NGS Luncheon Lecture at RootsTech 2013, Salt Lake City, UT, 23 March 2013. "Internet Privacy and Security Follies and Foibles" covering Digital Due Process
Internet Privacy and Security Follies and Foibles
1. Internet Privacy & Security Follies & Foibles
Jordan Jones
NGS Luncheon / RootsTech 2013
Saturday, March 23, 13 1
2. How Many of You Use?
Evernote
Dropbox
Twitter
Google
Facebook
Pinterest
Amazon
Tumblr
Apple
Microsoft
3. How Privacy Can be Breached
The Privacy Rights Clearinghouse categorizes privacy breaches as:
Unintended Disclosure
Hacking or Malware
Payment Card Fraud
Insider
Physical Loss
Portable Device
Stationary Device
Unknown or Other
4. Read It and Weep
In 2011, it was revealed that the iOS and Android apps of Facebook and Dropbox were accessible to anyone with physical access to the mobile device ...
... the passwords were in unencrypted text files.
Cause: Unintended Disclosure
5. 4 Hour Free-for-All
June 20, 2011 — Dropbox announced that during a four-hour period ...
... a bug in their authentication software would have allowed anyone access to any account, without a password.
Cause: Unintended Disclosure
6. E-mail Switcheroo
August 1, 2012 — Dropbox revealed that someone hacked into an employee's account and gained access to a list of customer e-mail addresses, which were then spammed.
Additionally, "usernames and passwords stolen from other sites had also been used to sign in to" Dropbox accounts.
Cause: Unintended Disclosure / Hacking or Malware
7. The Zen of Hacking
February 21, 2013 — Zendesk was hacked. Customer e-mail addresses, the subject lines of support e-mail (and possibly phone numbers) for users of Twitter, Pinterest, and Tumblr were stolen.
Cause: Hacking or Malware
8. Yes, Microsoft runs Mac OS
February 22, 2013 — Microsoft was hacked. It is unclear what information, if any, was stolen. The method was similar to one recently used successfully against Apple, Facebook, and Twitter.
A virus was placed on a legitimate website. This exploited a "zero day" (as yet unknown) security hole in Java for Mac OS X.
Cause: Hacking or Malware
9. Hacktopia
March 3, 2013 — Evernote was hacked. "User names, email addresses, and encrypted passwords may have been exposed."
"A total of 50 million users were told to reset their passwords."
Cause: Hacking or Malware
11. Information Wants to be Free
"On the one hand information wants to be expensive, because it's so valuable. The right information in the right place just changes your life. On the other hand, information wants to be free, because the cost of getting it out is getting lower and lower all the time. So you have these two fighting against each other."
— Stewart Brand, 1st Hackers Conference, 1984
12. Two Kinds of Freedom
1. Free as in beer
2. Free as in speech
13. Jones's Corollary to Brand's Law
"Information is like water; information wants to flow free." Thanks to Moore's law and innovation, it is constantly getting cheaper and easier for:
You to share data with people
You accidentally to share information with people
Others to share information you gave them, wider than you wanted
Someone to steal or leak your information
15. Open Access vs. Privacy
Especially since 9/11, federal and state agencies have been tightening access to public records of interest to genealogists.
The fact that information wants to flow like water means anything private and divulged can be disseminated further than prior to the Internet.
The most obvious example of government tightening down access to electronic records is the SSDI.
16. SSDI
The Social Security Death Index (SSDI) is based on the Social Security Administration's Master Death File (MDF).
The MDF includes about 90 million names of people who have died and whose deaths have been reported to the SSA.
17. Fraud Based on MDF Data
The MDF was released due to a Freedom-of-Information ruling.
It was expected to help combat fraud.
Banks and other creditors could quickly determine whether the person was dead according to the MDF.
The IRS was apparently not using this method to check returns, and several people had the identities of their deceased children stolen.
18. Removal of State Records
In the process of looking at the privacy implications of the MDF / SSDI, the SSA noticed that some state records were being improperly divulged. As a result:
SSA expunged 4 million records in Nov. 2011
SSA decreased the number of records added annually by about 1/3 (from 2.8 to 1.8 million)
19. What's Happening Now
At least four federal bills have been introduced that would limit access to the MDF / SSDI:
HR 295 "Protect and Save Act of 2013"
HR 466 "Social Security Death Master File Privacy Act of 2013"
HR 531 "Tax Crimes and Identity Theft Prevention"
HR 926 "Social Security Identity Defense Act of 2013"
20. Genealogy Partnerships
Records Preservation and Access Committee
Voting Members: The National Genealogical Society (NGS), the Federation of Genealogical Societies (FGS) and the International Association of Jewish Genealogical Societies (IAJGS)
Non-Voting Members: The Association of Professional Genealogists (APG), the Board for Certification of Genealogists (BCG), the American Society of Genealogists (ASG), ProQuest and Ancestry.com
21. Digital Due Process Coalition
RPAC has joined the Digital Due Process coalition, along with
key technology leaders (Adobe, Apple, Dell, Facebook, Google, HP, IBM, Intel, Microsoft, Oracle, Twitter) as well as
leaders in content (Newspaper Association of America, American Library Association, Association of Research Libraries)
22. Why This Matters
What we need is a balance between open access and privacy
As members of the privacy community, we can reflect our existing goals to maintain privacy while retaining open records
24. Protect Your Data
Protect your data as much as you can.
Post wisely. Don't post anything on the Internet that would harm you if it were divulged
Encrypt your most sensitive data.
Clear browser cookies and cache periodically
Use private browsing when on public computers
Create strong, unique passwords
25. Act Responsibly
Avoid sharing personally identifying information, especially of living or recently deceased persons
Use privacy filtering and never publish information on living persons without their permission
Consider creating a public file and a private file if sharing information in genealogical databases, as the filters might not do what you expect.
26. Advocate for a Balanced Approach
Learn about the need for balance between privacy and openness in genealogical data.
Share what you learn with your
genealogy society
genealogy software providers
legislators
28. References
Digital Data Breach Search Tool:
http://www.privacyrights.org/data-breach/new
FAQ Entry on the SSDI
https://www.privacyrights.org/fs/fs10-ssn.htm#death
Letter to the House Ways and Means Committee from Leslie Brinkley Lawson, President, Council for the Advancement of Forensic Genealogy
http://waysandmeans.house.gov/uploadedfiles/sfr_cafg_ss_2_2_12.pdf
29. References
BBC, "Dropbox details security breach that caused spam attack"
http://www.bbc.co.uk/news/technology-19079353
New York Times, "Researchers Wring Hands as U.S. Clamps Down on Death Record Access"
http://www.nytimes.com/2012/10/09/us/social-security-death-record-limits-hinder-researchers.html
Wired, "Zendesk Security Breach Affects Twitter, Tumblr and Pinterest,"
http://www.wired.com/threatlevel/2013/02/twitter-tumblr-pinterest/
30. References
Records Preservation and Access Committee
A joint committee of FGS, NGS, and IAJGS
http://www.fgs.org/rpac/
Digital Due Process Coalition
http://www.digitaldueprocess.org/
Center for Democracy & Technology
https://www.cdt.org/
31. References
Genealogical Privacy blog
http://www.genealogicalprivacy.org/
Electronic Frontier Foundation
https://www.eff.org/
Electronic Privacy Information Center
http://epic.org/