Is There Any Security In Genealogy Data?

By and large, genealogists are a warm and welcoming group.  In many cases, we are also a trusting group.  Perhaps too trusting.

I continually receive requests from distant cousins to include the names and associated dates of themselves and their families in my online genealogy data.  Oops.  I explain to them why that will never knowingly ever happen.

Most of the requests come through the communications tools on my own hosted site, so they aren’t exposed to normal email traffic servers and the inherent risk of the data being read by anyone along that path.  The data can still be intercepted however, it is just less likely because its routing profile is very low.

I’m not concerned about the requests but rather the fact that they include information on living individuals.  The names are fine but I don’t want the associated birthdates and locations.  I won’t post the names online, but they help me keep my private data organized so I don’t forget how they are related as we work on research together later.

If I wanted their personal information, I’d just go to a site like spokeo.com and find them.  If they haven’t taken the time to remove their information from Spokeo or the other related sites, I’d quickly find far more information about them than just their birthdates. 

Stolen ID

Why am I so sensitive about these requests?  My identity has been stolen three times in as many years all without any fault of my own other than having an account on well-known commercial websites by companies who didn’t carefully protect their data.  My information and that of everyone else in the group had their names, addresses and credit card information served up on the bad-guys market like a new Harry Potter release on Amazon. 

Match that data with info from Spokeo and Whala!, your carefully cultivated perfect financial life is toast.

I won’t include the comments and thoughts from incidences two and three from either my financial institutions or myself, but I’m sure you can fill in representative words and emotions.  I will say that anger rather than the shock and fear felt in the first theft better expresses my response to them.  Oops.

Security

While talking to the security folks at our main bank about the first theft, they offered to help me set up new credentials on the replacement credit card account.  Of course they wanted me to use my mother’s maiden name as my ‘security’ question.  “What?  You just lectured me on being careful using my credit card on the web, even with a major vendor like the one that lost my data and then you ask for my mothers maiden name as protection?  Are you nuts?   Let me show you something…”  After a few minutes and a couple of questions, I showed them their own mothers maiden name and lineage on the monitor on their desk…  Oops..

Next, they would only allow passwords with a maximum of 8-characters on their accounts.  “I must be on Candid Camera.  I wonder if the bank is letting the TV show use their security cameras to catch my reaction?” 

“I’ve been thinking.  I’m going to close my account with you while I’m here today.  Thanks for your help and revealing policies.”

Email Gotcha’s

We all know that anything sent in email might as well be written in the sky by a talented aerial pilot with a stunt plane.  Unless we have encrypted our email and shared an encryption key with the recipient, it is simply open text for any and all stops and snoops along the way.

That even includes law enforcement agencies.  Folks in the U.S. think they have some expectation of privacy in the digital communications.  Hogwash.  Most folks don’t know that by law, under the 1986 Electronic Communications Privacy Act, any email left on a server more than six months is considered to be abandoned and is accessible by authorities without the need for a warrant. 

Add all the snoops, both corporate, email service and bad guys long the way and you have to realize that your email text is about the same as a public blog post.

Don’t include information in unencrypted email that you don’t want the world to see.  Assume that someone is watching your communications.  They are.  Oops.

Facial Recognition

Some of our young friends and extended family members have a penchant for posting their photos online in sites like Facebook and then tagging the names of every individual in them.  Swell.  They just gave up the name and associated facial information of themselves, their kids, their friends and family. 

If you don’t understand how powerful the facial recognition algorithms are that are used by Facebook and in other free commercial software like Picasa, upload photos of your ancestors to your Picasa account, tag the face of grandma in a few photos and then ask Picasa to find her in all of the photos you’ve uploaded.  Oops.

Passwords

How many times do folks have to be told to NOT use the same password for more than one online account?  How many times are they told to only use passwords of thirteen or more random characters utilizing upper and lower case and symbols?  

We seem to hear daily reports of the account information of online sites being hacked resulting in users loosing their login credentials to bad guys.  If the guys in black hats got your credentials that way, hopefully it doesn’t mean that they can subsequently use them to access your other online accounts.  If so, they might as well buy a new computer, television and some music while they are logged in to your Amazon account where you have your credit card information on record. 

Don’t fall into this trap.  Use hard to guess passwords that don’t contain words found in a dictionary.  Manage them with LastPass.  Don’t let your grandchildren embarrass you by showing how easily they can crack your milquetoast strength password.  Oops.

Data Storage Encryption

You are finally backing your data up online in addition to on your external hard drive.  Great!  Did you encrypt it first?  “No”, you say.  “The site / service that I’m using has encrypted it for me.”  Really?   You mean the data you posted on your Dropbox account is secure?  Hogwash.  It may have encryption added to it by them but they have the keys to your jewel box and it can be read by them or any agency that makes a legal request for it. 

Some folks use Dropbox or other similar storage sites as their online hard drive.  They point their genealogy software to the drive letter associated with their online account.  Can you do that?  Yes, you can do that but why?  Do you really want the data on living individuals posted where it is available to others?

Consider not using online sites as working hard drive for your data.  Encrypt your data first with something like TrueCrypt before you upload it to your online storage site.  Let them add their encryption to your already encrypted data.

If you are a U.S. citizen, don’t think that your data has protection under U.S. law when you upload your data to a storage site.  The data may not be stored in the U.S. and hence U.S law has no application at its current residence.

Example.  I shopped for an online host that represented their storage sites were U.S. based.  Maybe they were when they wrote their advertisement but they aren’t now.  I found my data residing on servers in a country with little to no regard for privacy or any protection of security from government and other entities.  Fortunately, I had listened to my own recommendations and no information on living individuals was included in the mix.  Some of it was encrypted here locally before it was uploaded.  Some couldn’t be because it is used on one of my genealogy research sites and my online software can’t read doubly encrypted data, but if the folks looking at it are interested in genealogy in the 1700’s good for them.

Just be aware that the name on the site and any representation of the storage location of your data is just front window dressing.  Don’t be lulled in to complacency with a false sense of security “under the law”.  Data moves around the world at almost the speed of light.  Oops.

Location By Cell Phone

I won’t take the time to talk about the privacy we give up using our smart phones.  Every move of our cell phones has been tracked for years.  By extension, so have you.  You had to know that your cellular company and any government agency with a written request could access your locational and other data anytime without a warrant.  As long as you keep the shiny side up, you should be ok if you want to use these magical devices. 

If your life is on your phone though, be aware that the lock on your diary is open.  Hopefully, you’ll enjoy the limelight when it becomes a best seller.  Oops.

Copyright (c) Lee Drew 2011-05-06 15:38:00
The URL for this post is:
http://www.famhist.us/2011/05/06/is-there-any-security-in-genealogy-data/
Tags:
avatar

About lineagekeeper

Family history research is a favored avenue of relaxation. It is a Sherlock-like activity that can continue almost anywhere at any time. By leveraging a lifetime involvement in technology, my research efforts have resulted in terabytes of ancestral data, earning me the moniker of Lineagekeeper. And yes - We are all related to Royalty.