Internet Privacy & Security Follies & Foibles
Jordan Jones NGS Luncheon / RootsTech 2013
Saturday, March 23, 13
How Many of You Use?
Evernote
Dropbox
Amazon
Tumblr
Apple
Microsoft
How Privacy Can be Breached
The Privacy Rights Clearinghouse categorizes privacy breaches as:
Unintended Disclosure
Hacking or Malware
Payment Card Fraud
Insider
Physical Loss
Portable Device
Stationary Device
Unknown or Other
Read It and Weep
In 2011, it was revealed that the iOS and Android apps of Facebook and Dropbox were accessible to anyone with physical access to the mobile device: the passwords were in unencrypted text files.
Cause: Unintended Disclosure
4 Hour Free-for-All
June 20, 2011 – Dropbox announced that during a four-hour period, a bug in their authentication software would have allowed anyone access to any account, without a password.
Cause: Unintended Disclosure
E-mail Switcheroo
August 1, 2012 – Dropbox revealed that someone hacked into an employee’s account and gained access to a list of customer e-mail addresses, which were then spammed.
Additionally, “usernames and passwords stolen from other sites had also been used to sign in to” Dropbox accounts.
Cause: Unintended Disclosure / Hacking or Malware
The Zen of Hacking
February 21, 2013 – Zendesk was hacked. Customer e-mail addresses, the subject lines of support e-mail (and possibly phone numbers) for users of Twitter, Pinterest, and Tumblr were stolen.
Cause: Hacking or Malware
Yes, Microsoft runs Mac OS
February 22, 2013 – Microsoft was hacked. It is unclear what information if any was stolen. The method was similar to one recently used successfully against Apple, Facebook, and Twitter.
A virus was placed on a legitimate website. This exploited a “zero day” (as yet unknown) security hole in Java for Mac OS X.
Cause: Hacking or Malware
Hacktopia
March 3, 2013 – Evernote was hacked. “User names, email addresses, and encrypted passwords may have been exposed.”
“A total of 50 million users were told to reset their passwords.”
Cause: Hacking or Malware
Information Wants to Be Free
Information Wants to be Free
“On the one hand information wants to be expensive, because it’s so valuable. The right information in the right place just changes your life. On the other hand, information wants to be free, because the cost of getting it out is getting lower and lower all the time. So you have these two fighting against each other.”
— Stewart Brand, 1st Hackers Conference, 1984
Two Kinds of Freedom
1. Free as in beer
2. Free as in speech
Jones’s Corollary to Brand’s Law
“Information is like water; information wants to flow free.” Thanks to Moore’s law and innovation, it is constantly getting cheaper and easier for:
You to share data with people
You to accidentally share information with people
Others to share information you gave them, wider than you wanted
Someone to steal or leak your information
Consequences of Jones’s Corollary for Records Access
Open Access vs. Privacy
Especially since 9/11, federal and state agencies have been tightening access to public records of interest to genealogists.
Because information flows like water, anything private that is divulged can be disseminated further than it could before the Internet.
The most obvious example of government tightening down access to electronic records is the SSDI.
SSDI
The Social Security Death Index (SSDI) is based on the Social Security Administration’s Master Death File (MDF).
The MDF includes about 90 million names of people who have died and whose deaths have been reported to the SSA.
Fraud Based on MDF Data
The MDF was released due to a Freedom-of-Information ruling.
It was expected to help combat fraud.
Banks and other creditors could quickly determine whether the person was dead according to the MDF.
The IRS was apparently not using this method to check returns, and several people had the identities of their deceased children stolen.
Removal of State Records
In the process of looking at the privacy implications of the MDF / SSDI, the SSA noticed that some state records were being improperly divulged. As a result:
SSA expunged 4 million records in Nov. 2011
SSA decreased the number of records added annually by about 1/3 (from 2.8 to 1.8 million)
What’s Happening Now
At least four federal bills have been introduced that would limit access to the MDF / SSDI:
HR 295 “Protect and Save Act of 2013”
HR 466 “Social Security Death Master File Privacy Act of 2013”
HR 531 “Tax Crimes and Identity Theft Prevention”
HR 926 “Social Security Identity Defense Act of 2013”
Genealogy Partnerships
Records Preservation and Access Committee
Voting Members: The National Genealogical Society (NGS), the Federation of Genealogical Societies (FGS) and the International Association of Jewish Genealogical Societies (IAJGS)
Non-Voting Members: The Association of Professional Genealogists (APG), the Board for Certification of Genealogists (BCG), the American Society of Genealogists (ASG), ProQuest and Ancestry.com
Digital Due Process Coalition
RPAC has joined the Digital Due Process coalition, along with
key technology leaders (Adobe, Apple, Dell, Facebook, Google, HP, IBM, Intel, Microsoft, Oracle, Twitter) as well as
leaders in content (Newspaper Association of America, American Library Association, Association of Research Libraries)
Why This Matters
What we need is a balance between open access and privacy.
As members of the privacy community, we can apply our existing goals: maintaining privacy while retaining open records.
What Can You Do?
Protect Your Data
Protect your data as much as you can.
Post wisely. Don’t post anything on the Internet that would harm you if it were divulged.
Encrypt your most sensitive data.
Clear browser cookies and cache periodically.
Use private browsing when on public computers.
Create strong, unique passwords.
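The last two points, "strong" and "unique", are worth making concrete, because the Dropbox incident above involved passwords stolen from other sites being reused to sign in. The following is an added example, not part of the talk: it generates a passphrase or password with the operating system's cryptographic random source (Python's secrets module, never random), estimates the entropy of what it produced, and reports which sites in a credential list share a password without echoing the passwords themselves. The word list is a constructed placeholder; a real generator would use a large published list such as the EFF long list, which has 7,776 words.

```python
import math
import secrets
import string
from collections import defaultdict

# Constructed sample word list for the demonstration. With 24 words a
# six-word phrase has only ~27.5 bits of entropy; the 7,776-word EFF long
# list gives ~77.5 bits for the same six words.
SAMPLE_WORDS = (
    "acorn", "basket", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "needle", "orchid", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
)

# 26 + 26 + 10 + 32 = 94 printable ASCII characters for random passwords.
SYMBOL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `choices` options."""
    return length * math.log2(choices)


def generate_passphrase(words=SAMPLE_WORDS, n_words: int = 6, sep: str = "-") -> str:
    """Diceware-style passphrase. secrets.choice draws from the CSPRNG."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def generate_password(length: int = 20, alphabet: str = SYMBOL_ALPHABET) -> str:
    """Random password for use with a password manager (not meant to be memorised)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def find_reused(credentials: dict) -> list:
    """Group sites that share one password. Only site names are returned,
    so the report can be shown or logged without revealing any password."""
    by_password = defaultdict(list)
    for site, password in credentials.items():
        by_password[password].append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, f"({entropy_bits(len(SAMPLE_WORDS), 6):.1f} bits with this small list)")
    print(generate_password(), f"({entropy_bits(len(SYMBOL_ALPHABET), 20):.1f} bits)")
    # Constructed credential list: two sites share a password.
    print("reused across:", find_reused({"shop": "hunter2", "mail": "hunter2", "bank": "Tq9!x"}))
```

The entropy figure is the property to watch: six words from a 7,776-word list is about 77 bits, comparable to a 12-character password drawn from all 94 printable characters, and far easier to remember.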
Act Responsibly
Avoid sharing personally identifying information, especially of living or recently deceased persons.
Use privacy filtering and never publish information on living persons without their permission.
Consider creating a public file and a private file if sharing information in genealogical databases, as the filters might not do what you expect.
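What a privacy filter actually does, and where it can surprise you, is easier to see in code. The following is an added example, not from the talk or from any genealogy product: a small GEDCOM filter that produces a public copy of a file. It keeps deceased individuals intact, replaces each living individual with a "Living" placeholder that retains only the family links (so the tree stays connected), and treats anyone with no death event and no usable birth date as living, which is the safe default precisely because incomplete data is where filters "might not do what you expect". The GEDCOM sample, the 110-year presumed-lifespan cutoff and the reference year 2013 are constructed assumptions for the demonstration.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample GEDCOM (no real persons): one deceased, one living,
# one presumed deceased by age, and one with no dates at all.
SAMPLE_GEDCOM = """\
0 HEAD
0 @I1@ INDI
1 NAME Mary /Jones/
1 BIRT
2 DATE 12 MAR 1890
1 DEAT
2 DATE 4 JUL 1960
0 @I2@ INDI
1 NAME Robert /Jones/
1 BIRT
2 DATE 2 FEB 1975
1 FAMC @F1@
0 @I3@ INDI
1 NAME Ann /Smith/
1 BIRT
2 DATE ABT 1900
0 @I4@ INDI
1 NAME Unknown /Doe/
1 FAMC @F1@
0 @F1@ FAM
1 WIFE @I1@
1 CHIL @I2@
1 CHIL @I4@
0 TRLR
"""

LINE_RE = re.compile(r"^(\d+)\s+(?:(@[^@]+@)\s+)?([A-Za-z0-9_]+)(?:\s(.*))?$")
YEAR_RE = re.compile(r"\b(\d{4})\b")
# A parsed line is (level, xref, tag, value); xref is set only on record headers.
Line = Tuple[int, Optional[str], str, str]


def parse_gedcom(text: str) -> List[List[Line]]:
    """Parse GEDCOM lines and group them into level-0 records."""
    records: List[List[Line]] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"malformed GEDCOM line: {raw!r}")
        level, xref, tag, value = m.groups()
        line: Line = (int(level), xref, tag, value or "")
        if line[0] == 0:
            records.append([line])
        elif records:
            records[-1].append(line)
        else:
            raise ValueError("GEDCOM must start with a level-0 record")
    return records


def render(line: Line) -> str:
    level, xref, tag, value = line
    return " ".join(p for p in (str(level), xref, tag, value) if p)


def birth_year(record: List[Line]) -> Optional[int]:
    """Year from the DATE line directly under the BIRT event, if any."""
    in_birt = False
    for level, _, tag, value in record[1:]:
        if level == 1:
            in_birt = tag == "BIRT"
        elif in_birt and tag == "DATE":
            m = YEAR_RE.search(value)
            return int(m.group(1)) if m else None
    return None


def is_living(record: List[Line], reference_year: int, max_age: int = 110) -> bool:
    """Living unless a death event exists or the birth is more than max_age
    years ago. No usable birth date means 'living': the privacy-safe default."""
    if any(level == 1 and tag == "DEAT" for level, _, tag, _ in record[1:]):
        return False
    year = birth_year(record)
    return year is None or reference_year - year < max_age


def redact_living(record: List[Line]) -> List[Line]:
    """Keep the header and family links, replace the name with 'Living',
    and drop every event, date, sex and note line."""
    out = [record[0]]
    for line in record[1:]:
        level, _, tag, _ = line
        if level == 1 and tag == "NAME":
            out.append((1, None, "NAME", "Living"))
        elif level == 1 and tag in ("FAMC", "FAMS"):
            out.append(line)
    return out


def make_public_file(text: str, reference_year: int, max_age: int = 110) -> Tuple[str, List[str]]:
    """Return (public GEDCOM text, xrefs of the individuals that were redacted)."""
    out_lines: List[str] = []
    redacted: List[str] = []
    for rec in parse_gedcom(text):
        _, xref, tag, _ = rec[0]
        if tag == "INDI" and is_living(rec, reference_year, max_age):
            redacted.append(xref)
            rec = redact_living(rec)
        out_lines.extend(render(line) for line in rec)
    return "\n".join(out_lines) + "\n", redacted
```

Run against the sample with a reference year of 2013, @I2@ (born 1975) and @I4@ (no dates) are redacted, while @I1@ (death recorded) and @I3@ (born about 1900, past the cutoff) pass through untouched. Keep the unfiltered file as your private copy and share only the output; if your own software's filter treats undated people as deceased, the public/private split the slide recommends is what catches it.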
Advocate for a Balanced Approach
Learn about the need for balance between privacy and openness in genealogical data.
Share what you learn with your
genealogy society
genealogy software providers
legislators
REFERENCES
References
Digital Data Breach Search Tool: http://www.privacyrights.org/data-breach/new
FAQ Entry on the SSDI https://www.privacyrights.org/fs/fs10-ssn.htm#death
Letter to the House Ways and Means Committee from Leslie Brinkley Lawson, President, Council for the Advancement of Forensic Genealogy http://waysandmeans.house.gov/uploadedfiles/sfr_cafg_ss_2_2_12.pdf
References
BBC, “Dropbox details security breach that caused spam attack” http://www.bbc.co.uk/news/technology-19079353
New York Times, “Researchers Wring Hands as U.S. Clamps Down on Death Record Access” http://www.nytimes.com/2012/10/09/us/social-security-death-record-limits-hinder-researchers.html
Wired, “Zendesk Security Breach Affects Twitter, Tumblr and Pinterest,” http://www.wired.com/threatlevel/2013/02/twitter-tumblr-pinterest/
References
Records Preservation and Access Committee, a joint committee of FGS, NGS, and IAJGS http://www.fgs.org/rpac/
Digital Due Process Coalition http://www.digitaldueprocess.org/
Center for Democracy & Technology https://www.cdt.org/
References
Genealogical Privacy blog http://www.genealogicalprivacy.org/
Electronic Frontier Foundation https://www.eff.org/
Electronic Privacy Information Center http://epic.org/
Forthcoming
Join us in Las Vegas
These slides will be available at
genealogymedia.com/talks
and
slideshare.net/genealogymedia