Eleven years ago, Joanne McNabb started the nation's first-ever state Office of Privacy Protection, under then-Gov. Gray Davis.
Recently, her job was moved to the state attorney general's office, which has launched an eCrime unit focused on nabbing and prosecuting cyber-criminals.
McNabb discussed with The Bee her new role and California's ongoing battle against identity theft and cybercrime.
>The Federal Trade Commission reports California has the most ID theft complaints of any state and third highest per capita. Why is California ranked so high for identity theft and online crime?
I don't think we can draw many conclusions from the FTC data on ID theft complaints because it is a limited sample of ID theft victims. California's ranking as third in complaints per 100,000 population is based on just 38,607 complaints.
It doesn't necessarily mean we have a higher percentage of victims. We might be more vocal. In the last decade, so many privacy issues have arisen in this state and a lot of new technologies have come out of California, so Californians may be more aware of the issues.
Do you feel firms like Google, Apple and Facebook are doing enough to protect the privacy of their users?
The AG's office is bringing those companies together and encouraging them to do better and better. (Under an agreement announced by Attorney General Kamala Harris in February, the nation's top mobile and social networking companies agreed to improve privacy protections for consumers who access the Internet through applications, or apps, on their smartphones and other devices.)
We're working with a broadly representative group of 20 people in the "mobile ecosystem" that includes Google, Facebook, as well as telecom carriers, mobile advertising networks, academics. We're doing a "best practices" project on how to improve consumer privacy notices on mobile phone apps.
How would it work?
Privacy notices are required by state law for most online applications. What we're trying to avoid is having people be surprised and unhappy about inappropriate information flows. For example, if you download a flashlight app, you don't expect it to pull your address book from your phone. With a privacy notice, that would be disclosed to you in the app store or on your device before you use it. You're given the opportunity to say 'No,' before it happens.
Consumers have a right to know what is going on with their information.
Aside from mobile phones, where else are you focused on privacy protection?
Medical ID theft, which can lead to inappropriate diagnoses, being denied jobs because of (inaccurate) medical information, getting billed for medical care that's not yours.
We're working on best practices among various players in the health care industry. As health records become electronic, it's about looking for anomaly detection. Just like your credit card company notifies you if it sees a purchase in Paris on your account. Imagine if your doctor's office suddenly sent an alert or flagged suspicious information that appeared in your records.
When it comes to identity theft, where are consumers especially vulnerable?
Passwords. We've seen a number of data breaches involving email addresses and passwords. Someone armed with your email address can take over your account and do all sorts of things, including committing crime (disguised) as you. Passwords can be astonishingly easy to guess: Your dog's name, your kid's name, things gleaned from social networking sites.
How should consumers protect themselves?
We should all be using a variety of strong passwords: At least 8 characters; a combination of uppercase, lower case and numbers; not a searchable dictionary word; not your anniversary, birthday or your dog's name.
It's a pain to not be able to use the same password everywhere, but if one password gets compromised, you're exposed with every account you have. It's amazing how many people don't have passwords on their mobile phones. A password makes it less useful to the casual thief.
Are you discouraged by how prevalent and insidious cybercrime continues to be?
No, not discouraged, but certainly concerned. Like crime in general, cybersecurity is something we have to work on continually; to keep making ourselves smarter about what we do online. Schools are starting to teach online safety and that's where it has to start. Our kids will be better at it than we are.