Internet Privacy and Security Follies and Foibles


NGS Luncheon Lecture at RootsTech 2013, Salt Lake City, UT, 23 March 2013. "Internet Privacy and Security Follies and Foibles", covering Digital Due Process.


Internet Privacy and Security Follies and Foibles

  1. Internet Privacy & Security Follies & Foibles. Jordan Jones, NGS Luncheon / RootsTech 2013. Saturday, March 23, 13
  2. How Many of You Use? Evernote, Pinterest, Dropbox, Amazon, Twitter, Tumblr, Google, Apple, Facebook, Microsoft
  3. How Privacy Can Be Breached. The Privacy Rights Clearinghouse categorizes privacy breaches as:
    • Unintended Disclosure
    • Portable Device
    • Hacking or Malware
    • Stationary Device
    • Payment Card Fraud
    • Unknown or Other
    • Insider
    • Physical Loss
  4. Read It and Weep. In 2011, it was revealed that the iOS and Android apps of Facebook and Dropbox were accessible to anyone with physical access to the mobile device: the passwords were in unencrypted text files. Cause: Unintended Disclosure
  5. 4 Hour Free-for-All. June 20, 2011: Dropbox announced that during a four-hour period, a bug in their authentication software would have allowed anyone access to any account, without a password. Cause: Unintended Disclosure
  6. E-mail Switcheroo. August 1, 2012: Dropbox revealed that someone hacked into an employee’s account and gained access to a list of customer e-mail addresses, which were then spammed. Additionally, “usernames and passwords stolen from other sites had also been used to sign in to” Dropbox accounts. Cause: Unintended Disclosure / Hacking or Malware
  7. The Zen of Hacking. February 21, 2013: Zendesk was hacked. Customer e-mail addresses, the subject lines of support e-mail (and possibly phone numbers) for users of Twitter, Pinterest, and Tumblr were stolen. Cause: Hacking or Malware
  8. Yes, Microsoft Runs Mac OS. February 22, 2013: Microsoft was hacked. It is unclear what information, if any, was stolen. The method was similar to one recently used successfully against Apple, Facebook, and Twitter: a virus was placed on a legitimate website, which exploited a “zero day” (as yet unknown) security hole in Java for Mac OS X. Cause: Hacking or Malware
  9. Hacktopia. March 3, 2013: Evernote was hacked. “User names, email addresses, and encrypted passwords may have been exposed.” “A total of 50 million users were told to reset their passwords.” Cause: Hacking or Malware
  10. Information Wants to Be Free
  11. Information Wants to Be Free. “On the one hand information wants to be expensive, because it’s so valuable. The right information in the right place just changes your life. On the other hand, information wants to be free, because the cost of getting it out is getting lower and lower all the time. So you have these two fighting against each other.” — Stewart Brand, 1st Hackers Conference, 1984
  12. Two Kinds of Freedom. 1. Free as in beer. 2. Free as in speech.
  13. Jones’s Corollary to Brand’s Law. “Information is like water; information wants to flow free.” Thanks to Moore’s law and innovation, it is constantly getting cheaper and easier for:
    • You to share data with people
    • You accidentally to share information with people
    • Others to share information you gave them, wider than you wanted
    • Someone to steal or leak your information
  14. Consequences for Records Access of Jones’s Corollary
  15. Open Access vs. Privacy. Especially since 9/11, federal and state agencies have been tightening access to public records of interest to genealogists. The fact that information wants to flow like water means anything private and divulged can be disseminated further than was possible before the Internet. The most obvious example of government tightening down access to electronic records is the SSDI.
  16. SSDI. The Social Security Death Index (SSDI) is based on the Social Security Administration’s Master Death File (MDF). The MDF includes about 90 million names of people who have died and whose deaths have been reported to the SSA.
  17. Fraud Based on MDF Data. The MDF was released due to a Freedom-of-Information ruling. It was expected to help combat fraud: banks and other creditors could quickly determine whether a person was dead according to the MDF. The IRS was apparently not using this method to check returns, and several people had the identities of their deceased children stolen.
  18. Removal of State Records. In the process of looking at the privacy implications of the MDF / SSDI, the SSA noticed that some state records were being improperly divulged. As a result:
    • SSA expunged 4 million records in Nov. 2011
    • SSA decreased the number of records added annually by about 1/3 (from 2.8 to 1.8 million)
  19. What’s Happening Now. At least four federal bills have been introduced that would limit access to the MDF / SSDI:
    • HR 295 “Protect and Save Act of 2013”
    • HR 466 “Social Security Death Master File Privacy Act of 2013”
    • HR 531 “Tax Crimes and Identity Theft Prevention”
    • HR 926 “Social Security Identity Defense Act of 2013”
  20. Genealogy Partnerships. Records Preservation and Access Committee. Voting Members: The National Genealogical Society (NGS), the Federation of Genealogical Societies (FGS) and the International Association of Jewish Genealogical Societies (IAJGS). Non-Voting Members: The Association of Professional Genealogists (APG), the Board for Certification of Genealogists (BCG), the American Society of Genealogists (ASG), ProQuest and Ancestry.com
  21. Digital Due Process Coalition. RPAC has joined the Digital Due Process coalition, along with key technology leaders (Adobe, Apple, Dell, Facebook, Google, HP, IBM, Intel, Microsoft, Oracle, Twitter) as well as leaders in content (Newspaper Association of America, American Library Association, Association of Research Libraries).
  22. Why This Matters. What we need is a balance between open access and privacy. As members of the privacy community, we can reflect our existing goals to maintain privacy while retaining open records.
  23. What Can You Do?
  24. Protect Your Data. Protect your data as much as you can.
    • Post wisely. Don’t post anything on the Internet that would harm you if it were divulged
    • Encrypt your most sensitive data
    • Clear browser cookies and cache periodically
    • Use private browsing when on public computers
    • Create strong, unique passwords
  25. Act Responsibly.
    • Avoid sharing personally identifying information, especially of living or recently deceased persons
    • Use privacy filtering and never publish information on living persons without their permission
    • Consider creating a public file and a private file if sharing information in genealogical databases, as the filters might not do what you expect
  26. Advocate for a Balanced Approach. Learn about the need for balance between privacy and openness in genealogical data. Share what you learn with:
    • your genealogy society
    • genealogy software providers
    • legislators
  27. References
  28. References
    • Digital Data Breach Search Tool
    • FAQ Entry on the SSDI
    • Letter to the House Ways and Means Committee from Leslie Brinkley Lawson, President, Council for the Advancement of Forensic Genealogy
  29. References
    • BBC, “Dropbox details security breach that caused spam attack” http://
    • New York Times, “Researchers Wring Hands as U.S. Clamps Down on Death Record Access” limits-hinder-researchers.html
    • Wired, “Zendesk Security Breach Affects Twitter, Tumblr and Pinterest”
  30. References
    • Records Preservation and Access Committee, a joint committee of FGS, NGS, and IAJGS
    • Digital Due Process Coalition
    • Center for Democracy & Technology
  31. References
    • Genealogical Privacy blog
    • Electronic Freedom Foundation
    • Electronic Privacy Information Center
  32. Forthcoming
  33. Join us in Las Vegas
  34. These slides will be available at and