Civet Solutions responds to recent privacy concerns


UPDATE Feb 24th 2018:
We have released version 9.3.4, which provides a username-and-password login system for our registration kiosks. This resolves all of the potential privacy concerns outlined below regarding the real-name-based kiosk login.
 
 
 
-- 
On January 30th, 2018 we were contacted by Sky regarding a number of privacy concerns with the registration kiosk that Convention Master uses. The issue is that the registration system identifies accounts by legal name rather than by a username or email address, so anyone with access to the kiosk can check whether a given name has an account. Because two accounts can share a legal name, the kiosk also shows a badge name to tell them apart, which can disclose that badge name to someone who is not the account holder.
 
--

Timeline
January 30th, 2018 - 9:48 pm
Sky sent us a message about the issue using our site's Contact Us form. He described his findings and concerns, how to reproduce what he tested, and his wish to publicly disclose, stating: “Disclosure: I would like to publish this vulnerability within two weeks, which should be enough time to apply fixes to the software. If, however, you don't think this is a problem and don't intend to apply fixes, a response would be appreciated as then I could publish faster.”
 
February 1st, 2018
Trapa officially responded to Sky, thanking him for the information and requesting that Sky work with CivetSolutions via email correspondence. Sky declined to coordinate with our team via email.
 
Following the initial contact from Sky, we reviewed the system as a whole to see what information could be gleaned by a user before reaching the password screen. We recognized that the issue was a valid concern and began constructing an action plan. Our objective was to resolve the issue by advancing the release date of a different login system that uses a username and password rather than a name and password. We would have liked to have this functionality in the hands of our customers before Sky publicly disclosed the issues. However, given what CivetSolutions believes to be an arbitrarily short time constraint set by Sky, we have worked diligently to proactively mitigate potential attacks resulting from Sky's disclosure. A 90-day disclosure window is the widely accepted industry standard for security issues whose fixes require design changes.
 
February 18th, 2018
Sky posted his article on Medium, disclosing the issues and concurrently posting to our customers' public chat rooms, presumably to make as many people aware of his findings as possible. In doing so, Sky misrepresented CivetSolutions's concern for user privacy and falsely claimed that CivetSolutions has no plans to act on our users' behalf to ensure their privacy. In conversation with Sky, privately and publicly on Telegram, we have stated that we plan to move to a username-and-password system. This change removes the core design issue behind the privacy concerns described above. We have two statements that we have been repeating that conflict with the tone of Sky's publication:
 
CivetSolutions takes privacy concerns very seriously and agrees that the concern with our registration kiosks presents a potential issue for user privacy.
 
CivetSolutions already has taken, and is continuing to take, active steps to reduce potential abuse of our system until the login process is changed, which will happen as soon as possible.
 
February 18th, 2018
Immediately following the posting of the article, we released to our customers the fixes we had completed to address the privacy concern, and proactively updated customer sites where we had the access to do so. The new version (9.3.3) changes the kiosk so that searching for your own name requires an exact match, and it shows the last-used badge name of an attendee only when more than one person with the same name is in the system (so that you can tell yourself apart from other people with the same name). The update also rate-limits search attempts to prevent automated crawling of the system for names.
 
February 19th, 2018
CivetSolutions posts this official response and continues to work on the fix to the root issue.
 
--
 
The root of this privacy concern is that our registration software only requires your real name to make an account, so you log in with your real name rather than an anonymous username or email address. The privacy issue this creates is that anyone with a link to the registration kiosk can enter a name and learn whether someone with that name has ever used the system to make an account. By itself this does not confirm that the name found belongs to the particular person one may be searching for, but it is a concern to users.
 
Another privacy concern is that when you search for your account by your real name the system may show the previous badge name. Some of the conventions that use us have attendees who populate this field with their online alias in that community, which potentially creates a link between that alias and their real name. We understand why that is a great concern to users and have already disabled the display of previous badge names except where two accounts share the same name. We would like to note that this does require the person looking up the account to enter the account holder's full legal name; the kiosk does not allow searching by badge name. We would also like to note that this badge name is printed on badges worn by attendees in public places and was not expected to be private, though we do appreciate the concern for privacy and the situations that might cause attendees concern.
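As an added illustration (not Convention Master's code, and not code from Sky's write-up), the following Python models the three lookup designs discussed above: the original name-keyed search, the 9.3.3 mitigations (exact match, badge name shown only when two accounts share a legal name, a cap on lookup attempts), and the 9.3.4-style username-and-password login that removes the name-based lookup from the pre-authentication path entirely. The sample accounts, the substring matching assumed for the original search, the five-attempt limit and the PBKDF2 password hashing are assumptions of this example, not facts stated in the post.

```python
"""Model of a name-keyed kiosk lookup and the hardened variants described above.

Constructed sample data and thresholds; not Convention Master's code.
"""
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not real attendees). Two share a legal name;
# one is marked hidden via the staff-side "hide from kiosk" feature.
ACCOUNTS = [
    {"legal_name": "Alex Rivera", "badge_name": "Skyfox", "hidden": False},
    {"legal_name": "Alex Rivera", "badge_name": "Quill", "hidden": False},
    {"legal_name": "Jordan Lee", "badge_name": "jlee_art", "hidden": False},
    {"legal_name": "Sam Patel", "badge_name": "sampatel", "hidden": True},
]


def normalize(name):
    """Case-fold and collapse whitespace so 'alex  RIVERA' matches 'Alex Rivera'."""
    return " ".join(name.split()).casefold()


def lookup_permissive(query):
    """Pre-9.3.3 behaviour as modelled here (assumption: a loose substring
    match). Every non-hidden account whose legal name contains the query is
    returned together with its badge name, so a visitor learns both that a
    name exists and the alias tied to it, from partial input."""
    q = normalize(query)
    return [(a["legal_name"], a["badge_name"])
            for a in ACCOUNTS if not a["hidden"] and q in normalize(a["legal_name"])]


class HardenedKiosk:
    """Lookup with the 9.3.3 mitigations: exact match, badge name only on a
    legal-name collision, and a per-client attempt limit (5 is an assumed value)."""

    def __init__(self, accounts, max_attempts=5):
        self.accounts = accounts
        self.max_attempts = max_attempts
        self.attempts = defaultdict(int)  # keyed by a client identifier, e.g. source IP

    def lookup(self, client, query):
        self.attempts[client] += 1
        if self.attempts[client] > self.max_attempts:
            # Rate limit: automated crawling of the name space is cut off.
            raise PermissionError("too many lookups; try again later")
        q = normalize(query)
        matches = [a for a in self.accounts
                   if not a["hidden"] and normalize(a["legal_name"]) == q]
        if len(matches) <= 1:
            # A single match needs no disambiguation, so no badge name is shown.
            # Residual: the response still reveals whether the exact name exists.
            return [{"legal_name": a["legal_name"]} for a in matches]
        return [{"legal_name": a["legal_name"], "badge_name": a["badge_name"]}
                for a in matches]


# --- 9.3.4-style username/password login (PBKDF2 is this example's choice) ---

def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed credential store: username -> (salt, hash). No legal name is
# reachable through the login path at all.
USERS = {"skyfox42": hash_password("correct horse battery")}
_DUMMY_SALT, _DUMMY_HASH = hash_password(os.urandom(8).hex())


def login(username, password):
    """Return True only for a valid username/password pair. An unknown
    username is verified against a dummy hash so the timing and the result
    match a wrong password, removing the 'does this account exist' oracle."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored) and username in USERS


if __name__ == "__main__":
    print(lookup_permissive("rivera"))
    kiosk = HardenedKiosk(ACCOUNTS)
    print(kiosk.lookup("10.0.0.7", "Alex Rivera"))
    print(kiosk.lookup("10.0.0.7", "Jordan Lee"))
    print(login("skyfox42", "correct horse battery"), login("nobody", "x"))
```

Note that the hardened lookup still answers the question "does this exact legal name have an account", which is why the post treats 9.3.3 as a mitigation and the username/password login as the fix: once lookups are keyed by a username the visitor chose, a failed login reveals neither a legal name nor a badge name.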
 
In some situations, users may be concerned about having their name listed in the registration kiosk at all, for safety reasons. In 2016 we released the ability to hide users from the kiosk, and convention staff can already use this functionality to address those users' concerns.
 
All of the privacy concerns raised by Sky revolve around this registration process. The core issue was already being addressed through a transition to a username/password kiosk system for some time before we were contacted by Sky, and we are still working to release it as soon as it is production ready.
 
When Sky contacted CivetSolutions, he was asked to work with our team via email, and he declined to do so. To minimize the potential harm to our customers' attendees, we asked Sky to wait until we had addressed the issues before posting his findings, and he declined to do so. As much as we would have preferred a delayed public disclosure, we thank Sky for bringing the matters to our attention.
 
CivetSolutions cares about the privacy and safety of all of our users, from con staff to attendees to vendors and art exhibitors. Our track record shows prompt action and updates in response to any security or privacy issue brought to our attention.
 
Once again, we would like to reiterate to our customers that we are hard at work on an additional patch, to be released as soon as possible, that will allow conventions to switch to a more traditional username/password system. CivetSolutions does and always has taken privacy concerns very seriously, and we want to encourage more people to come forward to us with concerns or bugs.
 
We encourage and welcome anyone who has ideas or concerns for improving our software's security or general features to contact us directly via email at support@civetsolutions.com or by using the Contact Us page on our website, civetsolutions.com.