Tech News

Overnight, DocuSign helps customers ensure document security

DocuSign is taking steps, from customer education to an additional access check, to protect documents and user information, even when customers share copies outside the DocuSign network.

What was viewable online yesterday is not today

Yesterday, AG uncovered that the names, email addresses, locations and document titles of some DocuSign customers were publicly visible online and could be found with a simple Google search.

Realtor Frank Llosa tells the story of how this information was visible to everyone, noting that he was emailing with a user of his website who said they had a house to list and sell. As part of his “who is this person” background check, he did a Google search on the prospect’s email address and found that they had signed a listing agreement with a broker a couple of days prior.

Overnight, DocuSign took action

“Rest assured that DocuSign follows national and international security standards, including strict security policies and practices that set the standard for world-class information security,” said Chief Security Officer, Joan Ross in a statement last night.

The company tells AGBeat that “While DocuSign always encourages customers to save their DocuSigned documents on the secure DocuSign Global Network, it’s come to our attention that a small number of customers have saved personal copies of their documents on publicly accessible websites that are being indexed by search engines.”

DocuSign says they are taking the following actions to help their customers:

  • “DocuSign is contacting the few customers we’ve found who have personal copies of DocuSigned documents on publicly accessible websites to either confirm that is their intent (which in some cases it is), or if not to suggest ways to secure them.
  • To make information on signature validation even less accessible, DocuSign has added a second step that requires any party searching for information on a DocuSigned document to provide additional transaction details.
  • To make personal copies of documents that DocuSign customers have saved on the public Internet less discoverable, DocuSign is working with search engines to block indexing of links to DocuSign within public documents.
  • DocuSign will also proactively provide on-going education to customers and the market around best practices for securing personal copies of documents and data. Content will be made available through the DocuSign Trust Site and the DocuSign blog at https://www.docusign.com/blog/.”

Every URL that AGBeat was able to open and read yesterday now asks the visitor for the Envelope ID before it shows anything. The details are no longer reachable from a search result alone; they sit behind a check that only someone holding the specific identification number assigned to that document can pass.

Although AG found additional documents and email addresses visible to the public, out of concern for DocuSign users’ privacy we are not publishing any of that information and have instead turned it over to DocuSign so it can make the necessary changes. The added step of requiring the Envelope ID before any details are shown appears to have resolved the exposure we saw. One caveat: that check is only as good as the secrecy of the Envelope ID, and the ID is printed on the signed document itself, so it stops a searcher who has only the link, not someone who already holds a publicly posted copy of the document.

The company tells AGBeat that “A benefit of DocuSign that customers value is that signatures on documents are verifiable through a hyperlink to a customer-created DocuSign ID card. This helps parties to a transaction validate who has actually signed a document and displays a legally binding audit trail. Search engines cannot and do not index documents saved on the secure DocuSign Global Network. Search engines do index hyperlinks from publicly accessible websites. Leaving personal copies of documents on public sites where they can be indexed rather than within the secure DocuSign Global Network is like leaving copies of documents from a locked filing cabinet out on a public table for others to see.”

DocuSign recommends that customers store documents on the DocuSign Global Network and save personal copies only to locations that meet the security requirements of every signing party. AG would add that some third-party locations may look secure, document hosting and sharing sites in particular, but it takes very little for a hyperlink to such a copy to be shared, crawled and indexed by a search engine, and once the copy is indexed, every link inside it is exposed with it.
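The two controls described above, a crawler directive on the signature-validation page and an Envelope ID check before any details are shown, as an added example. This is not DocuSign’s code and says nothing about how their service is built; the URL layout, the opaque link token, the UUID-shaped Envelope ID and the sample envelope record are all assumptions made for illustration. It shows the weak shape (the link alone is the credential) next to the hardened handler.

```python
"""Added example, not DocuSign code: a signature-validation endpoint that
refuses to be indexed and releases envelope details only to a caller who
already knows the Envelope ID. Paths, token format, the UUID-shaped Envelope
ID and the sample record are all assumptions made for illustration."""
import hmac
import re
from http import HTTPStatus

# Constructed sample data: the opaque token that would appear in the
# hyperlink stamped into a signed PDF, mapped to the envelope it belongs to.
ENVELOPES = {
    "3f1c2a7b": {
        "envelope_id": "8A6E9B2C-1D34-4F5A-9B7C-0E2D3F4A5B6C",
        "document": "Listing Agreement - 123 Main St",
        "signers": ["Jane Seller", "Joe Broker"],
        "completed": "2012-06-05T14:22:10Z",
    },
}

# Assumed Envelope ID shape (UUID-like). Rejecting malformed input up front
# keeps junk out of the comparison and out of the logs.
ENVELOPE_ID_RE = re.compile(
    r"^[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")

# Sent on every response from the verify path. A public PDF may still link
# here, but a compliant crawler will neither index the page nor follow its
# links, and shared caches will not keep a copy.
ROBOTS_HEADERS = {
    "X-Robots-Tag": "noindex, nofollow, noarchive",
    "Cache-Control": "private, no-store",
}


def robots_txt():
    """robots.txt body that keeps well-behaved crawlers off the verify path.
    Defence in depth only: robots.txt is advisory, and the X-Robots-Tag
    header above is what stops indexing of a page a crawler does reach."""
    return "User-agent: *\nDisallow: /verify/\n"


def verify_open(token):
    """The weak shape: whoever holds the link (a crawler that followed it
    out of a publicly posted PDF included) gets the envelope details."""
    record = ENVELOPES.get(token)
    if record is None:
        return HTTPStatus.NOT_FOUND, {}, {"status": "not_found"}
    return HTTPStatus.OK, {}, {"status": "ok", **record}


def verify(token, envelope_id=None):
    """Hardened handler for GET /verify/<token>?envelope_id=<id>.

    Returns (status, headers, body). The link alone yields nothing; the
    caller must supply the Envelope ID printed on their own copy."""
    headers = dict(ROBOTS_HEADERS)
    record = ENVELOPES.get(token)
    supplied = (envelope_id or "").strip().upper()
    expected = record["envelope_id"].upper() if record else ""
    # Always run the constant-time comparison, even for an unknown token, so
    # response timing does not reveal whether the token exists.
    matched = hmac.compare_digest(expected.encode(), supplied.encode())
    if record is None or not ENVELOPE_ID_RE.match(supplied) or not matched:
        # One indistinguishable answer for "no such token", "no ID given" and
        # "wrong ID": a guesser learns nothing, and a legitimate party is
        # asked for the number on their document.
        return HTTPStatus.FORBIDDEN, headers, {"status": "envelope_id_required"}
    # The Envelope ID is not echoed back: the caller already has it, and
    # responses get copied into support tickets and logs.
    body = {
        "status": "ok",
        "document": record["document"],
        "signers": record["signers"],
        "completed": record["completed"],
    }
    return HTTPStatus.OK, headers, body


if __name__ == "__main__":
    print(verify("3f1c2a7b"))
    print(verify("3f1c2a7b", "8a6e9b2c-1d34-4f5a-9b7c-0e2d3f4a5b6c"))
```

The two controls cover different paths onto the page. The `X-Robots-Tag` header (or a `<meta name="robots" content="noindex">` tag on an HTML page) handles the crawler that followed a link out of a public PDF, which is the case the article reports; it does nothing for a human who clicks the same link. The Envelope ID check handles that human, but since the ID is printed on the signed pages, it only defeats someone who has the link and not the document. Neither control reaches the copy of the PDF that a customer posted elsewhere; that copy is outside the service’s control, which is why the article’s advice about where personal copies are stored still matters.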

The American Genius is news, insights, tools, and inspiration for business owners and professionals. AG condenses information on technology, business, social media, startups, economics and more, so you don’t have to.

13 Comments

  1. Jon S

    June 8, 2012 at 9:36 pm

    asdf

  2. Ex customer

    June 8, 2012 at 9:43 pm

    This is not true. These links were hosted on DocuSign’s domain and publicly accessible as well as being indexable by search engines. There is no “downloading” involved, just posting links online.
    To think their “chief security officer” doesn’t understand this and doesn’t understand how to use ‘noindex’ meta tags is frightening.

    • franklyrealty

      June 9, 2012 at 4:14 pm

       @Ex customer You are right, in part. 
       
      YES! The “noindex” was a flat-out mistake. That and robots.txt should have instructed Google to stay away from these files and areas.
       
      What happened was (and I didn’t get it after a few reads) that the BROKER or party to the contract uploaded the PDF to ANOTHER site, like Google Docs or their own website. (Yep, they did; bear with me.) And then within that PDF there was a link BACK to docusign.net… that had the confirmation details of that file.
       
      Who is at “fault”?
      1) The party that uploaded the file to a PUBLIC website.
      2) Docusign for not predicting how a user might incorrectly use the service (albeit a hard thing to do)
      3) Docusign for not adding a NoIndex to their files. Now keep in mind #3 only kicks in because of #2, because they never would have thought users would share private documents publicly. So you decide whether they should have foreseen that.

      • FirenzeForever

        June 11, 2012 at 8:14 am

        @franklyrealty @Ex customer

        When I do a search in google for “Docusign envelope ID” I see many contracts out there…fully readable. Why are these contracts showing up?

        • franklyrealty

          June 11, 2012 at 9:03 pm

          @FirenzeForever @franklyrealty @Ex Great question. Many of these are disclaimer or disclosure statements. In VA you are required as a seller, or listing agent, to supply the statement before an offer is submitted. So many will post that online for easier access. Nothing is wrong with this. The screw-up was when Docusign put a LINK inside these PDFs that linked to the docusign.net proof-of-signature page. And they didn’t add “nofollow” code to that link to stop Google from checking it out. AND they didn’t add “noindex” to the page sitting on docusign.net to again block out the engines.
           
          However there are some documents that were uploaded by one of the signers, that should not be online. Docusign can’t do much about that except educate their customers. Also they might be able to put noindex on the pdf document itself, but not sure.

        • FirenzeForever

          June 11, 2012 at 9:09 pm

          @franklyrealty @FirenzeForever @Ex

        • FirenzeForever

          June 11, 2012 at 9:13 pm

          So how does Docusign receive a SAS70 series 2 compliance rating and all these other SASE credentials? Where is the compliance or punishment for this? Meanwhile the NIST organization is turning a blind eye to cloud computing, and things like this happen. I wonder if FANNIE MAE will stop using Docusign…again.

        • BenspBenfb

          August 30, 2012 at 7:03 pm

          @FirenzeForever @franklyrealty @Ex This is really odd considering some also include handwritten signatures that can now easily be copied and pasted for simple “looks good to me” forgeries. Phishing scams work by looking real, which is why few smart e-signature companies use images of actual handwritten signatures that are easily reused malevolently.

  3. franklyrealty

    June 9, 2012 at 11:24 pm

    One slight correction is necessary. It may seem petty, but the missing word changes all the meaning.

    The author of the post wrote:
    ” Search engines cannot and do not index documents saved on the secure DocuSign Global Network. Search engines do index hyperlinks from publicly accessible websites.”

    It should say (the change is in the caps):
    ” Search engines cannot and do not index documents saved on the secure DocuSign Global Network, UNLESS THERE ARE hyperlinks from publicly accessible websites.”

    Why does this matter? A simple “no index” forethought would have allowed the removal of the “unless” statement, and thus make the document MORE secure (ie, less accessible to the public). If they used the simple 1 line of basic code (which they use now) then the search engines would NOT have been able to index the pages, even if linked to from a public location.

    But I doubt most Realtors will care to understand the distinction. One shifts or obfuscates blame; the other is more accurate.

  4. franklyrealty

    June 9, 2012 at 11:39 pm

    Just saw this on the Docusign blog (Since they don’t allow comments, I am putting it here).

    “Contrary to an article earlier today, there have not been any breaches in security of the DocuSign Global Network.”

    How does allowing a search engine to follow links into their “secure” global network and indexing that data for public use, not a breach?

    It has been fixed since then, but they have to admit fault instead of putting out misleading press releases, and blog posts.

  5. Ronie Walter @ IT Staffing Agencies

    July 29, 2012 at 8:35 am

    Court-accepted electronic signing of important documents. Handles multiple and sequential recipients. Tagging system shows recipients where to sign. Can send reminders. Documents can be set to expire after a time. Full history and audit trail certificate available.

  6. Pingback: Despite DocuSign promises, they couldn't avoid the inevitable - The American Genius

Copyright © 2005-2022, The American Genius, LLC.