A few of my friends on Twitter alerted me to FamilyTreeNow in the past week. When they searched their names on the site, they were able to find, in the span of just a few clicks, their name, their current address, and even names of not only their parents, siblings, and relatives, but also current and former employers and coworkers.
FamilyTreeNow seems like a perfectly innocuous genealogy service. But what has people alarmed about this website isn’t its records of the past—its census records, birth records, death records, and marriage and divorce records, all available for free, date back to 1790—but rather its records of the present. This site takes records that usually take a lot of legwork to get and serves them up to you in less than a minute.
This might not seem as scary to some people as it might be to others. But it should be cause for concern to everybody. There are very good reasons why this service made alarm bells ring in the heads of people I knew, from long-distance friends on Twitter to some of my coworkers here at Gillware.
This isn’t the first time a genealogy website has put people’s personally identifiable information at risk, and far from the most egregious example. Ancestry.com came under fire as recently as 2015 for showing individuals’ social security numbers. At the very least MyFamilyTree seems to steer clear of sharing your SSN. But even the information FamilyTreeNow does provide may be cause for alarm. As an IT provider, it is your job to keep your clients safe. That includes paying attention to IT security issues as well as your other duties.
For starters, being able to pull up someone’s current address and other personal information so easily is an identity thief’s dream come true. It’s not giving them the keys to your bank account, of course. But information like this can be used in service of nefarious social engineering tactics such as phishing to obtain even more personal information about you. By exploiting personally identifiable information (which far more readily available online than you might think) identity thieves can make out like bandits at your expense—and in your name.
Sit down with your clients and have a good talk about these kinds of issues to prevent security breaches and IT disasters. Not only will it keep them safe, but having this conversation will also help you build a rapport with your clients and strengthen your bond with them—and that’s always a good thing.
Many people choose easy-to-remember passwords for both work and personal life. When people need easy-to-remember passwords, they turn to things like the names of their children, the street they grew up on, their date of birth… all things somebody can potentially glean from a website like FamilyTreeNow. A brute force dictionary attack to “guess” a password that would have taken billions of attempts now takes significantly less attempts to crack. A malefactor can also use this information to crack security questions, which tend to use topics such as your childhood home’s street name, or your mother’s maiden name.
Advise your clients on making good, difficult-to-guess passwords for their networks at work and even their accounts at home. An easy way to make your passwords truly secure is to use a password manager with powerful password generation features. Here at Gillware, we highly recommend KeePass (I use it at home for all of my password-related needs). KeePass not only allows you to store and keep track of all your passwords in a secure, highly-encrypted database. It also allows you to randomly generate much stronger passwords than you could come up with on your own.
You can also talk to your clients about two-factor authentication, for when a password isn’t enough to keep your data safe. Two-factor and multi-factor authentication has been around for a long time. However, over the past few years it has gotten increasingly easier to implement. The more sensitive data your client deals with, the more important having multi-factor authentication systems in place is.
There are other dangers associated with having your home address so easily accessible on the internet. It’s a great boon to stalkers, and can also make it easier for people seeking to dredge up and publish personal information on people they dislike and wish to harm—a practice known as “doxing”. Over the years, doxing has become an especially salient concern to people in online activist circles and among those who speak out on controversial or sensitive topics online. That abusive ex you traveled across a state line or three to escape? He knows where you live now. Those Twitter trolls harassing you for criticizing their favorite video game? If they can dredge up your name, now they can send their death threats and rape threats directly to your home! This, of course, may not be your clients’ biggest concern, depending on their wheelhouse.
Now, to be fair, FamilyTreeNow is certainly not some all-encompassing and omniscient system straight out of an Orwellian dystopia. When I searched for my own name, the site only had the address of my parents’ home in Michigan. Others didn’t share my luck. I could find frighteningly up-to-date information on some other people I knew, including coworkers. What still unnerved me about my information, though, was that I could find myself so easily on the site—including my childhood home in Michigan, even though they didn’t have my current address—just by putting in my first and last name and my current (Wisconsin) zip code.
Even the sparse records FamilyTreeNow had on me were just a bit too close for comfort for me, though. Fortunately, FamilyTreeNow makes it very easy to “opt out” and erase your data from their site. At the very least, you should look at what information FamilyTreeNow and other genealogy websites are sharing about you. Some sites only share information on deceased persons, but others like FamilyTreeNow share data on the living as well. Think about whether you’re comfortable with that information being so freely available.
To opt out of FamilyTreeNow, simply visit www.familytreenow.com/optout and begin the opt-out procedure. After running a search on the site and finding yourself, you need simply press the big red “Opt Out” button. FamilyTreeNow should delete all your information within 48 hours, so double-check after a day or two to make sure you’ve been removed.
It bears repeating that the creators of FamilyTreeNow are simply running a genealogy website. Of course, they don’t intend for any of the services they provide to be misused. It seems this is a common oversight of genealogy websites. How much information is too much information? The threats of identity theft, stalking, and doxing probably never once crossed the creators’ minds.
But therein lies the danger. Technology is value-neutral. A tool is only as moral as the person using it. A gun doesn’t care whether the person holding it is a burglar or a homeowner. A plutonium rod does not care if it lives inside a nuclear power plant or an atom bomb.
In this Internet age, we have created ever more tools and services to add convenience to our lives. But all too often the thought of how these tools can be misused just doesn’t cross our minds. Your IoT-enabled smoothie maker communicates via Wi-Fi to make your life easier! But it also can end up participating in a botnet that DDOSes half the Internet. The Internet has vastly expanded human potential to levels unforeseen in human history. A “shot heard ‘round the world” now moves at the speed of light. Before we create a new product or service or social media outlet, we should think just as carefully about its potential to hurt as we do about its potential to help.
Until then, however, it’s up to us to be mindful of the potential security issues out there. Taking five or ten minutes to sit down with your client for a brief chat about IT security can make all the difference.