Kira and I recently tried to join a group that gathers regularly for events after a recommendation from a friend. In their rules on how to join they state that they “take [their] members’ safety, privacy, and freedom […] very seriously!” Yet when I reached out to them we discovered that their practices actually put their members’ identities in danger of being compromised.
The information they keep for each member is:
- legal name
- identity name to call you (handle, alter-ego, avatar/character name)
They require this information from anyone who joins before they attend. Since we would have to travel a distance to attend, meeting in person was not an option. In this scenario they direct potential members to send them an email with their legal name and identity name.
Kira and I maintain multiple identities for different contexts. Whether you are aware of it or not, you most likely use multiple identities as well. You act differently in different contexts depending on when you are with your friends, family, work, school, or group of hobbyists. Kira and I take this a step further and protect each of our identities by creating different email addresses, usernames, and accounts for each; and we’re careful about who we give information to that can compromise our identities, like our legal names.
Most email is not sent with end-to-end encryption. The type of encryption typically used only protects you from someone eavesdropping on your network traffic, but your email can still be opened by the servers that pass it along. You can imagine sending email like sending a postcard. The mail slot protects the postcard from getting stolen or read by just anyone, but the post office and the mail carriers handling it can read it. However, email is much worse since messages can be easily copied and searched, and they are often stored indefinitely. There is also no guarantee that when you delete an email from your trash it is actually deleted, because at the scale big providers operate it is more economical for them to just delete the reference to it.
In short, emailing our legal names together with our alternate identities would compromise our identities. There would be no way for us or the intended recipients to guarantee that they are the only ones with access to that information. There are two ways to solve this:
- Communicate the information in person.
- Use end-to-end encryption.
End-to-end encryption simply means that the message stays encrypted from the moment it leaves my end until it reaches the intended recipient, who is the only one able to read it. The services handling the message cannot read it. GPG/PGP allows you to send and receive end-to-end encrypted emails using your existing email services. It can also encrypt ordinary files and text.
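To make this concrete, here is an added example (not from the original post) of using GPG to encrypt a member record to an organizer's public key, check that the ciphertext carries none of the plaintext, and decrypt it again; the organizer key, the addresses and the member data are all constructed for the demonstration, and it assumes GnuPG 2.1 or later is installed.

```shell
#!/bin/sh
# Added example: encrypt a member record so that only the holder of the organizer's
# private key can read it, even if every mail server in between keeps a copy.
# The key, user id and member record below are constructed for this demonstration.
set -eu

# Throw-away keyring so nothing touches the real ~/.gnupg.
export GNUPGHOME="$(mktemp -d)"
trap 'rm -rf "$GNUPGHOME"' EXIT
chmod 700 "$GNUPGHOME"

# Hypothetical organizer key. In practice the organizer generates this once and
# shares only the public half with prospective members.
ORGANIZER='Group Organizer <organizer@example.invalid>'
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$ORGANIZER" default default never

# Constructed member record of the kind the post describes (legal name + handle).
RECORD="$GNUPGHOME/member.txt"
printf 'legal name: Jane Doe\nhandle: Nightjar\n' > "$RECORD"

# Encrypt to the organizer's public key. The ASCII-armored output is what a
# prospective member would paste into the email. Prints the ciphertext path.
encrypt_record() {
    gpg --batch --quiet --yes --trust-model always --armor \
        --recipient "$ORGANIZER" --output "$1.asc" --encrypt "$1"
    printf '%s.asc' "$1"
}

# Sanity check a mail server's view: does the ciphertext contain the legal name?
ciphertext_leaks_plaintext() {
    grep -q 'Jane Doe' "$1" && echo yes || echo no
}

# Only the holder of the private key (here, our temporary keyring) recovers the record.
decrypt_record() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' --decrypt "$1"
}

ENC="$(encrypt_record "$RECORD")"
echo "ciphertext leaks plaintext: $(ciphertext_leaks_plaintext "$ENC")"
echo "decrypted by key holder:"
decrypt_record "$ENC"
```

Run as a script; the same `--encrypt` and `--decrypt` steps apply to any file, which is how the same key also protects a member list stored on disk rather than in transit.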
Now, in my communication with the group leaders, I explained our concerns with using email and offered some solutions. We could provide this information when we arrive or use end-to-end encryption. I know not everyone is familiar with it so I explained it as simply as I could and included a link to a written tutorial and a link to a video tutorial on how to set it up. In their response they refused to use end-to-end encryption since they were just going to put the information into an unencrypted database. Again they reassured us they are safe and discreet with member information.
At this point, Kira and I had some concerns about how they stored member information. It didn’t bother me that they didn’t encrypt their actual database, but I wanted to know if some basic measures were taken to protect it. Let’s say they store member information in a handwritten booklet. Your concern would be the risk of someone walking off with it, or of someone having a copy and never returning it. So, it’d be perfectly reasonable of me (and the members) to ask if they keep it locked up when not in use.
You may have heard from one news source or another that professional sites get hacked and their databases compromised. It happens so often that I tend to tune it out, but it’s not just professionals getting compromised; small databases are targets too. If you’re keeping a member database for a small private community, you don’t need to do too much to protect your members’ identities from being compromised. These three things will go a long way to protect this kind of database:
- Keep the database on as few devices as possible.
- Encrypt the drives that your database and backups of your database are on.
- Do not store the database with an online service like Dropbox, Google Drive, etc.
The fewer devices you have, the fewer places you can be compromised. This is called reducing your attack surface. Encrypting your drives means you don’t have to worry as much about your database being compromised if someone steals the device it is stored on. Most operating systems now make it easy to encrypt your drives, including Windows, macOS, Android, iOS, Ubuntu, and likely others. When you use an online service like Dropbox or Google Drive, you have to trust that they are safe and will not search your database; they keep at least the titles of the documents you save in the profile they maintain on you. So by not using a service like that you keep the document from being linked to a group or to another person. All three of these things are free to do and don’t require much time or effort to set up and use.
When I asked if they practiced any of these three things, I was again assured of their concern for their members’ privacy, but they did not address my concerns. Instead, they believe that how they secure the database must be kept a secret in order to protect it. This leads me to believe they rely on what’s called security through obscurity. Examples of this are hiding a file in a folder where you don’t think anyone would look, or hiding a key under the doormat. On its own, this is not a method of security you should rely on.
Let’s say member information is kept in a handwritten booklet. You could safely say whether you keep it (and any copies) in a safe when not in use, and whether you can account for all the copies, without compromising your security. Instead of a simple answer, I was treated as if I was asking for the combination to the safe and the names of the people who had all the copies.
All the communication I received was cordial, but I got the sense that I was being treated as a problem. I understand I’m not dealing with security professionals, and I explained my concerns and solutions in terms anyone can understand. However, because I was a problem, they became defensive and did not heed what I was trying to tell them. They kept thinking that end-to-end encryption was a replacement for their email system, despite my repeated statements that it’s not. They also thought I was asking for their location when I never asked for it.
I’ve been on the other side of the fence and I know the challenges that small communities have and the work that goes into running events. I genuinely believe that they protect their members’ identities the way that they know how to, which I suspect is on a more personal level. However, I believe that there is room for improvement in their policies and practices in order to protect how member data is transmitted and stored electronically. The thing is, we expect this basic level of security for anything we use electronically that has access to our legal names. We weren’t asking for “military grade” security, just basic assurance.
Needless to say, Kira and I decided not to join the group or attend their events. This experience makes me wonder how many private communities that believe they protect their members’ identities are actually putting them at risk. Would this conversation have gone differently if more people were conscious of protecting their privacy electronically?
Something I’ve learned is how important it is to ask questions and not assume.