account badging, starting in June, which will send users an alert to their Start menu when their account needs attention.

Other security and privacy tools now available include new app privacy settings that give users the ability to allow or block access to presence sensor information and enable or disable presence sensing features, as well as a glanceable VPN on the taskbar to give users quick access to their VPN status.

IT management

For simplified IT management, Microsoft is adding new cloud-powered capabilities to Windows 11 Enterprise designed to lower the cost of managing and securing Windows devices.

This starts with Universal Print secure release with QR code for Android, delivering step-by-step process authentication, including the ability to securely release a print job only to the employee for whom it’s intended. This is designed to help prevent leaks of confidential information.

Microsoft is also making it easier for IT teams to connect to hybrid workers with organizational messages. The company says this allows IT in Windows 11 Enterprise organizations to send company-branded messages from Microsoft Intune to users on various Windows surfaces, including the notification panel, above the taskbar and the Get Started app.

Although it was announced last month, Microsoft also reiterated the preview release of the ability to upgrade from Windows 10 to Windows 11 Enterprise via Windows Autopatch.

Read Microsoft’s blog to learn more about these announcements.

The post Microsoft Releases Windows 365 Boot Preview, Windows 11 IT Management Features appeared first on My TechDecisions.

Insiders Pose Cybersecurity Threat to Healthcare
https://mytechdecisions.com/compliance/insiders-pose-cybersecurity-threat-to-healthcare/
Tue, 26 Apr 2022 16:39:34 +0000

The U.S. Department of Health and Human Services (HHS) Cybersecurity Program Office of Information Security warned healthcare facilities on Thursday about vulnerabilities to insider threats.

HHS cited a 2020 study from Ponemon, which found that 61% of data breaches involving an insider are primarily unintentional, caused by negligent insiders. Nearly 14% of breaches, however, are malicious, and nearly one in four involve stolen credentials. That same report found the average cost of insider threats per incident was $871,700 for credential theft, $755,800 for criminal and malicious insiders, and $307,100 for employee or contractor negligence.

The HHS report also covered the risks associated with insiders who are working on behalf of external groups, noting that 82% of organizations can’t determine the actual damage that an insider attack has caused. The most commonly reported types of insider threat damage include:

  • Critical data loss, 40%
  • Operational outage/disruption, 33%
  • Brand damage, 26%
  • Legal liabilities, 21%
  • Expenses on remediating intrusions, 19%
  • Competitive loss, 17%

Disgruntled employees pose a significant insider threat because of their access to a healthcare facility’s systems. Additionally, they are often emotional threat actors with an intent to cause harm to the company; sometimes they believe they are owed something, according to the HHS report. About 80% of privilege misuse by disgruntled employees was financially motivated.


Third parties are also a threat, since 94% of organizations give third parties access to their systems. Very often, third-party vendors are given elevated permissions on those systems.

Insider threat activities in healthcare usually consist of fraud, data thefts, and/or system sabotage.

Behavior indicators of an insider threat actor can include:

  • Official records of security violations or crimes
  • Cases of unprofessional behavior
  • Cases of bullying other employees
  • Personality conflicts
  • Misuse of travel, time, or expenses
  • Conflicts with coworkers or supervisors

Indicators of IT sabotage include:

  • Creating backdoor accounts
  • Changing all passwords so that no one can access data
  • Disabling system logs
  • Installing a remote network administration tool
  • Installing malware
  • Accessing systems or machines of other employees

Indicators of data theft include:

  • Massive downloading of corporate data
  • Sending sensitive data to a non-corporate address
  • Sending emails with heavy attachments to non-corporate addresses
  • Extensive use of corporate printers
  • Remotely accessing a server during non-working hours

The report also found that detecting insider attacks has become more difficult with so many organizations switching to the cloud.

HHS recommends the following practices to mitigate insider cybersecurity threats:

  • Incorporate insider threat awareness into periodic security training for all employees.
  • Implement strict password and account management policies and practices.
  • Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
  • Ensure that sensitive information is available only to those who require access to it.
  • Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.
  • Develop a formal insider threat mitigation program.

CISA offers free cybersecurity services and tools, along with pertinent guidelines and updates that can help large and small organizations in the health sector. This information can be accessed online at cisa.gov/free-cybersecurity-services-and-tools.

This article originally appeared on MyTechDecisions’ sister site Campus Safety.

The post Insiders Pose Cybersecurity Threat to Healthcare appeared first on My TechDecisions.

Security Vulnerabilities Found in VR Headsets
https://mytechdecisions.com/compliance/security-vulnerabilities-vr-headsets/
Mon, 14 Feb 2022 21:01:07 +0000

Voice command features on virtual reality (VR) headsets pose vulnerabilities and could lead to major privacy eavesdropping attacks, according to researchers at Rutgers University-New Brunswick.

The research shows hackers could use popular AR/VR headsets with built-in motion sensors to record subtle, speech-associated facial dynamics to steal sensitive information communicated via voice command, including credit card data and passwords.

To demonstrate the existence of security vulnerabilities, the researchers developed an eavesdropping attack targeting AR/VR headsets, known as “Face-Mic.”

The researchers studied three types of vibrations captured by AR/VR headsets’ motion sensors, including speech-associated facial movements, bone-borne vibrations and airborne vibrations.

The research led by Yingying “Jennifer” Chen, associate director of WINLAB and graduate director of Electrical and Computer Engineering at Rutgers University-New Brunswick, noted that bone-borne vibrations in particular are richly encoded with detailed gender, identity and speech information.

“By analyzing the facial dynamics captured with the motion sensors, we found that both cardboard headsets and high-end headsets suffer security vulnerabilities, revealing a user’s sensitive speech and speaker information without permission,” Chen said in a statement.

“Face-Mic is the first work that infers private and sensitive information by leveraging the facial dynamics associated with live human speech while using face-mounted AR/VR devices,” she said. “Our research demonstrates that Face-Mic can derive the headset wearer’s sensitive information with four mainstream AR/VR headsets, including the most popular ones: Oculus Quest and HTC Vive Pro.”

Although vendors usually have policies regarding utilizing the voice access function in headset microphones, Chen’s research found that built-in motion sensors, such as an accelerometer and gyroscope within a VR headset, do not require any permission to access. This security vulnerability can be exploited by malicious actors intent on committing eavesdropping attacks.

Oculus Quest, for example, supports voice dictation for entering web addresses, controlling the headset and exploring commercial products. Rutgers’ Face-Mic research shows that hackers may leverage these zero-permission sensors to capture sensitive information, leading to severe privacy leakages.


The eavesdropping attackers can derive simple speech content, including digits and words, to infer sensitive information, such as credit card numbers, Social Security numbers, phone numbers, PIN numbers, transactions, birth dates and passwords. Exposing such information could lead to identity theft, credit card fraud and confidential and health care information leakage.

Chen said that once a user has been identified by a hacker, an eavesdropping attack can lead to further exposure of the user’s sensitive information and lifestyle, such as AR/VR travel histories, game/video preferences and shopping preferences. Such tracking compromises users’ privacy and can be lucrative for advertising companies.

“Given our findings, manufacturers of VR headsets should consider additional security measures, such as adding ductile materials in the foam replacement cover and the headband, which may attenuate the speech-associated facial vibrations that would be captured by the built-in accelerometer/gyroscope,” she said.

Chen said she hopes these findings will raise awareness in the general public about AR/VR security vulnerabilities and encourage manufacturers to develop safer models.

The post Security Vulnerabilities Found in VR Headsets appeared first on My TechDecisions.

ManagedMethods Survey: 30% of K-12 School Districts Lack Cloud Security
https://mytechdecisions.com/network-security/managedmethods-survey-30-of-k-12-school-districts-lack-cloud-security/
Tue, 23 Nov 2021 23:16:18 +0000

Research by ManagedMethods, a Google Workspace and Microsoft 365 cybersecurity, student safety and compliance platform for education, has found gaps in the cybersecurity strategies of district administrators when it comes to protecting their cloud collaboration and storage applications.

The report reveals that 30% of district administrators with at least a medium level of influence on technology decisions do not have a security platform to protect cloud applications. Half of respondents either did not have a platform in place or did not know if a platform had been implemented in their district.

“School districts have long led the charge into cloud technology by embracing Google Workspace and Microsoft 365 cloud applications. This new research tells us that some district administrators are unaware of the cybersecurity, safety, and privacy risks that come with using them,” said Charlie Sander, chief executive officer at ManagedMethods, in a statement. “Technology leaders need to know their cloud environments may be vulnerable, and that it’s their responsibility to secure them.”


The report indicates that, among district administrators, cloud security, safety and privacy are not a concern, despite schools being heavily reliant on cloud applications. Only 60% of respondents have a high level of confidence in the privacy and security of the data stored in their cloud applications.

  • 37% are not concerned about data breaches and leaks.
  • 45% are not concerned about compliance with state and federal laws that protect student data.
  • 36% are not concerned about the sharing and viewing of explicit content on their devices.

Of the district administrators surveyed that say they operate in a cloud environment, 28% do not know if they have a monitoring solution in place that protects the data in the school-provided cloud applications.

  • 31% do not know if their cybersecurity platforms consistently monitor the level of risk of files shared with users outside the district’s domain or monitor for potential violations of government regulations.
  • 28% do not know if their cybersecurity platforms monitor the level of risk of files shared within or uploaded into their domains, or report who has access.

District Leaders Store Sensitive Information in the Cloud With Limited Security Budgets

The research findings show the median budget district administrators have available for cybersecurity is $20,000 annually. Of this amount, 20% will go toward protecting cloud applications in 2022. The research also shows that some of the most sensitive information districts have is stored in the cloud — or soon will be.

  • 86% use cloud-based learning management systems (LMS) or plan to move these systems to the cloud.
  • 69% have their human resources systems in the cloud or have plans to move to the cloud.
  • 95% report students and/or staff collaborate using Zoom and/or Google Meet.

Further research can be found in ManagedMethods’ special report, What You Don’t Know Can Hurt You: New Survey Identifies Gaps in K-12 Cloud Security, administered by the EdWeek Research Center.

The post ManagedMethods Survey: 30% of K-12 School Districts Lack Cloud Security appeared first on My TechDecisions.

Microsoft Makes Privacy Easier With Privacy Management For Microsoft 365
https://mytechdecisions.com/compliance/microsoft-makes-privacy-easier-with-privacy-management-for-microsoft-365/
Fri, 22 Oct 2021 20:16:20 +0000

Microsoft has launched Privacy Management for Microsoft 365, a new tool designed to enable customers to protect their personal data and build a privacy-resilient workplace.

In multiple blogs, the company cited the fluidity of hybrid work and the merging of work and personal activities, which is leading to more personal data being generated, creating additional cyber risk.

Because of those concerns, Microsoft has released Privacy Management for Microsoft 365, a tool that allows organizations to identify critical privacy risks and conflicts, automate privacy operations, respond to subject rights requests and empower employees to make smart data-handling decisions, according to the company.

“With role-based access controls and data de-identified by default, Privacy Management for Microsoft 365 helps organizations to have end-to-end visibility of privacy risks at scale in an automated way,” wrote Vasu Jakkal, Microsoft’s corporate vice president of security, compliance and identity.

The tool automatically and continuously discovers personal data in customers’ Microsoft 365 environments by leveraging data classification and user mapping intelligence, enabling organizations to see an aggregated view of their privacy posture. Privacy admins can also see the current status and trends of the associated privacy risks arising from personal data being overshared, transferred or unused, according to Microsoft.

To help organizations mitigate privacy risks before they become a problem, Privacy Management correlates data signals across the Microsoft 365 suite to deliver actionable insights that allow privacy admins to automate privacy policies via an out-of-the-box template. This helps organizations keep tabs on data transfers, data minimization, data overexposure and subject-rights request management.

The tool also provides insights and contexts to admins to help them automate privacy policies and protect sensitive data. Data owners are also given recommended actions, training and tips to make smart data-handling decisions, eliminating the need to choose between privacy and productivity, Jakkal wrote.

The tool comes with APIs that allow organizations to integrate with existing solutions to automatically create and manage subject rights requests in privacy management.

Microsoft is also partnering with privacy software companies like OneTrust, Securiti.ai and WireWheel to extend capabilities to personal data stored outside of the Microsoft 365 environment.

Microsoft also announced new regulation assessments in Microsoft Compliance Manager.

Check out Jakkal’s blog for more information, or this Tech Community blog for more technical details.

The post Microsoft Makes Privacy Easier With Privacy Management For Microsoft 365 appeared first on My TechDecisions.

DuckDuckGo CEO Attempts to Revive Do Not Track Standard
https://mytechdecisions.com/compliance/duckduckgo-ceo-attempts-to-revive-do-not-track-standard/
Wed, 22 May 2019 14:00:19 +0000

With the myriad of data scandals plaguing our news feeds over the past few years, a tech insider wants to take a stab at privacy legislation.

Gabriel Weinberg, the CEO of privacy-first search engine DuckDuckGo, wrote a bill that attempts to revive a privacy standard that was laid to rest about 10 years ago—the Do Not Track standard. The bill calls for more regulation and accountability of companies that collect private data and distribute it and aims to “undo the tangle of online advertising,” according to The Verge.

“Do Not Track is one thing that you can do that will opt you out of all the tracking. All that’s really left is to give it regulatory teeth,” says Weinberg. “What you need to do is have the government establish what opting out of tracking really means.”

Scandals involving Cambridge Analytica, Marriott, Equifax, and many others have proven private companies either incompetent or simply unable to build and maintain adequate privacy policies and infrastructure that protect their customers. It’s no surprise that the fight to preserve consumer privacy, given that the tech industry has largely failed at self-regulation, would eventually end up in the legislative arena.

But the bill’s chances are rather bleak. Weinberg has yet to bring any lawmakers on board, and the bill is likely to stall in Congress like many privacy and data bills before it. And with a White House and Senate so averse to regulation and unknowledgeable of the inner workings of the tech industry—and technology itself—it will likely be skimmed over.

If it did pass, however, the bill would institute strict rules regarding the opt-out setting and create clear penalties for sites and ad networks that don’t abide. First-party tracking would be limited to “what the user expects” and all third-party tracking would default to off for any user sending the DNT signal.

It is a David up against a Goliath amalgamated from anti-regulatory politicians, large tech and wireless corporations, and slow-working bureaucracy, but Weinberg’s main goal is to simply bring a legitimate privacy conversation back to the forefront.

The post DuckDuckGo CEO Attempts to Revive Do Not Track Standard appeared first on My TechDecisions.

3 Ways to Prevent Data Breaches
https://mytechdecisions.com/network-security/prevent-data-breaches/
Tue, 21 May 2019 16:20:20 +0000

It seems like every day in the news you read about another data breach. According to a study published by IBM, an organization has a 27% chance of suffering a breach of at least 1,000 records. There have been so many data breaches in the past several years that now it seems commonplace.

“According to the Privacy Rights Clearinghouse, there have been 9,033 data breaches made public since 2005 — and those are just breaches that were reported in the U.S. or affected U.S. consumers. Spread out over the last 14 years, that averages out to about 1.77 breaches a day. All told, there were at least 11.6 billion records lost in those breaches.” — article by John Zorabedian

Many experts today believe that consumers are now suffering from “data breach fatigue.” Instead of being outraged, consumers either feel despondent or apathetic – often choosing to not discuss it with their friends or family after reading data breach statistics such as the ones above.

If pressed, most consumers will say that they care; however, a recent study by the Ponemon Institute found that 32% of data breach victims took no action to protect their data after a breach, and 55% took no action to guard against identity theft.

It’s clear that our actions don’t match our words when it comes to data breaches.

Given the relative apathy from consumers and the likelihood that all organizations will eventually become the victim of a breach, it’s inevitable that businesses will choose to not dedicate an adequate amount of resources toward their cybersecurity programs.

However, becoming the victim of a cybersecurity incident often results in the company having to pay substantial direct and indirect costs.

Costs to Consumers and Businesses

The cost of a significant data breach in the United States is astounding.

According to the study published by IBM, the average cost of a breached record for a U.S. company was an astounding $233, and the average total cost of a data breach in the United States was nearly $8 million.

These costs were demonstrated to an extraordinary degree in the 2017 Equifax breach of approximately 143 million records. Since that time, reports indicate that Equifax has paid a total of $439 million in costs, which include security upgrades, credit monitoring services, legal fees, as well as fines and settlements from scores of lawsuits.

Hidden Costs of Data Breaches

Not only do organizations pay an exorbitant amount in direct costs as the result of a breach, but cybersecurity incidents can also affect an organization’s bottom line through indirect costs.

Before it was revealed that Yahoo! suffered a mega-breach of approximately 500 million accounts in 2013 and 2014, Yahoo! was set to be purchased by Verizon for approximately $4.8 billion.

After the breach, Verizon purchased Yahoo! for approximately $4.48 billion. This breach, which did not include sensitive information such as payment card or bank information, cost Yahoo! $350 million.

Worse yet, this amount did not include costs related to legal fees, fines, breach notifications, and various corrective actions.

Given the astronomical costs of a data breach, it’s important to discuss some quick data breach detection tools and action items that companies can use to guard against such incidents.

Strategies for Preventing Data Breaches

What can be done to protect your customers’ information? While the answer is always going to be “adopt a best-practices information security program such as what is stated in the NIST 800-53 framework,” there are some immediate action items that can be undertaken to mitigate the risk of being the victim of a material breach.

First, approximately 25% of data breaches are the result of well-meaning employee mistakes, such as falling for a phishing scheme or inadvertently disclosing sensitive data.

To guard against these mistakes, organizations should provide basic security awareness training to information system users, including managers, senior executives, and contractors as part of initial onboarding training.

Companies should provide this training within 60 days of onboarding. The organization’s workforce members should also be provided with refresher training on an annual basis.

Second, organizations should ensure that their patching practices are up to speed.

Within the past couple of years, studies have shown that inadequate patching of information systems has been one of the main causes of data breaches.

For new systems, the organization should ensure that the latest patches are installed on the systems so that those systems comply with the organization’s hardened system configuration. For those systems that are considered critical, organizations should patch those systems within one month of that particular patch’s release.

Finally, it’s important to be aware of who is doing what within the information system.

Companies should ensure that an audit logging mechanism is running on the information system and also that the mechanism cannot be disabled by users.

This audit logging solution should log, among other things, all user access to the sensitive information environment as well as invalid access attempts. The logging mechanism should identify the user, record the type of event that was performed, and identify the affected data, component or resource.

Logs should be reviewed daily, and when suspicious activity is discovered, the organization should address the incident according to the organization’s incident response policy.

Many incidents last for months or years due to administrators not actively monitoring the system activity on a daily basis. By monitoring the system activity, companies can greatly reduce the severity of the incident should it occur.
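The audit-logging guidance above (record the user, the event type and the affected resource; log invalid access attempts; review daily) and the HHS indicators in the healthcare article earlier on this page (off-hours remote access, massive downloads, heavy attachments to non-corporate addresses, disabled logs) can be turned into simple correlation rules. The Python below is an added example written for this page, not code from either article or from HHS; it assumes a constructed JSON-lines audit format, an internal address range of 10.0.0.0/8, a corporate mail domain of example-health.org and working hours of 07:00 to 18:59, all of which are illustrative.

```python
"""Toy SIEM-style correlation over constructed audit records.

Assumptions (not taken from the articles): a JSON-lines audit format with
the fields ts (ISO 8601), user, event, resource, src_ip, outcome and bytes;
an internal address range of 10.0.0.0/8; a corporate mail domain of
example-health.org; and working hours of 07:00 to 18:59.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
CORP_DOMAIN = "example-health.org"
WORK_HOURS = range(7, 19)              # hours that count as working hours
BULK_DOWNLOAD_BYTES = 500 * 1024 ** 2  # per user per day
FAILED_ACCESS_LIMIT = 5                # denied attempts per user per day
HEAVY_ATTACHMENT_BYTES = 20 * 1024 ** 2

# Constructed sample audit records, not real log data.
SAMPLE_LOG = """
{"ts":"2022-04-21T09:12:03","user":"jdoe","event":"file_read","resource":"/ehr/patients/1042","src_ip":"10.1.4.22","outcome":"success","bytes":4096}
{"ts":"2022-04-21T02:15:44","user":"rsmith","event":"remote_login","resource":"srv-ehr-01","src_ip":"203.0.113.9","outcome":"success","bytes":0}
{"ts":"2022-04-21T02:17:10","user":"rsmith","event":"file_read","resource":"/ehr/export/all_patients.csv","src_ip":"203.0.113.9","outcome":"success","bytes":420000000}
{"ts":"2022-04-21T02:31:52","user":"rsmith","event":"file_read","resource":"/ehr/export/billing.csv","src_ip":"203.0.113.9","outcome":"success","bytes":150000000}
{"ts":"2022-04-21T10:03:00","user":"tlee","event":"email_send","resource":"mailto:t.lee@personal-mail.example","src_ip":"10.2.0.7","outcome":"success","bytes":31457280}
{"ts":"2022-04-21T10:05:00","user":"tlee","event":"email_send","resource":"mailto:dr.kim@example-health.org","src_ip":"10.2.0.7","outcome":"success","bytes":512}
{"ts":"2022-04-21T11:00:01","user":"mchen","event":"file_read","resource":"/finance/payroll.xlsx","src_ip":"10.3.1.9","outcome":"denied","bytes":0}
{"ts":"2022-04-21T11:00:09","user":"mchen","event":"file_read","resource":"/finance/payroll.xlsx","src_ip":"10.3.1.9","outcome":"denied","bytes":0}
{"ts":"2022-04-21T11:00:15","user":"mchen","event":"file_read","resource":"/finance/payroll.xlsx","src_ip":"10.3.1.9","outcome":"denied","bytes":0}
{"ts":"2022-04-21T11:00:22","user":"mchen","event":"file_read","resource":"/finance/payroll.xlsx","src_ip":"10.3.1.9","outcome":"denied","bytes":0}
{"ts":"2022-04-21T11:00:30","user":"mchen","event":"file_read","resource":"/finance/payroll.xlsx","src_ip":"10.3.1.9","outcome":"denied","bytes":0}
{"ts":"2022-04-21T13:40:00","user":"rsmith","event":"audit_disable","resource":"srv-ehr-01","src_ip":"10.1.4.50","outcome":"success","bytes":0}
"""


def parse_log(text):
    """Parse JSON-lines audit records; each carries user, event type and resource."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def is_external(ip):
    """True when the source address is outside the assumed internal range."""
    return ipaddress.ip_address(ip) not in INTERNAL_NET


def detect(records):
    """Return (user, rule, detail) findings for the indicators listed by HHS."""
    findings = []
    downloads = defaultdict(int)  # (user, day) -> bytes successfully read
    failures = defaultdict(int)   # (user, day) -> denied access attempts
    for r in records:
        key = (r["user"], r["ts"].date())
        # Remote access to a server during non-working hours, from outside.
        if (r["event"] == "remote_login" and r["ts"].hour not in WORK_HOURS
                and is_external(r["src_ip"])):
            findings.append((r["user"], "off_hours_remote_access", r["resource"]))
        # Accumulate per-day download volume for the bulk-download rule.
        if r["event"] == "file_read" and r["outcome"] == "success":
            downloads[key] += r["bytes"]
        # Invalid access attempts, which the logging guidance says to record.
        if r["outcome"] == "denied":
            failures[key] += 1
        # Heavy attachment sent to a non-corporate address.
        if r["event"] == "email_send":
            domain = r["resource"].rsplit("@", 1)[-1]
            if domain != CORP_DOMAIN and r["bytes"] >= HEAVY_ATTACHMENT_BYTES:
                findings.append((r["user"], "heavy_attachment_external", r["resource"]))
        # Disabling system logs is itself an indicator of IT sabotage.
        if r["event"] in ("audit_disable", "log_clear"):
            findings.append((r["user"], "audit_tampering", r["resource"]))
    for (user, day), total in downloads.items():
        if total >= BULK_DOWNLOAD_BYTES:
            findings.append((user, "bulk_download", f"{total} bytes on {day}"))
    for (user, day), n in failures.items():
        if n >= FAILED_ACCESS_LIMIT:
            findings.append((user, "repeated_access_denied", f"{n} denied on {day}"))
    return findings


def daily_review(text):
    """One pass over a day's log, grouped by user, for the daily review step."""
    by_user = defaultdict(list)
    for user, rule, detail in detect(parse_log(text)):
        by_user[user].append((rule, detail))
    return dict(by_user)


if __name__ == "__main__":
    for user, hits in daily_review(SAMPLE_LOG).items():
        print(user)
        for rule, detail in hits:
            print(f"  {rule}: {detail}")
```

Thresholds such as the download volume and the denied-attempt count are starting points that a real deployment would tune per environment and per role.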

While cybersecurity incidents have become commonplace in today’s information security landscape, the costs incurred by companies that have been breached have demonstrated the need for continued cybersecurity vigilance.

By training their workforce, patching their systems, and monitoring the activity that takes place on the information system, companies can reduce the risk of an incident as well as lessen the severity should one occur.

The post 3 Ways to Prevent Data Breaches appeared first on My TechDecisions.

4 Critical Infrastructure Best Practices for Increased Efficiency https://mytechdecisions.com/facility/4-critical-infrastructure-best-practices/ Tue, 14 May 2019 09:02:47 +0000

The post 4 Critical Infrastructure Best Practices for Increased Efficiency appeared first on My TechDecisions.

Any business or infrastructure that needs to operate 24/7 — with no downtime — requires a critical infrastructure. Many think of control rooms and command centers, specifically in areas such as emergency response, banking, transportation, and the like. However, at this point, most every company has some kind of critical infrastructure needs, large or small.

If you have any sort of data center in your organization, then you have a need for a critical infrastructure.

A single hour of outage – whether a result of a blackout, faulty tech, or, most likely, human error – can cost a company anywhere from thousands of dollars to hundreds of millions of dollars depending on its size and need for a critical infrastructure space.

With that in mind, it's important to ensure that your space has as little risk of outage as possible.

Here are some critical infrastructure best practices to help make sure that you’re setting your critical infrastructure implementation up for success:

Understand Power Needs

From a critical infrastructure standpoint, you need to be able to power the space with pure power. That means it needs to be conditioned – the same way that a water supply needs to be conditioned.

If you can condition your power using the right technology and proper distribution, you won't run into the problems that many others will.

When it comes to power in critical infrastructure systems, we're talking about standby generators, uninterruptible power supplies, automatic or static transfer switches, high-end cooling systems, and environmental control.

It’s not just about buying the equipment, either. You’ll also need to test and commission it properly.

The challenge – whether a legacy facility or a brand-new build – is to get a consultant that understands the market and the geography of the area. Is your area prone to earthquakes, tornadoes, or hurricanes? That will play a huge part in the power sources and backup sources you need.

Needs change every year – companies acquire new companies, inherit legacy critical infrastructures that are run and managed in different ways, and consistency is lost. A proper consultant will look at the full lifecycle of care for these spaces, taking into account the past, present, and future of your organization.

Invest in the Right Technology, Not Most Expensive

When you design a new critical infrastructure implementation, you need to start with the basis of design document.

Get every stakeholder in the room to discuss what their needs and requirements are. This is a vetting process. When this document is created, people will become aware of the risk, and of the resiliency that the implementation requires.

That process is going to give the installer a tome of valuable information. Each line of business is going to require different capabilities, but that doesn’t mean that everyone needs Tier 4 solutions.

If you don’t have that initial discussion, you might decide to go with all Tier 4 (the highest level of reliability and redundancy) solutions right off the bat.

That's going to cost a substantial investment, and you won't learn until later that you might have overspent in certain areas where specific stakeholders didn't need the top-of-the-line coverage you assumed they did.

Identify which sections of your business don’t need to be up 24/7, and which sections do.

Define your requirements, identify the cost of being down for an hour, and make your decisions based on the potential loss. If you do a good job with the basis of design, you’ll end up with the proper implementation.

Understand Management Needs & Train Operators

When you buy a new car, it comes with an owner’s manual. You can spend $100 million to build out a critical infrastructure – it doesn’t come with an owner’s manual.

It comes with a trunk of information that sits on the primary stakeholder’s shelf until they move to another company or position.

From the basis of design to the transition of operations, you need to put controls in place that allow you to understand how to manage the facility once you’re handed the keys. Most times, the proper programs aren’t in place.

The key is training, education, and a continued improvement process not just with people, but with equipment in the facility.

The majority of downtime in critical infrastructures occurs as a result of human error. The technology is the technology, but the human element is unpredictable. You need to use education and training as the tool to fight against human error the way you might use maintenance cycles to fight against technological error.

The challenge is a lack of talent. Students often don’t learn to operate critical infrastructure environments – they’ll learn electrical, mechanical, civil, and structural engineering, but not operation.

When a new employee comes in, start with a skills assessment. Identify those skills, strengths and weaknesses. Knowing the weaknesses is most important – once identified, you can put a program together that educates them and turns weaknesses into strengths.

This means proper daily inspections, proper response and action plans, standard operating procedures, and so on. These shouldn't only be in place; you should also have software programs that help educate employees on them.

That way not only does the staff understand how to operate the space, but new employees will, too. An orientation program keeps these spaces consistent and builds culture in the organization.

Keep in mind that the people running these spaces now will be retiring sooner rather than later. You should set up programs that let those individuals transfer their knowledge to the newer employees who will one day take over.

It’s people that run these facilities. If the critical infrastructure goes down, it hurts the company. If you don’t properly educate the employees maintaining and operating the facility, you’re setting yourself up for failure.

The Efficiency Factor

Both people and technology work to make a critical infrastructure efficient.

From the technology side, the equipment you buy must be efficient, and you have to ensure it's loaded properly. People are the ones that maintain it, though. You can become inefficient operationally, and in turn not set the proper thresholds, which will affect the technology.

Cooling systems are a great example: they're an important and costly aspect of any data center. If you don't have proper thresholds and set points calibrated appropriately, that data center might spend another 10% on cooling.

Over the course of a year that's a large amount of money for electricity – a cost that could have been avoided by raising the set points to the industry standard. Humans and technology work together to make that efficient – the human calibrates and the technology works based off of that set point.


You need both in tandem to remain efficient and eliminate unnecessary costs.

Let’s say you want to use a fuel cell for your data center, rather than going grid to chip for power. It can provide efficiencies above 65%, while the grid efficiency is only 33%. That becomes a problem. You have to outlay a bit more money, but you’ll see a return on your investment over the life of the building.

What makes a critical infrastructure environment robust is blending alternative energy with conventional energy. When the grid is out, then the alternative energy can provide some capacity to run processing.

Power, people, and processes – put best practices into those three areas and you’ll have an efficient data center.

Facial Recognition's All-Too-Close Relationship with Privacy Violation https://mytechdecisions.com/physical-security/facial-recognitions-all-too-close-relationship-with-privacy-violation/ Tue, 02 Apr 2019 16:00:38 +0000 Facial recognition is the hot new development in big tech, but companies are taking privacy shortcuts to get an edge.

The post Facial Recognition’s All-Too-Close Relationship with Privacy Violation appeared first on My TechDecisions.

Facial recognition has experienced exponential growth over the past few years thanks to its partnership with artificial intelligence. Its rise has been defined not only by extraordinarily advanced technology but also by controversy and backlash regarding privacy violation and built-in bias.

The early developers of facial recognition began growing a database of faces that would feed the machine learning mechanism by having people come in, sign a consent form, and have their pictures taken. But why rely on such a cumbersome and expensive process when you've got the internet, chock full of a diverse array of images and faces?

The internet now provides gargantuan amounts of data for AI-based facial recognition technologies to comprehensively understand human facial features. “For the facial recognition systems to perform as desired, and the outcomes to become increasingly accurate, training data must be diverse and offer a breadth of coverage,” said IBM’s John Smith, in a blog post announcing the release of the data.

But the process of obtaining data is not always kosher. IBM, for instance, recently released a collection of almost a million photos that they had taken from Flickr, a photo hosting site, and annotated with details to help build their facial recognition algorithm.

“People gave their consent to sharing their photos in a different internet ecosystem,” said Meredith Whittaker, co-director of the AI Now Institute, which studies the social implications of artificial intelligence. “Now they are being unwillingly or unknowingly cast in the training of systems that could potentially be used in oppressive ways against their communities.”

John Smith, though, claims that the company is committed to “protecting the privacy of individuals” and “will work with anyone who requests a URL to be removed from the dataset.”

NBC News, however, found this to be a bit misleading. “IBM requires photographers to email links to photos they want removed, but the company has not publicly shared the list of Flickr users and photos included in the dataset, so there is no easy way of finding out whose photos are included,” they wrote. “IBM did not respond to questions about this process.”

IBM is not the lone culprit in such practices. Dozens of other companies looking to get an edge in the race towards the best facial recognition technology are skirting the lines of privacy and consent.

The Government Has Access to Your Genes – Here's Why That's a Problem https://mytechdecisions.com/compliance/the-government-has-access-to-your-genes-heres-why-thats-a-problem/ Tue, 19 Feb 2019 17:00:45 +0000 Since one DNA testing company recently granted the government access to its users' DNA data, issues of privacy are coming to the forefront.

The post The Government Has Access to Your Genes – Here’s Why That’s a Problem appeared first on My TechDecisions.

The DNA testing business has been booming for some time, Bloomberg says. In fact, Ancestry.com and 23andMe Inc. alone have sold more than 15 million DNA kits.

But, while more people are using these DNA tests, more problems are arising, especially with privacy. The issue took off in spring of 2018, when police gained access to genetic data from a genealogy website to nail down a suspect in the Golden State Killer case. More recently, consumer DNA-testing company FamilyTreeDNA enabled federal law enforcement to have access to the genetic information of millions of people.

“On a case-by-case basis, the company has agreed to test DNA samples for the FBI and upload profiles to its database, allowing law enforcement to see familial matches to crime-scene samples,” Bloomberg says. “FamilyTreeDNA said law enforcement may not freely browse genetic data but rather has access only to the same information any user might.”

While that might be the intent, genealogists are raising concerns about users' right to privacy. For example, reliance on genetic testing might lead law enforcement on a wild goose chase and land them with the wrong person. "The real risk is not exposure of info but that an innocent person could be swept up in a criminal investigation because his or her cousin has taken a DNA test," Debbie Kennett, a genealogist, told Bloomberg.

Similarly, people who opt to have their DNA tested put family members at risk, too. “That’s how police caught the alleged Golden State Killer,” Bloomberg says. “A study last year estimated that only 2 percent of the population needs to have done a DNA test for virtually everyone’s genetic information to be represented in that data.”

As with sensitive data stored in the cloud or on a network – secured or unsecured – there seems to be no such thing as "protected data": people who take genetic tests give DNA companies their genetic data and, depending on the contracts that company has, give other entities – businesses, the government – that data, too. As a result, end users and decision makers alike should keep this case study in mind when considering how and where to store their data, and when imparting privacy best practices to employees and customers.
