Watch what details you include in uploaded trees .....

Post by **emanday** » Thu Jun 01, 2006 3:19 pm

I've posted this on another family history site, and think it needs to be mentioned here.

This morning, I got a very worrying call from a security chap at my bank about a card payment I made last night from my account to Ancestry.com. He said he just needed to make sure it was OK. As it was for less than £20 I was naturally curious as to why it merited a personal phone call. What he told me has concerned me very much.

It seems that thieving people are obtaining data about LIVING people from family trees uploaded on some sites and obtaining credit cards, loans, etc... I must admit I had noticed that it is possible to get that kind of info but hadn't given the potential fraud thing much thought.

The really

clever

thing these thieves do is to use the fraudently obtained cards to set up new accounts on these same sites so that they can search for more stuff, but with no connection to their previous memberships.

Guess who is removing some details from my uploaded tree

edited to "... thieving people ..." to remove words that I'm confident the bank official never used - AndrewP

Post by **AndrewP** » Thu Jun 01, 2006 5:15 pm

Hi Emanday,

There are differing opinions as to how recent family tree information it is wise to put online. I would certainly say no living people should be on your online tree. But think also about any deceased from one generation before yourself. The most regular bank security question asks you what your mother's maiden name is.

My opinion is to follow a similar route to the approach used on ScotlandsPeople - not to include those born within the last 100 years for a publicly available tree. If anyone wishes to find more recent information, then it is for them to contact you, and for you to assess if you are happy letting that person have the more recent information.

All the best,

AndrewP

Post by **emanday** » Thu Jun 01, 2006 6:22 pm

As you say, including mother's maiden names, deceased or not, are a truly potential security no no.

As to the word I used; I do confess that was my addition, but the way I was feeling, that is what I thinks they are. Shouldn't have used it on the forum though.

<i>For the benefit of others - it wasn't one of THOSE words</i>

pinkshoes · Post by **pinkshoes** » Thu Jun 01, 2006 6:24 pm

Hi Emanday & Andrew

This issue worries me a great deal - even more so now. I've related incidents elsewhere on TS where people have indirectly obtained info about my family and posted details of living people on a genealogy website. These websites are potentially goldmines for the unscrupulous. As Andrew says, date of birth, place of birth, mother's maiden name - all bog standard security questions just waiting to be harvested.

You can guarantee, if it CAN happen, it WILL happen. Sadly the inevitable result of exercising caution is restricted opportunity to find connections. I have to say at least one website doesn't seem too concerned about the potential for identity theft (I'm not on about Ancestry - don't know how their security works) and in fact responded to my question on the subject in quite a "too bad, sharing info is what we're about" manner.

Up to each of us to make our own decision about what to upload I guess, but at least be aware. I thought I was ultra careful, but accidents happen. Look out too for the website that sends your tree to enquirers by default.

Best wishes
Pinkshoes

mallog · Post by **mallog** » Thu Jun 01, 2006 7:43 pm

Pinkshoes,

Glad you mentioned this as it is one of the reasons I haven't rushed to join sites like that but it obviously doesn't concern a lot of people. It's bad enough coping with all the spam just putting your email address on-line without all that as well.

Andrew,

I think your suggestion of the 100 year rule is a good idea.

Mallog

David Douglas · Post by **David Douglas** » Mon Jun 12, 2006 9:01 pm

I publish my data online at www.gencircles.com - it hides details of the living from everyone except the owner of the data when logged in. With large trees, expecially following descendants of a common ancestor, it would otherwise be difficult to remove such private data if I had to remember to do it myself each time.

Mind you, I think I'd be pretty annoyed if my bank started acting as a 'nanny', prying into what kind of purchases I make. In Denmark, where I live, that would be in violation of the Data protection act.

Post by **emanday** » Wed Jun 14, 2006 12:22 am

David Douglas wrote:Mind you, I think I'd be pretty annoyed if my bank started acting as a 'nanny', prying into what kind of purchases I make. In Denmark, where I live, that would be in violation of the Data protection act.

I think you'll find that you'd be even more annoyed if you discovered that your bank was aware of thieves doing this kind of thing, saw such potential activity on your account, but simply ignored it. People have had their accounts cleaned out, credit cards issued fraudulently being maxed out in their name, etc...

Me - I was very grateful and reassured that their security was on the ball.

David Douglas · Post by **David Douglas** » Wed Jun 14, 2006 4:10 pm

Yes, but as I understand it, all you did was to make a small credit card payment at Ancestry.com. Does the bank really call up every customer that spends money at Ancestry.com, or other genealogy sites? It's not as if Ancestry.com is a disreputable company.

I would only wish to be contacted by the bank if there were evidence of an actual fraud, rather than potential risks. I don't wish to have my lifestyle analysed by a bank - I don't trust them not to misuse the information, especially given the other businesses banks are involved in, like insurance.

There was a case in Denmark a few years ago when banks who noticed their customers doing business with a controversial German life insurance company contacted them to warn about these life insurance policies being very overpriced and difficult to get out of. But the bank got into trouble with the data protection authorities - they did not have permission to use information in that way. After all, the insurace company, though very controversial, was operating legally in Denmark. And the bank itself was one of their competitors in the life insurance market.

Banks can of course send brochures out to all their customers, explaining various risks.

Post by **emanday** » Wed Jun 14, 2006 7:19 pm

David Douglas wrote:I would only wish to be contacted by the bank if there were evidence of an actual fraud, rather than potential risks.

So, what you're saying is; You'd rather the fraud had actually taken place, (i.e. Some thieving person had already run up a huge loan or credit card bill in your name), before the bank should do anything?

David Douglas · Post by **David Douglas** » Wed Jun 14, 2006 9:54 pm

Yes, actually, since I don't think it's their job to monitor what I spend my money on. It just seems such a thin pretext on the part of the bank - "this customer is interested in genealogy on the internet, therefore he risks revealing his personal data to criminals". I'm not disputing that it is unwise to reveal data on the living on an internet site. But why would they think you would do that, just because you're an Ancestry customer?

You might appreciate the bank contacting you with advice; I personally would not want to be contacted on that basis. If they sent out letters to all credit-card customers offering general advice, that would be no problem. I suppose they want to get people to listen to their message, but so do huge numbers of other companies, all competing for our attention every day.

Genealogy is a non-controversial pastime, but other purchases that customers might make could be of a more personal and embarrassing nature.