Privacy Industry Specialist Flashcards

1
Q

Managing Consents in Salesforce

A

Salesforce enables you to honor people’s requests about how you as a business would use their data.
The Salesforce platform supports GDPR and nation-specific data protection laws like CCPA in the United States or CASL in Canada.

The most common use cases are implementing data privacy preferences to manage customer privacy in the form of Consent Management Objects.
These objects allow us to establish authorization audit details and manage communication methods for customers to provide consent authorization and record communication preferences, respectively. For example, these objects can enable customer preferences to prevent sending emails or prevent referring customer data.

2
Q

GDPR workflow for Microsoft Dynamics overview

A

Like the event registration workflow, the consent workflow relies on Surveys and campaign responses to manage consent status. As part of the package we have introduced 2 new response code options (Consented and Withdrawn), which should be used when building the consent survey. As in the event registration workflow, the integration updates the response code, changing its status to Consented or Withdrawn and triggering a Dynamics workflow that automatically updates the contact ‘Consent’ field.
The consent status of your campaign can be managed from the ‘Consent Report’ form available within the Campaign.

Requirements
Concep Send for Microsoft Dynamics solution v1.4 or above installed
Microsoft Dynamics v7.0 or above

3
Q

Why Amazon?
What is the most innovative idea?
When you did not meet a commitment, how did you pivot?
- Tell me about a time when you had to work out of your comfort zone. How did you manage?
- Tell me about a time when I innovated things in the project and how it helped.
- Tell me about a time when you solved a big problem with a small solution.

A
4
Q

Criteria: Ask clarifying questions to scope-down and define requirements.

Your interviewer is there to help you with clarifying questions, assumptions, and providing a customer’s perspective. As a designer you should start with the (primary) customer and work backwards:

A

Who are you designing the system for and why?
What expectations do they have in terms of functionality?
What things would a customer just assume will be in the system but they may not think about in the forefront of their minds? (e.g. it’ll be fast and secure)
What happens if we become hyper-popular with customers? What does 2x growth look like? Or 10x? And how would that influence the design?
Understand first what problem your system is supposed to solve. Ask clarifying questions if this is not clear.
See the interviewer as the customer, requirements might be intentionally vague, and she/he can give you clarifications.
Write/raise the requirements or assumptions you are making, and base your design on them.
Feel free to create a diagram if that helps you clarify your thoughts.

5
Q

The candidate is asked to review a system that is designed to drive customers who visit an e-commerce website to use the mobile application instead by leveraging ads. The interviewer is asking questions to understand how the candidate would design for performance.

Alright, now that you’ve had some time to review this ads scenario, I’m interested to learn how you would monitor this solution?

A

Candidate: There are some baseline technical metrics that we could monitor such as CPU and memory utilization for the hosts or processes that are executing our workflow (e.g. if we were using Spark jobs or something similar). We should also emit metrics on workflow success/failure. This can start out granular but we should also be able to emit these for each workflow step in order to identify if there are particular steps that have errors or are less reliable. Timing metrics, per workflow and per overall step, would also be important here so that we can catch any performance degradation early. We should also look at business metrics and data quality metrics. For example, if we processed an unexpected number of records (too many or too few) that could be something an operator needs to look into. We should consult with our business users on what kind of quality metrics are important for them, as they may be closer to the data or have a better understanding of what certain fields mean and what their expected values are.

6
Q

Interviewer: Thanks for walking me through those examples. I agree capturing both technical and business metrics is important. You also mentioned having someone look into issues. How would you report and respond to failures or issues?

A

Candidate: Well, we could send notifications or reports (for example, via email) for someone to investigate. I’ve seen in the past that workflows can sometimes have intermittent failures, so we could also configure retries and only alarm if all retries are exhausted in order to prevent noisy work for our operators.

7
Q

What makes this a strong system design?

A

This response shows more strength criteria such as:

Designs for operational performance, plans for failure, and measures the results (e.g., metrics)
Considers both technical and business metrics, as well as data quality
Thinks about how to monitor for performance and catch potential problems
Considers resiliency and making things easier for operators

8
Q

23.3% of skills that requested privacy-sensitive information did not have a complete privacy policy. In other words, those developers neglected to address exactly how user data will be accessed, used and protected. What’s more, those researchers also discovered that many skills use the same wake up word. Consequently, users may inadvertently share information with the wrong developer.

A
9
Q

Alexa does record your voice. But it only records a short snippet of audio whenever it detects the wake word. Those recordings are automatically sent to the cloud, where they’re accessible to the user through the Alexa app.

A
10
Q

Perhaps worst of all, Amazon doesn’t verify the developers on their skills store. In other words, phishing scammers could pose as legitimate developers to fool unwitting consumers into sharing private information.

A
11
Q

Alexa best practices
To mitigate these privacy concerns, you need to know some best practices:
Routinely delete your voice recordings: At the end of every day, ask Alexa to delete your recordings. You can also choose to delete your entire history of recordings in the Alexa app.
Review your history to see what was recorded: In the Alexa app you can listen to your entire history of voice recordings to understand what information may have been collected.
Opt out of the quality assurance program: This is how you can ensure your recordings aren’t being sampled and exposed to Amazon’s team of specialists.
Mute the microphone when not in use: By physically turning off your Alexa device’s microphone, you won’t be able to make requests, but you also won’t risk unwanted recording.

A
12
Q

Amazon proudly states they are not in the business of selling your personal information to others, which is good. However, a good question to ask is, why would Amazon need to sell your data when they have their own advertising and retail juggernaut to use your data to sell you more stuff? Because Amazon is in the business of selling you more stuff. This means Amazon collects a whole lot of data on you – records of your shopping habits, Alexa search requests, the music you stream, the podcasts you listen to, when you turn your lights on and off, when you lock your doors, and on and on and on.

A
13
Q

What’s good with Alexa? They make it possible to automatically delete voice recordings immediately after they are processed. That’s a nice feature after the controversy around human reviewers listening in to Alexa voice recordings. However, Amazon says when you delete your voice recordings, they still can keep data of the interactions those recordings triggered. So, if you buy a pregnancy test through Amazon Alexa, they won’t forget you bought that pregnancy test just because you ask them to delete the voice recording of that purchase. That record of the purchase is data they have on you going forward and may use to target you with ads for more stuff.

A
14
Q

And then there are Alexa Skills, those little apps you use to interact with Alexa. These Skills can be developed by just about anyone with the, uhm, skill. And with too many of the Skills, third-party privacy policies are misleading, incomplete or simply nonexistent, according to one recent study. When your data is processed by an Alexa Skill, deleting your voice recordings doesn’t delete the data the developer of that Skill collects on you. With over 100,000 Alexa Skills out there, many of them developed by third parties, now your data is floating around in places you might never have imagined.

A
15
Q

These days Alexa is built into everything from your Echo Dot smart speakers to your kids’ toys to your glasses, headphones, and thermostats. And while Amazon doesn’t sell your personal information, they sure do use the heck out of it to target you with more stuff to buy. Is this creepy? Well, with so much data floating around in so many places (and we’re talking a lot of places, both within Amazon and with third parties too), yeah, Amazon’s Echo Dot smart speaker with Alexa can feel pretty creepy.

A
16
Q

Tips to protect yourself
Manage your Alexa privacy settings
Turn the microphone off when you do not need it
Regularly delete your voice history or set an auto-deletion of the old voice data
Minimize usage of Alexa Skills to only the most trusted ones
When using Amazon Skills, be mindful that they are not operating under Amazon’s privacy policy. Better not share sensitive data with Skills’ developers.

A
17
Q

How does the company use this data?
Amazon says they do not sell your personal information. They combine your voice data with third-party data to answer your requests as well as to train Alexa’s speech recognition. You can choose to not save any voice recordings, but it will cost you some features.
While voice recordings won’t be used for ad personalization, the transcripts of recordings, and the list of actions that Alexa did in response to your voice commands, may be.
Amazon uses personal information for purposes such as advertisement, recommendation and personalisation. Some personal data may be shared with third parties. Amazon provides third-party advertisers with information that allows them to serve you more targeted ads, though it claims to not use information that personally identifies you. Instead, Amazon uses an advertising identifier like a cookie or other device identifier. The company also promises it does not “knowingly collect personal information from children” under 13 without parental consent.

A
18
Q

How can you control your data?

A

You can review and delete your voice recordings, one by one, by date range, or all at once. You can also set up an auto-deletion to automatically delete recordings older than 3 or 18 months. You can choose to not save any voice recordings, at the cost of some features. If you choose not to have any voice recordings saved, the text transcripts of your requests will be still retained for 30 days, after which they will be automatically deleted.
Note that even when audio or text records are deleted, Amazon may still retain other data concerning your interactions, such as all records of actions Alexa took in response to your request. They say this allows them to do things like continue to provide your reminders, timers, and alarms, process your orders, remember the things you’ve taught Alexa, and show your shopping and to-do lists and messages sent through Alexa Communications.
If your request was processed by an Alexa skill, deleting your voice recordings does not delete any information that was authorized to be given to and retained by the developer of that skill. Skill developers do not receive voice recordings, but they may be receiving recordings’ transcripts or records of actions Alexa took in response to your requests. This is problematic, because a big share of the more than 100,000 skills are developed by third parties that are not necessarily bound by Amazon’s privacy policies.

19
Q

The research by North Carolina State University found that “23.3% of 1,146 skills that requested access to privacy-sensitive data either didn’t have privacy policies or their privacy policies were misleading or incomplete.

A

For example, some requested private information even though their privacy policies stated they were not requesting private information.” In addition to misleading privacy policies, issues included things like developers being able to claim fake identity (‘Samsung’, ‘Apple’), multiple skills sharing the same Alexa trigger words, etc.

20
Q

Amazon collects data from third parties about you, to target ads better: “Some third-parties may provide Amazon pseudonymized information about you (such as demographic information or sites where you have been shown ads) from offline and online sources that we may use to provide you more relevant and useful advertising.”

A

Amazon’s privacy statement is not entirely clear regarding deletion rights: “To the extent required by applicable law, you may have the right to request access to or delete your personal information. If you wish to do any of these things, please contact Customer Service. Depending on your data choices, certain services may be limited or unavailable.

21
Q

What is the company’s known track record of protecting users’ data?

A

In August 2020, security researchers from Check Point pointed out a flaw in Amazon’s Alexa smart home devices that could have allowed hackers access to personal information and conversation history. Amazon promptly fixed the bug.

In October 2020, Amazon fired an employee for leaking customer email addresses to an unnamed third party.
In October 2019, Forbes reported that Amazon employees were listening to Amazon Cloud Cam recordings to train its AI algorithm.
In April 2019, it was revealed that thousands of employees, many of whom are contract workers and some not even directly employed by Amazon, had access to both voice and text transcripts of Alexa interactions.
In 2018, Amazon’s Echo Dot device recorded a private conversation and sent it to a random contact. The recording consisted of 1,700 audio files.

22
Q

Tracking health issues

A

Health is another area where Amazon appears to be attempting a takeover. The UK’s National Health Service (NHS) has signed a deal for medical advice to be provided via the Echo. At face value, this simply extends ways of accessing publicly available information like the NHS website or phone line 111 – no official patient data is being shared.
But it creates the possibility that Amazon could start tracking what health information we ask for through Alexa, effectively building profiles of users’ medical histories. This could be linked to online shopping suggestions, third-party ads for costly therapies, or even ads that are potentially traumatic (think women who’ve suffered miscarriages being shown baby products).
An Amazon spokesperson said: “Amazon does not build customer health profiles based on interactions with nhs.uk content or use such requests for marketing purposes. Alexa does not have access to any personal or private information from the NHS.”
The crudeness and glitches of algorithmic advertising would violate the professional and moral standards that health services strive to maintain. Plus it would be highly invasive to treat the data in the same way many Echo recordings are. Would you want a random external contractor to know you were asking for sexual health advice?

23
Q

Transparency

A

Underlying these issues is a lack of real transparency. Amazon is disturbingly quiet, evasive and reluctant to act when it comes to tackling the privacy implications of their practices, many of which are buried deep within their terms and conditions or hard-to-find settings. Even tech-savvy users don’t necessarily know the full extent of the privacy risks, and when privacy features are added, they often only make users aware after researchers or the press raise the issue. It is entirely unfair to place such a burden on users to find out and mitigate what these risks are.

24
Q

At Amazon, customer trust is at the centre of everything we do and we take privacy and security very seriously. We have always believed that privacy has to be foundational and built in to every piece of hardware, software, and service that we create. From the beginning, we’ve put customers in control and always look for ways to make it even easier for customers to have transparency and control over their Alexa experience.

A

We’ve introduced several privacy improvements including the option to have voice recordings automatically deleted after three or 18 months on an ongoing basis, the ability to ask Alexa to “delete what I just said” and “delete what I said today,” and the Alexa Privacy Hub, a resource available globally that is dedicated to helping customers learn more about our approach to privacy and the controls they have. We’ll continue to invent more privacy features on behalf of customers.

25
Q

Turn off Amazon Sidewalk

A

Sidewalk is the company’s new kind of wireless network built into Amazon devices that shares a little bit of your network with your neighbors. The option was turned on by default and people have no control over what sort of data flows over the network they’re a part of. (This can only be done in the app.)
Open the Alexa app on a phone, tap the More icon → Settings → Account Settings → Amazon Sidewalk. Turn off Enabled. It should now say Disabled.

26
Q

Clear and stop Alexa voice recordings

A

Alexa works by listening for commands, then saving those audio recordings to improve the underlying AI technology. You can stop the recordings from being saved.
In the app, go to Settings → Alexa Privacy → Manage Your Alexa Data → Choose How Long to Save Voice Recordings, then select Don’t Save Recordings.
Amazon claims this will “degrade” its ability to understand you. If you’re worried, you can just set it to auto delete more often.
Log in to your Amazon account on the web and, at the top of the page, go to Account & Lists → Settings → Your Devices and Content → Manage Devices → Devices. Find your Echo or other Alexa device, click Manage Voice Recordings → Delete Voice Recordings.
Or you can do it in the Alexa app in Settings → Alexa Privacy → Review Voice History.
Turn on this setting to delete voice recordings at any time by voice. In the Alexa app, go to Settings → Alexa Privacy → Manage Your Alexa Data and toggle on Enable Deletion by Voice.

27
Q

Stop Amazon from saving your search history

A

This just takes away a possibly revealing trail of everything you’ve looked up on Amazon. It’s a necessity if you share a computer.
Log in to Amazon on the web. Under the search bar, click Browsing History → View and Edit → Manage history → Off. You will no longer get personalized recommendations.

28
Q

If you want to be extra cautious

Mute or unplug all your Alexa devices when not in use, and don’t buy a Halo band.

A
29
Q

Amazon Sidewalk uses three layers of encryption to keep devices secure. The three layers include an application layer, network layer, and a flex message layer. This ensures that both the endpoint and the bridge are validated before the use of the bridge. Also, customers that utilize other customers’ wireless services have no access to view their devices. This means that if my neighbors use my wireless service to run their IoT devices, I run little risk of them being able to see my devices and data. The same encryption standards apply to all third-party applications utilizing

A

the wireless service as well.
Another nice feature of Sidewalk’s security is that all routing information for operating the network components is cleared every 24 hours without any user interaction. Amazon removes the data automatically on its end. Critical customer data isn’t sitting in storage collecting dust and waiting for a hacker to raid it as there is a limited window. Amazon also implemented some features that will help encrypt and anonymize user data, including hashing keys, cryptographic algorithms, and rotating device IDs. Implementing these measures will make it harder for hackers to identify your network and devices uniquely.