<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>gdgtgrl &#187; Privacy</title>
	<atom:link href="http://gdgtgrl.net/category/privacy/feed/" rel="self" type="application/rss+xml" />
	<link>http://gdgtgrl.net</link>
	<description>One girl's take on tech</description>
	<lastBuildDate>Mon, 23 Aug 2010 16:00:23 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Bank Emails Customer Data to Wrong Account Exposing 1,325 Customers to Potential Identity Theft</title>
		<link>http://gdgtgrl.net/2009/10/06/bank-emails-customer-data-to-wrong-account-exposing-1325-customers-to-potential-identity-theft/</link>
		<comments>http://gdgtgrl.net/2009/10/06/bank-emails-customer-data-to-wrong-account-exposing-1325-customers-to-potential-identity-theft/#comments</comments>
		<pubDate>Tue, 06 Oct 2009 16:00:22 +0000</pubDate>
		<dc:creator>kenya</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[gmail]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[rocky mountain bank]]></category>

		<guid isPermaLink="false">http://gdgtgrl.net/?p=679</guid>
		<description><![CDATA[Rocky Mountain Bank, a small regional bank in Wyoming, has been in the news recently because it sued Google to reveal the identity of the owner of a GMail account to which the bank accidentally sent customer data. In addition, the bank wanted Google to delete that email as well as deactivate the user&#8217;s account. [...]]]></description>
			<content:encoded><![CDATA[<!-- sphereit start --><p>Rocky Mountain Bank, a small regional bank in Wyoming, has been in the news recently because it <a href="http://www.wired.com/threatlevel/2009/09/bank-sues-google/">sued Google </a>to reveal the identity of the owner of a GMail account to which the bank accidentally sent customer data.  In addition, the bank wanted Google to delete that email as well as deactivate the user&#8217;s account.  Many articles I&#8217;ve seen about the incident focus on the <a href="http://www.informationweek.com/news/internet/google/showArticle.jhtml?articleID=220100410/">privacy of the GMail user</a>.</p>
<p><a href="http://gdgtgrl.net/wp-content/uploads/2009/10/identitytheft.jpg"><img src="http://gdgtgrl.net/wp-content/uploads/2009/10/identitytheft-300x199.jpg" alt="identitytheft" title="identitytheft" width="300" height="199" class="alignright size-medium wp-image-685" /></a>More concern should be focused on Rocky Mountain Bank&#8217;s 1,325 loan customers.  The bank sent their names, addresses, social security numbers and loan balances to the &#8220;wrong&#8221; GMail address.  There are just so many things wrong with that statement.  Most glaring is how could this information ever be sent to the <em>right</em> GMail account.  This bank has opened up 1,325 people to the possibility of the irreparable damage of identity theft.</p>
<p>As a financial institution, Rocky Mountain Bank is bound by <a href="http://epic.org/privacy/glba">regulations</a> meant to protect consumers from having their personally identifiable information exposed.  The bank was completely and utterly reckless in the way this was handled.  It is likely that the bank could be fined.  The bank may even face lawsuits.</p>
<p><strong>What They Did Wrong</strong></p>
<p><strong>They emailed personally identifiable information.</strong><br />
First, personally identifiable information should never be emailed, even if requested.  The moment unencrypted data is transmitted over the internet, that data is practically available for all to see.  Data is stored at each server it has to traverse to get to its destination.  It can also be intercepted by anyone on that route.  While RMB focused on that one email account, it is impossible to delete all traces of this data as it could be anywhere by now.  If this user is in a country that does not cooperate with U.S. law enforcement and has already downloaded or otherwise saved the email, that user is not subject to any litigation originating from the U.S.  This data could already be available on the black market.</p>
<p><strong>They did not use encryption.</strong><br />
If there is no way to transmit the information other than email, it must be encrypted.  That data must be encrypted whether it&#8217;s at rest (on a hard drive, in a database, on a floppy, etc.) or whether it&#8217;s in motion (emailed, FTPed, etc.).  This is a very basic principle.</p>
<p><strong>Does anything else matter?</strong><br />
The bank could have also used filtering on outgoing messages to recognize sensitive data being emailed.  The bank could have also double-checked the email address that the message was being sent to as well as the actual email attachment.  Or the bank could have implemented a secure messaging system so sensitive information never leaves their network.  I&#8217;m not so sure this is the point, however.  The fact that the wrong file was sent, and to the wrong email address, is beside the point.  If the bank made a habit of encrypting data and not sending financial records via email, all the other &#8220;what ifs&#8221; regarding the incident wouldn&#8217;t matter.</p>
<p><strong>They covered their butts first.</strong><br />
In requesting these court orders Rocky Mountain Bank wanted the lawsuit sealed.  That to me looks like the bank was trying to protect itself hoping the details of this data breach would not be exposed.  The bank has most likely reported the breach to its customers but likely not how the breach occurred.  What they have done by getting the email deleted, receiving the GMail user&#8217;s identity and deactivating that account does nothing to remedy a situation that cannot be remedied.  This bank should bear sole responsibility for releasing customer information in such a reckless manner and should be held accountable.</p>
<p>Rocky Mountain Bank found that the <a href="http://www.theregister.co.uk/2009/09/30/rocky_mountain_google_case_fini/">email containing the sensitive data was not read by the email account owner</a>.  Rocky Mountain Bank has dropped its lawsuit against Google.  Bank representatives are certainly relieved but this hardly means the data is not available elsewhere.</p>
<!-- sphereit end --><span style="margin-bottom:40px; border-bottom:none;"><a class="iconsphere" title="Sphere: Related Content" onclick="return Sphere.Widget.search('http://gdgtgrl.net/2009/10/06/bank-emails-customer-data-to-wrong-account-exposing-1325-customers-to-potential-identity-theft/')" href="http://www.sphere.com/search?q=sphereit:http://gdgtgrl.net/2009/10/06/bank-emails-customer-data-to-wrong-account-exposing-1325-customers-to-potential-identity-theft/">Sphere: Related Content</a></span><br/><br/><img src="http://gdgtgrl.net/?ak_action=api_record_view&id=679&type=feed" alt="" /><h2  class="related_post_title">You might also be interested in:</h2><ul class="related_post"><li><a href="http://gdgtgrl.net/2009/01/09/checkfree-a-case-of-phishing-pharming-and-drive-bys/" title="CheckFree: A Case of Phishing, Pharming and Drive-Bys">CheckFree: A Case of Phishing, Pharming and Drive-Bys</a></li><li><a href="http://gdgtgrl.net/2009/01/02/data-loss-identity-theft-and-credit-card-fraud-links/" title="Data Loss, Identity Theft and Credit Card Fraud Links">Data Loss, Identity Theft and Credit Card Fraud Links</a></li><li><a href="http://gdgtgrl.net/2008/05/29/mobile-websites-suck/" title="Mobile Websites Suck">Mobile Websites Suck</a></li></ul>]]></content:encoded>
			<wfw:commentRss>http://gdgtgrl.net/2009/10/06/bank-emails-customer-data-to-wrong-account-exposing-1325-customers-to-potential-identity-theft/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Is Your GPS-Enabled Camera Phone Sharing Private Info?</title>
		<link>http://gdgtgrl.net/2009/07/13/is-your-gps-enabled-camera-phone-sharing-private-info/</link>
		<comments>http://gdgtgrl.net/2009/07/13/is-your-gps-enabled-camera-phone-sharing-private-info/#comments</comments>
		<pubDate>Mon, 13 Jul 2009 14:00:40 +0000</pubDate>
		<dc:creator>kenya</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Mobile]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[geotagging]]></category>
		<category><![CDATA[gps]]></category>
		<category><![CDATA[iphone]]></category>
		<category><![CDATA[smartphones]]></category>

		<guid isPermaLink="false">http://gdgtgrl.net/?p=540</guid>
		<description><![CDATA[Most people are not comfortable telling the entire internet their whereabouts but they may be doing so unintentionally.  One seemingly innocuous photo could result in people knowing the exact GPS coordinates of your house.]]></description>
			<content:encoded><![CDATA[<!-- sphereit start --><p>Do you enjoy posting camera phone photos online but don&#8217;t want to share where you live, work or otherwise frequent?  Most people are not comfortable telling the entire internet their whereabouts but they may be doing so unintentionally.  Make sure your phone isn&#8217;t freely giving this information out.</p>
<p><strong>Geotagging</strong></p>
<p><a href="http://gdgtgrl.net/wp-content/uploads/2009/07/geotagging.png"><img class="alignright size-medium wp-image-555" title="Click to see full size image" src="http://gdgtgrl.net/wp-content/uploads/2009/07/geotagging-300x180.png" alt="Geotagging on Flickr" width="300" height="180" /></a>Digital cameras store images in a format called Exchangeable Image File (EXIF).  EXIF files can be TIF or JPEG format but they also include information about the photo including the type of camera used to take the photo and the camera settings.  The EXIF specification also allows for GPS coordinates to be included.  Adding geographic information to photos is called geotagging.  Phones that can geotag photos include Blackberry, iPhone, G1 and Palm Pre.</p>
<p><strong>Geotagged Images Online</strong></p>
<p>With the iPhone there was a limitation in the API used to upload and email photos that stripped GPS and other data when the photos were uploaded directly from the phone.  This can be seen as a flaw by some and an accidental security measure by others.  However, the API was fixed in the iPhone 2.1 update so all EXIF data is now being transmitted depending on what application you are using to upload the photos.  In addition, if you save the photos on your computer the data remains in the file so if you subsequently upload those files anywhere the location data will go along with them.</p>
<p><a href="http://gdgtgrl.net/wp-content/uploads/2009/07/Screenshot-Exif-Viewer.png"><img class="alignleft" title="Click to see full size image" src="http://gdgtgrl.net/wp-content/uploads/2009/07/Screenshot-Exif-Viewer-300x209.png" alt="GPS Coordinates Seen in EXIF Viewer" width="300" height="209" /></a>If photos are uploaded to Flickr, the service can automatically geotag them based on EXIF data.  However, I am not so much worried about sites like Flickr.  Flickr has the ability to hide EXIF data and many image hosting sites strip EXIF data from the images they show (probably in the interest of saving bandwidth).  But what happens when one uploads photos to blogs or other sites?  Anyone, especially stalkers or other people with ill intentions, can view the photos&#8217; EXIF data to find out where the photos were taken.  One seemingly innocuous photo could result in people knowing the exact GPS coordinates of your house.</p>
<p>It looks like many phones will allow you to turn geotagging off.  However, this feature cannot be turned off on an iPhone without turning off all location services.  At one point the iPhone&#8217;s Camera application would ask to know your location.  This was a good way to opt out of location data being stored in the photo.  However, the application no longer asks for permission and automatically stores the location data in each photo.</p>
<p><strong>What Can Be Done</strong></p>
<p>The most important thing is to be aware when you are geotagging photos.  On the iPhone it is likely that turning off location services completely is not a convenient option.  If you are saving the photos on your computer and then uploading them, you will have to edit the EXIF data to remove the GPS coordinates before uploading the files.  Many image editing programs will allow you to do this.  However, if you are uploading images directly from your phone, you are sending your GPS data to the internet.  I just checked the App Store and there aren&#8217;t any apps to remove geotags.  (I did see three apps that claim to remove all EXIF data though.)  Your best bet would be to not directly post anything from private locations unless you know for sure that your geotag data will be stripped.</p>
<p>I do not have access to other GPS-enabled phones at this time but will try to get my hands on some for testing.  From a cursory look on the internet it appears that Blackberry and Pre have an option to enable geotagging which probably means it can also be disabled.  I did not immediately find information on whether geotagging can be disabled on a G1.  I will definitely look more into this.</p>
<p>Are you unwittingly sharing location data?</p>
<!-- sphereit end --><span style="margin-bottom:40px; border-bottom:none;"><a class="iconsphere" title="Sphere: Related Content" onclick="return Sphere.Widget.search('http://gdgtgrl.net/2009/07/13/is-your-gps-enabled-camera-phone-sharing-private-info/')" href="http://www.sphere.com/search?q=sphereit:http://gdgtgrl.net/2009/07/13/is-your-gps-enabled-camera-phone-sharing-private-info/">Sphere: Related Content</a></span><br/><br/><img src="http://gdgtgrl.net/?ak_action=api_record_view&id=540&type=feed" alt="" /><h2  class="related_post_title">You might also be interested in:</h2><ul class="related_post"><li><a href="http://gdgtgrl.net/2010/08/23/solar-charge-on-the-go/" title="Solar Charge on the Go">Solar Charge on the Go</a></li><li><a href="http://gdgtgrl.net/2010/06/28/ios-4-upgrade-on-iphone-3g/" title="iOS 4 Upgrade on iPhone 3G">iOS 4 Upgrade on iPhone 3G</a></li><li><a href="http://gdgtgrl.net/2010/06/10/iphone-4-and-ios-4-introduced-verdict-out/" title="iPhone 4 and iOS 4 Introduced: Verdict Out">iPhone 4 and iOS 4 Introduced: Verdict Out</a></li><li><a href="http://gdgtgrl.net/2009/06/29/palm-pre-nice-ad-but/" title="Palm Pre: Nice Ad But &#8230;">Palm Pre: Nice Ad But &#8230;</a></li></ul>]]></content:encoded>
			<wfw:commentRss>http://gdgtgrl.net/2009/07/13/is-your-gps-enabled-camera-phone-sharing-private-info/feed/</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
		<item>
		<title>Facebook Friend Finder: What You May Not Know About Your Data</title>
		<link>http://gdgtgrl.net/2009/06/22/facebook-friend-finder-what-you-may-not-know-about-your-data/</link>
		<comments>http://gdgtgrl.net/2009/06/22/facebook-friend-finder-what-you-may-not-know-about-your-data/#comments</comments>
		<pubDate>Mon, 22 Jun 2009 14:10:05 +0000</pubDate>
		<dc:creator>kenya</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[friend suggestion]]></category>

		<guid isPermaLink="false">http://gdgtgrl.net/?p=373</guid>
		<description><![CDATA[Until recently I was under the impression that Facebook&#8217;s Friend Finder would suggest friends based on common friends or on common schools or employers.  That had been the bulk of the suggested friends I was getting. A few weeks ago, I noticed that Facebook had started suggesting people that I know that had no common [...]]]></description>
			<content:encoded><![CDATA[<!-- sphereit start --><p>Until recently I was under the impression that Facebook&#8217;s Friend Finder would suggests friends based on common friends or on common schools or employers.  That had been the bulk of the suggested friends I was getting.</p>
<p><a href="http://gdgtgrl.net/wp-content/uploads/2009/06/facebook-suggestion.png"><img class="alignright size-full wp-image-383" title="facebook suggestion" src="http://gdgtgrl.net/wp-content/uploads/2009/06/facebook-suggestion.png" alt="Click to view full size" width="266" height="98" /></a>A few weeks ago, I noticed that Facebook had started suggesting people that I know that had no common Facebook friends with me.  They had no common schools either.  What we did have in common was an employer but I have not included employment information in Facebook.  Facebook no longer seems to say why someone is being suggested.</p>
<p>Last week Twitter friend <a href="http://twitter.com/lightfoot">@lightfoot</a> <a href="http://twitter.com/lightfoot/status/2150347230">wondered how Facebook was suggesting two friends that she had no idea were on Facebook but whom she emails often</a>.  I suggested that it was because Facebook kept email addresses from her address book when she allowed Facebook to search it to find friends on the network.  At the time, I was not completely sure that this was the case.  As of last night, however, I am sure.  Facebook suggested a person as a friend that I have emailed only once.  This person was someone I met in the Dominican Republic last year who gave me his email address to send him the picture he requested that I take of him (believe it or not this happens a lot).  There is no way possible that I have any connection to him other than that one email and photo.</p>
<p>I took a look at the Friend Finder page to see what was included about how the service works.</p>
<div style="text-align: center"><a href="http://gdgtgrl.net/wp-content/uploads/2009/06/facebook-find-friends.png"><img class="aligncenter size-medium wp-image-375" title="Click to view full size" src="http://gdgtgrl.net/wp-content/uploads/2009/06/facebook-find-friends-300x96.png" alt="Facebook Find Friends" width="300" height="96" /></a></div>
<p>It clearly states that it will not store your password but you have to click the &#8220;Learn More&#8221; link to find out what it does with the data it uploads from your address book. It says that the data is used to find and suggest friends and it mentions that the data is stored.</p>
<div style="text-align: center"><a href="http://gdgtgrl.net/wp-content/uploads/2009/06/facebook-friendfinder.png"><img class="aligncenter size-medium wp-image-377" title="Click to view full size" src="http://gdgtgrl.net/wp-content/uploads/2009/06/facebook-friendfinder-300x144.png" alt="Facebook Friend Finder" width="300" height="144" /></a></div>
<p>Facebook does, however, allow you to delete that data.</p>
<div style="text-align: center"><a href="http://gdgtgrl.net/wp-content/uploads/2009/06/remove-contacts-friendfinder.png"><img class="aligncenter size-medium wp-image-378" title="Click to view full size" src="http://gdgtgrl.net/wp-content/uploads/2009/06/remove-contacts-friendfinder-300x108.png" alt="Remove Contact Friend Finder" width="300" height="108" /></a></div>
<p>If you don&#8217;t want Facebook holding on to that data, you should <a href="http://www.facebook.com/contact_importer/remove_uploads.php">delete</a> it as soon as possible.  Disclaimer: I have not yet read the terms of service to verify that &#8220;remove&#8221; really means &#8220;remove&#8221;.</p>
<div style="text-align: center"><a href="http://gdgtgrl.net/wp-content/uploads/2009/06/contacts-removed-facebook.png"><img class="aligncenter size-medium wp-image-379" title="Click to view full size" src="http://gdgtgrl.net/wp-content/uploads/2009/06/contacts-removed-facebook-300x77.png" alt="Contacts Removed Friend Finder" width="300" height="77" /></a></div>
<p>It can be argued that if one gives Facebook access to one&#8217;s address book then he or she deserves whatever happens.  The problem with this argument is that people allow access to their data without knowing what will actually be done with that data or how long it will be stored.  That said, it&#8217;s a good idea to read the small print before giving up your data.</p>
<p><strong>Update 6/23:</strong> After deleting my stored contact information on Facebook, the service seems to be on overdrive recommending friends to me that are from my address book (three new ones today).  Apparently, this information was not deleted.  It&#8217;s best not to let Facebook have access at all.</p>
<!-- sphereit end --><span style="margin-bottom:40px; border-bottom:none;"><a class="iconsphere" title="Sphere: Related Content" onclick="return Sphere.Widget.search('http://gdgtgrl.net/2009/06/22/facebook-friend-finder-what-you-may-not-know-about-your-data/')" href="http://www.sphere.com/search?q=sphereit:http://gdgtgrl.net/2009/06/22/facebook-friend-finder-what-you-may-not-know-about-your-data/">Sphere: Related Content</a></span><br/><br/><img src="http://gdgtgrl.net/?ak_action=api_record_view&id=373&type=feed" alt="" /><h2  class="related_post_title">You might also be interested in:</h2><ul class="related_post"><li><a href="http://gdgtgrl.net/2010/07/21/facebook-security-snare/" title="Facebook Security Snare">Facebook Security Snare</a></li><li><a href="http://gdgtgrl.net/2008/12/07/trojan-outbreak-on-facebook/" title="Trojan Outbreak on Facebook">Trojan Outbreak on Facebook</a></li></ul>]]></content:encoded>
			<wfw:commentRss>http://gdgtgrl.net/2009/06/22/facebook-friend-finder-what-you-may-not-know-about-your-data/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
	</channel>
</rss>
