If you follow security or tech news, you might have heard about a site called Family Tree Now making a stir a few months ago. As far as businesses go, Family Tree Now is hardly unique or original. It's another one of those ancestor/lineage tracers that attempts to dig into records and other data sources to see who you're related to, where they come from, and as far back down the line as they can. Other sites have done it before, more sites will probably be doing it in the future.
No, what sets Family Tree Now apart isn't what it does, but how it does it. Unlike most ancestry sites, Family Tree Now allows access to all of this information about you for free. To anyone.
Profiles on Family Tree Now are not limited to dim and distant relatives and trivia about what farms they might have tilled or what boat they might have come over on. No, the information available on Family Tree Now includes age, birth month, current and past addresses and phone numbers of currently living people. It even includes a list "possible associates” that will identify children, siblings, and friends, providing a complete look at your family and social circles. It's possible, even likely, your information is up for grabs on the site right now without you even knowing it.
Obviously, this is a major concern for anyone who cares about their privacy, but it is extremely dangerous for anyone in a vulnerable or precarious state. Imagine if you had a problem with a persistent stalker, an abusive ex you were trying to keep at arms length? Or if you worked in a sensitive industry that could inspire personal retaliation from people you interact with, such as working on the police force or as an attorney? This site hands anyone who might be curious about your whereabouts and family members that information on a silver platter with no mind to their possible intention.
Even removed from potentially volatile situations such as a stalker situation, what Family Tree Now offers is a worrisome security risk even to the average person. Social engineering techniques rely on finding an angle, some speck of information that can be used as a wedge to pry open your privacy, wallet, or bank account. Family Tree Now offers a wide range of jimmies including your mother's maiden name (always a great starting point for any password reset or identity fraud scam), a list of previous addresses (one of the pieces of info businesses like a phone company will use to collaborate your identity), and a list of family members. It's a smorgasbord for anyone looking for an easy in on a social engineering scam.
You can choose to opt-out of Family Tree Now (if you're aware of it), but the process is complicated and error prone. Rather than just supply your name and be done with it, Family Tree Now places the labor on you to find your own profile out of a stack of similarly name ones and manually flag it for de-listing. Many users have reported getting error messages while attempting this process or opting out, only to see their profile still appear on the site days later (Family Tree Now says it may take up to 48 hours to de-list).
Of course, "de-listing” is also not the same as deleting. Learning nothing from other large scale sensitive data breaches such as the Ashley Madison fiasco from a few years ago, information about you isn't deleted from Family Tree Now's database after opting out, they still retain it. That means the info is one data-breach or careless upload away from being back on the web.
If the notion of all your information just hanging out in the breeze has you spooked, hang on, it's going to get worse. Family Tree Now is a flagrant offender, but the reality is most of the same information they have is already available through other means if someone is determined enough to find it.
In security circles, this is what is referred to as "open source intelligence” or OSINT. Publicly available or easily accessed information that can be used to determine details about an individual. Police and intelligence agencies use this kind of data to monitor and track criminal activity, build profiles, and assess potential threats all the time. Now, businesses are making use of the same tactics to turn a dollar.
Remember, Family Tree Now offers all this potentially harmful information up to people for free, so what are they getting from it? The same thing services like Facebook, MySpace, and countless other sites have before them – advertising dollars. Family Tree Now might pose a massive security risk to thousands of people, but ultimately, it's in the business of selling targeted ads just like everyone else.
You can opt-out of Family Tree Now, but what about the next site? What about the dozens of sites already out there hosting the same information? Trying to stay ahead of information online is like trying to swim upstream while tangling with a hydra at the same time.
We're coming to a point where the individual cannot reasonably control the private details of their life. But unlike the worries of media in the past, it isn't due to razor sharp hackers or invasive government surveillance, no, it's market forces and inertia that pulling back the blinds to our private lives.