The mantra of some legal and marketing departments in industries using RFID and storing guest/customer data is “No Privacy Concerns”. They are hoping to ease the fear of consumers, and allow for easy adoption of the program. However, is this the reality? Facebook is a weak link of privacy in a corporate strategy. The company cannot be directly blamed for this, but the customer definitely has risk.

As a company attempts to gather more data, regardless of how benign it seems, there is a greater risk that someone will want to get that information. And if there is direct financial gain tied to it, there is even more risk.

Anytime data is stored, there should be privacy concerns

Anytime data is stored, there should be privacy concerns

My thought is that ANYTIME a company holds or gathers information there IS a privacy concern. Regarding a company’s stance on privacy, one of my students stated they should say, “Recognizing privacy is important, we have worked hard to address those concerns by building a range of consumer options into our RFID and Social Media program to give you full control of your personal information.”

The sooner companies accept the fact that privacy and security of information is at least a two party job, then we shall be working from the proper premise.  Even top financial companies have regular breaches of security. Heartland Payment Systems data breach Mastercard and Visa for example: Heartland disclosed Jan 20, 2009 that intruders cracked the system it uses to process 100 million card transactions per month from 175,000 merchants. I would imagine that was a VERY secure system.

Until then these threats are acknowledge and talked about, there are things we can do. I will offer you a non-RFID premise of which to be aware.  When using FACEBOOK, do not friend anyone who isn’t really a friend or verified acquaintance. This is not just for a ski area, this scenario can be easily target for any business which has a strong local following. Here is an example of what can happen.

Here is a scenario relevant to a skier or rider:

A crime ring in the Denver or Salt Lake City area opens a few dozen facebook accts and begins “friending” all of the people who like a business, ski resort, sports team, etc.

Companies want to be "liked" on Facebook

Companies want to be "liked" on Facebook

Chances are that a good majority of people are from a nearby metro area. A well established resort may have 50,000 people on Facebook who “Like” the company. The potential new friend (crime ring) writes a nice introduction “Great to have a fellow skier/rider of ‘Snowy Peaks Resort'”.  Let’s say 25% of those people accept the new “friend”. So we have 12,500 people who have friended this crime ring.

Next, the ring is looking for people who are planning a family ski/ride trip “this weekend”. The ring can do a some weekly “research” to find who is going to the mountains, and due to crappy Facebook security I can figure out where the person lives. There are easy free options to gather this data, although a ring can pay $200 a yr for access to programs which can do it more quickly and accurately.

The crime ring also have a few theives on “staff”. On saturday morning, the skier/rider posts, “heading up to the mountains now!”, or just arrived at ‘Snowy Peaks’. Now the burglary begins and guaranteed that nobody is home.

Privacy, what privacy?  ID thieves, are a creative sort. Although the resort did not infringe on any of its privacy policies, this has set a target on guests of “Snowy Peaks”.

I have a significant problem with allowing companies to collect ongoing data from me, especially if they do not recognize these as threats to their guests.

I sent this scenario including actual ways to harvest information to several major ski resorts in Colorado. I am hopeful they will respond with a joint effort of privacy. If there are resorts or businesses which would like to know more, I would be happy to send them a few of these scenarios.

2 potential solutions-

1) The resort can post reminders for people to not accept friends they do not know. Reinforce the message, Privacy is a joint effort between the business and the individual.

2) If the resort uses an application, they can create and promote delayed sending of messages to FB or twitter.  The most conservative settings will be preset, but ongoing management can be set by the guest. Immediate, 4hrs, 8hrs, 24hrs, etc.

Option 2 may create uncertainty in the mind of the thieves, as front range or close proximity skiers/riders often day trip.

Privacy knowledge is powerful. If resorts continue to take the arrogant attitude that there are “No privacy issues” then they are part of the problem.

UPDATE: Fox News just released information that US Governmental Agencies have been “Cyber-friending” people on Facebook and other social media sites.

The Ski Pass Defender is designed to offer the individual the ability to protect access to their RFID stored information. Privacy and security are a joint effort. And Ski Pass Defender costs less than a shared tank of gas.

Jonathan Lawson has been an expert in the field of Identity Theft Risk Management since 2005.  Mr. Lawson has held dozens of education seminars for minors, adults, and seniors regarding identity theft and risk mitigation.

Filed under: News

Like this post? Subscribe to my RSS feed and get loads more!