NGS Luncheon Lecture at RootsTech 2013, Salt Lake City, UT, 23 March 2013. "Internet Privacy and Security Follies and Foibles" covering Digital Due Process
1. Internet Privacy & Security Follies & Foibles
Jordan Jones
NGS Luncheon / RootsTech 2013
Saturday, March 23, 13 1
2. How Many of You Use?
Evernote
Dropbox
Twitter
Google
Facebook
Pinterest
Amazon
Tumblr
Apple
Microsoft
3. How Privacy Can be Breached
The Privacy Rights Clearinghouse categorizes privacy breaches as:
Unintended Disclosure
Hacking or Malware
Payment Card Fraud
Insider
Physical Loss
Portable Device
Stationary Device
Unknown or Other
4. Read It and Weep
In 2011, it was revealed that the iOS and Android apps
of Facebook and Dropbox were accessible to anyone
with physical access to the mobile device ...
... the passwords were in unencrypted text files.
Cause: Unintended Disclosure
5. 4 Hour Free-for-All
June 20, 2011 – Dropbox announced that during a four-hour period ...
... a bug in their authentication software would have
allowed anyone access to any account, without a
password.
Cause: Unintended Disclosure
6. E-mail Switcheroo
August 1, 2012 – Dropbox revealed that someone
hacked into an employee’s account and gained access to
a list of customer e-mail addresses, which were then
spammed.
Additionally, “usernames and passwords stolen from
other sites had also been used to sign in to” Dropbox
accounts.
Cause: Unintended Disclosure / Hacking or Malware
7. The Zen of Hacking
February 21, 2013 – Zendesk was hacked. Customer e-mail
addresses, the subject lines of support e-mail (and
possibly phone numbers) for users of Twitter, Pinterest,
and Tumblr were stolen.
Cause: Hacking or Malware
8. Yes, Microsoft runs Mac OS
February 22, 2013 – Microsoft was hacked. It is unclear
what information if any was stolen. The method was
similar to one recently used successfully against Apple,
Facebook, and Twitter.
A virus was placed on a legitimate website. This
exploited a “zero day” (as yet unknown) security hole
in Java for Mac OS X.
Cause: Hacking or Malware
9. Hacktopia
March 3, 2013 – Evernote was hacked. “User names,
email addresses, and encrypted passwords may have
been exposed.”
“A total of 50 million users were told to reset their
passwords.”
Cause: Hacking or Malware
11. Information Wants to be Free
“On the one hand information wants to be expensive,
because it’s so valuable. The right information in the
right place just changes your life. On the other hand,
information wants to be free, because the cost of getting
it out is getting lower and lower all the time. So you
have these two fighting against each other.”
— Stewart Brand, 1st Hackers Conference, 1984
12. Two Kinds of Freedom
1. Free as in beer
2. Free as in speech
13. Jones’s Corollary to Brand’s Law
“Information is like water; information wants to flow
free.” Thanks to Moore’s law and innovation, it is
constantly getting cheaper and easier for:
You to share data with people
You to accidentally share information with people
Others to share information you gave them, wider
than you wanted
Someone to steal or leak your information
15. Open Access vs. Privacy
Especially since 9/11, federal and state agencies have
been tightening access to public records of interest to
genealogists.
The fact that information wants to flow like water
means anything private and divulged can be
disseminated further than prior to the Internet.
The most obvious example of government tightening
down access to electronic records is the SSDI.
16. SSDI
The Social Security Death Index (SSDI) is based on
the Social Security Administration’s Master Death
File (MDF).
The MDF includes about 90 million names of people
who have died and whose deaths have been reported
to the SSA.
17. Fraud Based on MDF Data
The MDF was released due to a Freedom-of-Information ruling.
It was expected to help combat fraud.
Banks and other creditors could quickly determine
whether the person was dead according to the MDF.
The IRS was apparently not using this method to
check returns and several people had the identities of
their deceased children stolen.
18. Removal of State Records
In the process of looking at the privacy implications
of the MDF / SSDI, the SSA noticed that some state
records were being improperly divulged. As a result:
SSA expunged 4 million records in Nov. 2011
SSA decreased the number of records added
annually by about 1/3 (from 2.8 to 1.8 million)
19. What’s Happening Now
At least four federal bills have been introduced that
would limit access to the MDF / SSDI:
HR 295 “Protect and Save Act of 2013”
HR 466 “Social Security Death Master File Privacy Act of 2013”
HR 531 “Tax Crimes and Identity Theft Prevention”
HR 926 “Social Security Identity Defense Act of 2013”
20. Genealogy Partnerships
Records Preservation and Access Committee
Voting Members: The National Genealogical Society (NGS), the
Federation of Genealogical Societies (FGS) and the International
Association of Jewish Genealogical Societies (IAJGS)
Non-Voting Members: The Association of Professional Genealogists
(APG), the Board for Certification of Genealogists (BCG), the American
Society of Genealogists (ASG), ProQuest and Ancestry.com
21. Digital Due Process Coalition
RPAC has joined the Digital Due Process coalition,
along with
key technology leaders (Adobe, Apple, Dell,
Facebook, Google, HP, IBM, Intel, Microsoft,
Oracle, Twitter) as well as
leaders in content (Newspaper Association of
America, American Library Association,
Association of Research Libraries)
22. Why This Matters
What we need is a balance between open access and
privacy
As members of the privacy community, we can reflect
our existing goals to maintain privacy while retaining
open records
24. Protect Your Data
Protect your data as much as you can.
Post wisely. Don’t post anything on the Internet
that would harm you if it were divulged
Encrypt your most sensitive data.
Clear browser cookies and cache periodically
Use private browsing when on public computers
Create strong, unique passwords
25. Act Responsibly
Avoid sharing personally identifying information,
especially of living or recently deceased persons
Use privacy filtering and never publish
information on living persons without their
permission
Consider creating a public file and a private file if
sharing information in genealogical databases, as
the filters might not do what you expect.
26. Advocate for a Balanced Approach
Learn about the need for balance between privacy
and openness in genealogical data.
Share what you learn with your
genealogy society
genealogy software providers
legislators
28. References
Digital Data Breach Search Tool:
http://www.privacyrights.org/data-breach/new
FAQ Entry on the SSDI
https://www.privacyrights.org/fs/fs10-ssn.htm#death
Letter to the House Ways and Means Committee from Leslie Brinkley
Lawson, President, Council for the Advancement of Forensic Genealogy
http://waysandmeans.house.gov/uploadedfiles/sfr_cafg_ss_2_2_12.pdf
29. References
BBC, “Dropbox details security breach that caused spam attack”
http://www.bbc.co.uk/news/technology-19079353
New York Times, “Researchers Wring Hands as U.S. Clamps Down on Death
Record Access”
http://www.nytimes.com/2012/10/09/us/social-security-death-record-limits-hinder-researchers.html
Wired, “Zendesk Security Breach Affects Twitter, Tumblr and Pinterest,”
http://www.wired.com/threatlevel/2013/02/twitter-tumblr-pinterest/
30. References
Records Preservation and Access Committee
A joint committee of FGS, NGS, and IAJGS
http://www.fgs.org/rpac/
Digital Due Process Coalition
http://www.digitaldueprocess.org/
Center for Democracy & Technology
https://www.cdt.org/
31. References
Genealogical Privacy blog
http://www.genealogicalprivacy.org/
Electronic Freedom Foundation
https://www.eff.org/
Electronic Privacy Information Center
http://epic.org/