
Internet Privacy and Security Follies and Foibles

NGS Luncheon Lecture at RootsTech 2013, Salt Lake City, UT, 23 March 2013. "Internet Privacy and Security Follies and Foibles", covering Digital Due Process

Page 1: Internet Privacy and Security Follies and Foibles

Internet Privacy & Security Follies & Foibles

Jordan Jones NGS Luncheon / RootsTech 2013

Saturday, March 23, 2013


How Many of You Use?

Evernote

Dropbox

Twitter

Google

Facebook

Pinterest

Amazon

Tumblr

Apple

Microsoft


How Privacy Can be Breached

The Privacy Rights Clearinghouse categorizes privacy breaches as:

Unintended Disclosure

Hacking or Malware

Payment Card Fraud

Insider

Physical Loss

Portable Device

Stationary Device

Unknown or Other


Read It and Weep

In 2011, it was revealed that the accounts behind the iOS and Android apps of Facebook and Dropbox could be taken over by anyone with physical access to the mobile device ...

... the apps stored their login credentials in unencrypted plain-text files, so whoever could read the file could sign in as the owner without ever learning the password.

Cause: Unintended Disclosure


4 Hour Free-for-All

June 20, 2011 – Dropbox announced that during a four-hour period ...

... a bug in their authentication software would have allowed anyone access to any account, without knowing the password: the login check accepted any password at all.

Cause: Unintended Disclosure
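A login check that accepts any password is the kind of defect a pre-release test catches only if the test includes negative cases, not just "the right password works". The following is an added example for this deck, not Dropbox's code (the page does not say what their bug actually was): a standard-library Python password check that fails closed, with a self-test proving that wrong, empty and malformed credentials are rejected. The function names make_record, verify_password and authentication_self_test are assumptions made for the illustration.

```python
"""Password verification that fails closed, plus the negative self-test a
four-hour "any password works" bug would have tripped before release.

Added illustration for this deck; not Dropbox's code and not a description
of their bug. Function names are assumptions; only the standard library is
used.
"""
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2 work factor; raise it as hardware gets faster.
ITERATIONS = 200_000


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Derive a salted hash to store instead of the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash for the candidate and compare in constant time.

    Anything unexpected (missing fields, wrong types, bad iteration count)
    returns False: an authentication check must fail closed, never open.
    """
    try:
        salt = record["salt"]
        stored = record["hash"]
        iterations = int(record["iterations"])
    except (KeyError, TypeError, ValueError):
        return False
    if not isinstance(candidate, str) or iterations < 1:
        return False
    computed = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    # hmac.compare_digest does not leak where the first differing byte is.
    return hmac.compare_digest(computed, stored)


def authentication_self_test() -> bool:
    """The deploy-time check: the correct password must pass AND every
    wrong, empty, trailing-space and malformed input must fail.

    Proving only the positive case is what lets an "accept anything"
    regression ship.
    """
    record = make_record("correct horse battery staple")
    return (
        verify_password(record, "correct horse battery staple") is True
        and verify_password(record, "") is False
        and verify_password(record, "wrong password") is False
        and verify_password(record, "correct horse battery staple ") is False
        and verify_password({}, "anything") is False
    )


if __name__ == "__main__":
    print("authentication self-test:", "PASS" if authentication_self_test() else "FAIL")
```

The self-test is the part worth copying: run it as a gate on every deploy of the login path, so that a change which makes verification always succeed fails the build instead of going live.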


E-mail Switcheroo

August 1, 2012 – Dropbox revealed that someone had broken into an employee’s account and gained access to a document containing a list of customer e-mail addresses, which were then spammed.

Additionally, “usernames and passwords stolen from other sites had also been used to sign in to” Dropbox accounts: the attackers simply reused credentials leaked elsewhere, which works against anyone who uses the same password on more than one site.

Cause: Unintended Disclosure / Hacking or Malware


The Zen of Hacking

February 21, 2013 – Zendesk, which runs customer-support systems for other companies, was hacked. Customer e-mail addresses, the subject lines of support e-mail (and possibly phone numbers) for users of Twitter, Pinterest, and Tumblr were stolen. None of the three services was itself broken into; their users’ data was exposed through a supplier they had handed it to.

Cause: Hacking or Malware


Yes, Microsoft runs Mac OS

February 22, 2013 – Microsoft was hacked. It is unclear what information, if any, was stolen. The method was similar to one recently used successfully against Apple, Facebook, and Twitter.

Malicious code was planted on a legitimate website that software developers visit (a “watering hole” attack). It exploited a “zero day” (as yet unknown and unpatched) security hole in the Java browser plug-in for Mac OS X, so merely viewing the page with Java enabled was enough to infect the machine.

Cause: Hacking or Malware


Hacktopia

March 3, 2013 – Evernote was hacked. “User names, email addresses, and encrypted passwords may have been exposed.” (Evernote said the stored passwords were hashed and salted rather than readable, but a stolen hash can still be cracked offline, which is why a reset was required.)

“A total of 50 million users were told to reset their passwords.”

Cause: Hacking or Malware


Information Wants to Be Free


Information Wants to be Free

“On the one hand information wants to be expensive, because it’s so valuable. The right information in the right place just changes your life. On the other hand, information wants to be free, because the cost of getting it out is getting lower and lower all the time. So you have these two fighting against each other.”

— Stewart Brand, 1st Hackers Conference, 1984


Two Kinds of Freedom

1. Free as in beer

2. Free as in speech


Jones’s Corollary to Brand’s Law

“Information is like water; information wants to flow free.” Thanks to Moore’s law and innovation, it is constantly getting cheaper and easier for:

You to share data with people

You to accidentally share information with people

Others to share information you gave them more widely than you wanted

Someone to steal or leak your information


Consequences for Records Access of Jones’s Corollary


Open Access vs. Privacy

Especially since 9/11, federal and state agencies have been tightening access to public records of interest to genealogists.

Because information wants to flow like water, anything private that is divulged can now be disseminated far more widely than it could before the Internet.

The most obvious example of government tightening access to electronic records is the SSDI.


SSDI

The Social Security Death Index (SSDI) is an index built from the Social Security Administration’s Death Master File (referred to here as the MDF).

The MDF contains about 90 million records of people who have died and whose deaths have been reported to the SSA.


Fraud Based on MDF Data

The MDF was made public as the result of a Freedom of Information Act ruling.

It was expected to help combat fraud:

banks and other creditors could quickly check whether a person applying for credit was listed as dead in the MDF.

The IRS, however, was apparently not using the file to check tax returns, and several families had the identities of their deceased children stolen and used to file fraudulent returns.


Removal of State Records

While looking at the privacy implications of the MDF / SSDI, the SSA noticed that some state-supplied death records were being improperly divulged. As a result:

SSA expunged about 4 million records in Nov. 2011

SSA cut the number of records added annually by about one third (from 2.8 million to 1.8 million)


What’s Happening Now

At least four federal bills have been introduced in the current (113th) Congress that would limit access to the MDF / SSDI:

HR 295 “Protect and Save Act of 2013”

HR 466 “Social Security Death Master File Privacy Act of 2013”

HR 531 “Tax Crimes and Identity Theft Prevention Act”

HR 926 “Social Security Identity Defense Act of 2013”


Genealogy Partnerships

Records Preservation and Access Committee

Voting Members: The National Genealogical Society (NGS), the Federation of Genealogical Societies (FGS) and the International Association of Jewish Genealogical Societies (IAJGS)

Non-Voting Members: The Association of Professional Genealogists (APG), the Board for Certification of Genealogists (BCG), the American Society of Genealogists (ASG), ProQuest and Ancestry.com


Digital Due Process Coalition

RPAC has joined the Digital Due Process coalition, alongside

key technology companies (Adobe, Apple, Dell, Facebook, Google, HP, IBM, Intel, Microsoft, Oracle, Twitter) and

content and library organizations (Newspaper Association of America, American Library Association, Association of Research Libraries)


Why This Matters

What we need is a balance between open access and privacy.

As members of the privacy community, we can pursue our existing goals: maintain privacy while keeping records open.


What Can You Do?


Protect Your Data

Protect your data as much as you can.

Post wisely. Don’t post anything on the Internet that would harm you if it were divulged.

Encrypt your most sensitive data.

Clear browser cookies and cache periodically.

Use private browsing when on public computers.

Create strong, unique passwords. A different password for every site means a breach at one service (as in the Dropbox spam incident above) cannot be used to sign in anywhere else.
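For the last item, “strong” and “unique” both have a measurable meaning: strength is the number of equally likely possibilities an attacker has to try, and uniqueness is what stops a password stolen from one site being replayed at another. The following Python is an added example, not from the deck or any password manager: it generates passwords from the operating system’s random source, computes their entropy in bits, and flags passwords reused across sites. The function names, the SAMPLE_WORDS list and the sample credential set are constructed for the illustration.

```python
"""Generating strong, unique passwords and measuring how strong they are.

Added illustration for the "Protect Your Data" advice; not from the deck.
Function names, the word list and the sample credentials are constructed.
Only the Python standard library is used.
"""
import math
import secrets
import string

# A real passphrase generator draws from a list of thousands of words. This
# constructed 12-word list only shows the mechanics, so its entropy is low.
SAMPLE_WORDS = ["ancestor", "census", "parish", "ledger", "marriage", "orchard",
                "pioneer", "steamship", "homestead", "baptism", "register", "county"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols each drawn uniformly at random
    from `alphabet_size` possibilities: length * log2(alphabet_size)."""
    if alphabet_size < 2 or length < 1:
        return 0.0
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16) -> str:
    """Random password over letters, digits and punctuation (94 symbols).

    `secrets` uses the OS random source; the `random` module is predictable
    and must never be used for passwords or keys.
    """
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(word_count: int = 6, words=SAMPLE_WORDS) -> str:
    """Random words joined by spaces: easier to remember than symbols, and
    strong enough once the list is large and the count is six or more."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


def reused_passwords(credentials: dict) -> dict:
    """Map each password used on more than one site to the sites using it.

    `credentials` is {site: password}. Every entry returned is a password
    that a breach at one of those sites lets an attacker try at the others.
    """
    by_password: dict = {}
    for site, password in credentials.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    print("16 random printable characters: %.0f bits" % entropy_bits(94, 16))
    print("6 words from a 7776-word list:  %.0f bits" % entropy_bits(7776, 6))
    print("6 words from the 12-word sample: %.0f bits" % entropy_bits(len(SAMPLE_WORDS), 6))
    print("password:  ", generate_password())
    print("passphrase:", generate_passphrase())
    # Constructed sample vault: the same password on three sites is reuse.
    sample = {"dropbox": "Tr0ub4dor&3", "evernote": "Tr0ub4dor&3",
              "bank": "4u7Vn!pQ2sL#x9Re", "forum": "Tr0ub4dor&3"}
    print("reused:", reused_passwords(sample))
```

The 7776-word figure is the size of a standard Diceware list: six words from it give about 78 bits, sixteen random printable characters about 105 bits, and six words from the 12-word sample list only about 22 bits, which is why a passphrase generator needs a long list. The entropy figures assume the symbols really are chosen at random; a password a person invents is far weaker than its length suggests.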


Act Responsibly

Avoid sharing personally identifying information, especially of living or recently deceased persons.

Use privacy filtering, and never publish information on living persons without their permission.

If you share information in genealogical databases, consider keeping a separate public file and private file, because the privacy filters might not do what you expect.


Advocate for a Balanced Approach

Learn about the need for balance between privacy and openness in genealogical data.

Share what you learn with your

genealogy society

genealogy software providers

legislators


REFERENCES


References

Privacy Rights Clearinghouse, Digital Data Breach Search Tool: http://www.privacyrights.org/data-breach/new

Privacy Rights Clearinghouse, FAQ entry on the SSDI: https://www.privacyrights.org/fs/fs10-ssn.htm#death

Letter to the House Ways and Means Committee from Leslie Brinkley Lawson, President, Council for the Advancement of Forensic Genealogy: http://waysandmeans.house.gov/uploadedfiles/sfr_cafg_ss_2_2_12.pdf


References

BBC, “Dropbox details security breach that caused spam attack”: http://www.bbc.co.uk/news/technology-19079353

New York Times, “Researchers Wring Hands as U.S. Clamps Down on Death Record Access”: http://www.nytimes.com/2012/10/09/us/social-security-death-record-limits-hinder-researchers.html

Wired, “Zendesk Security Breach Affects Twitter, Tumblr and Pinterest”: http://www.wired.com/threatlevel/2013/02/twitter-tumblr-pinterest/


References

Records Preservation and Access Committee (RPAC), a joint committee of FGS, NGS, and IAJGS: http://www.fgs.org/rpac/

Digital Due Process Coalition: http://www.digitaldueprocess.org/

Center for Democracy & Technology: https://www.cdt.org/


References

Genealogical Privacy blog: http://www.genealogicalprivacy.org/

Electronic Frontier Foundation: https://www.eff.org/

Electronic Privacy Information Center: http://epic.org/


Forthcoming


Join us in Las Vegas


These slides will be available at

genealogymedia.com/talks

and

slideshare.net/genealogymedia
