Overnight, DocuSign helps customers ensure document security

DocuSign is taking actions from education to additional security measures to ensure privacy of documents and user info, even when shared outside of the DocuSign Network.

What was viewable online yesterday is not today

Yesterday, AG uncovered that some names, emails, locations, and document names of customers were publicly visible online, discovered through a simple Google search.

Realtor Frank Llosa tells the story of how this information was visible to everyone, noting that he was emailing with a user of his website who said they had a house to list and sell. As part of his “who is this person” background, he did a Google search on the prospect’s email and found that they had signed a listing agreement with a broker a couple of days prior.

Overnight, DocuSign took action

“Rest assured that DocuSign follows national and international security standards, including strict security policies and practices that set the standard for world-class information security,” said Chief Security Officer Joan Ross in a statement last night.

The company tells AGBeat that “While DocuSign always encourages customers to save their DocuSigned documents on the secure DocuSign Global Network, it’s come to our attention that a small number of customers have saved personal copies of their documents on publicly accessible websites that are being indexed by search engines.”

DocuSign says they are taking the following actions to help their customers:

  • “DocuSign is contacting the few customers we’ve found who have personal copies of DocuSigned documents on publicly accessible websites to either confirm that is their intent (which in some cases it is), or if not to suggest ways to secure them.
  • To make information on signature validation even less accessible, DocuSign has added a second step that requires any party searching for information on a DocuSigned document to provide additional transaction details.
  • To make personal copies of documents that DocuSign customers have saved on the public Internet less discoverable, DocuSign is working with search engines to block indexing of links to DocuSign within public documents.
  • DocuSign will also proactively provide on-going education to customers and the market around best practices for securing personal copies of documents and data. Content will be made available through the DocuSign Trust Site and the DocuSign blog at https://www.docusign.com/blog/.”

All URLs that AGBeat was able to click and view yesterday now require a user to know the Envelope ID. In other words, the links are no longer indexed and sit behind a wall closed to everyone except those with the specific identification number given to the document.

Although AG uncovered additional documents and email addresses visible to the public, out of concern for DocuSign user privacy we are not publishing any of that information. Instead, out of a shared concern, we have turned it over to DocuSign to make the necessary changes, and the additional layer of requiring the Envelope ID number before viewing any details appears to have resolved the issue.

The company tells AGBeat that “A benefit of DocuSign that customers value is that signatures on documents are verifiable through a hyperlink to a customer-created DocuSign ID card. This helps parties to a transaction validate who has actually signed a document and displays a legally binding audit trail. Search engines cannot and do not index documents saved on the secure DocuSign Global Network. Search engines do index hyperlinks from publicly accessible websites. Leaving personal copies of documents on public sites where they can be indexed rather than within the secure DocuSign Global Network is like leaving copies of documents from a locked filing cabinet out on a public table for others to see.”

DocuSign recommends that customers store documents in the secure DocuSign Global Network and limit saving personal copies only to secure locations that meet the security requirements of all signing parties. AG would add that some third-party locations may seem secure, particularly document hosting and sharing sites, but it doesn’t take much for those hyperlinks to be shared and indexed by any search engine.

13 Comments

  1. Jon S

    June 8, 2012 at 9:36 pm

    asdf

  2. Ex customer

    June 8, 2012 at 9:43 pm

    This is not true. These links were hosted on DocuSign’s domain and publicly accessible as well as being indexable by search engines. There is no “downloading” involved, just posting links online.
    To think their “chief security officer” doesn’t understand this and doesn’t understand how to use ‘noindex’ meta tags is frightening.

    • franklyrealty

      June 9, 2012 at 4:14 pm

      @Ex customer You are right, in part.

      YES! The “noindex” was a flat out mistake. That and Robots.txt should have instructed Google to stay away from these files and areas.

      What happened was (and I didn’t get it after a few reads) that the BROKER or party to the contract uploaded the PDF to ANOTHER site. Like Google Docs, or their own website. (Yep they did, bear with me). And then within that PDF there was a link BACK to docusign.net…. that had the confirmation details of that file.

      Who is at “fault”?
      1) The party that uploaded the file to a PUBLIC website.
      2) Docusign for not predicting how a user might incorrectly use the service (albeit a hard thing to do)
      3) Docusign for not adding a NoIndex to their files. Now keep in mind #3 only kicks in because of #2, because they never would have thought users would share private documents publicly. So you decide whether they should have foreseen that.

      • FirenzeForever

        June 11, 2012 at 8:14 am

        @franklyrealty @Ex customer

        When I do a search in google for “Docusign envelope ID” I see many contracts out there…fully readable. Why are these contracts showing up?

        • franklyrealty

          June 11, 2012 at 9:03 pm

          @FirenzeForever @franklyrealty @Ex Great question. Many of these are disclaimer or disclosure statements. In Va you are required as a seller, or listing agent, to supply the statement before an offer is submitted. So many will post that online for easier access. Nothing is wrong with this. The screw up was when Docusign put a LINK inside these PDFs that linked to docusign.net proof of signature page. And they didn’t add “nofollow” code to that link to stop Google from checking it out. AND they didn’t add “no index” to the page sitting on docusign.net to again block out the engines.

          However there are some documents that were uploaded by one of the signers, that should not be online. Docusign can’t do much about that except educate their customers. Also they might be able to put noindex on the pdf document itself, but not sure.

        • FirenzeForever

          June 11, 2012 at 9:09 pm

          @franklyrealty @FirenzeForever @Ex

        • FirenzeForever

          June 11, 2012 at 9:13 pm

          So how does Docusign receive a SAS70 series 2 compliance rating and all these other SASE credentials. Where is the compliance or punishment for this? Meanwhile NIST organization is turning a blind eye to cloud computing and things like this happen. I wonder if FANNIE MAE will stop using Docusign…again.

        • BenspBenfb

          August 30, 2012 at 7:03 pm

          @FirenzeForever @franklyrealty @Ex This is really odd considering some also include handwritten signatures that can now easily be copied and pasted for simple “looks good to me” forgeries — phishing scams work by looking real, which is why few smart e-signature companies use images of actual handwritten signatures that are easily reused malevolently.

  3. franklyrealty

    June 9, 2012 at 11:24 pm

    One slight correction is necessary. May seem petty, but the missing word changes all the meaning.

    The author of the post wrote:
    “Search engines cannot and do not index documents saved on the secure DocuSign Global Network. Search engines do index hyperlinks from publicly accessible websites.”

    It should say (the change is in the caps):
    “Search engines cannot and do not index documents saved on the secure DocuSign Global Network, UNLESS THERE ARE hyperlinks from publicly accessible websites.”

    Why does this matter? A simple “no index” forethought would have allowed the removal of the “unless” statement, and thus make the document MORE secure (i.e., less accessible to the public). If they used the simple 1 line of basic code (which they use now) then the search engines would NOT have been able to index the pages, even if linked to from a public location.

    But I doubt most Realtors will care to understand the distinction. One shifts or obfuscates blame, one is more accurate.

  4. franklyrealty

    June 9, 2012 at 11:39 pm

    Just saw this on the Docusign blog (Since they don’t allow comments, I am putting it here).

    “Contrary to an article earlier today, there have not been any breaches in security of the DocuSign Global Network.”

    How does allowing a search engine to follow links into their “secure” global network and indexing that data for public use, not a breach?

    It has been fixed since then, but they have to admit fault instead of putting out misleading press releases, and blog posts.

  5. Ronie Walter @ IT Staffing Agencies

    July 29, 2012 at 8:35 am

    Court-accepted electronic signing of important documents. Handles multiple and sequential recipients. Tagging system shows recipients where to sign. Can send reminders. Documents can be set to expire after a time. Full history and audit trail certificate available.

  6. Pingback: Despite DocuSign promises, they couldn't avoid the inevitable - The American Genius
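
An added example, not part of the original article or its comments and not DocuSign's code: a Python audit of whether a page reachable from a public link carries the noindex directive discussed in the comments above, and how a robots.txt Disallow rule interacts with it. The URL, the sample responses and the result labels are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser


def _directives(value):
    """Split a robots directive list; ignore values scoped to a single bot."""
    head, sep, _ = value.partition(":")
    if sep and "," not in head and head.strip().lower() != "unavailable_after":
        return set()  # e.g. "googlebot: noindex" is not a rule for every crawler
    return {d.strip().lower() for d in value.split(",") if d.strip()}


class _RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.found = set()

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").strip().lower() == "robots":
            self.found |= _directives(a.get("content", ""))


def audit(url, headers, body, robots_txt):
    """Classify how a search engine may treat a page linked from a public site."""
    found = set()
    for name, value in headers:
        if name.lower() == "x-robots-tag":
            found |= _directives(value)
    meta = _RobotsMeta()
    meta.feed(body)
    found |= meta.found
    noindex = bool(found & {"noindex", "none"})  # "none" means noindex, nofollow

    rules = RobotFileParser()
    rules.parse(robots_txt.splitlines())
    crawlable = rules.can_fetch("*", url)

    if noindex and crawlable:
        return "excluded"             # crawler fetches the page and honours noindex
    if noindex:
        return "noindex-unreachable"  # robots.txt keeps the crawler from seeing noindex
    if not crawlable:
        return "url-only"             # not fetched, but the linked URL can still be listed
    return "indexable"                # no directive anywhere: page content can be indexed


# Constructed sample data for a hypothetical signature-verification page.
URL = "https://signing.example.test/verify/ENVELOPE-ID-PLACEHOLDER"
PLAIN = "<html><head><title>Signature details</title></head><body>...</body></html>"
TAGGED = PLAIN.replace("<head>", '<head><meta name="robots" content="noindex, nofollow">')
DISALLOW = "User-agent: *\nDisallow: /verify/\n"

if __name__ == "__main__":
    for hdrs, page, robots in ([], PLAIN, ""), ([], TAGGED, ""), ([], TAGGED, DISALLOW):
        print(audit(URL, hdrs, page, robots))
```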


3 awesome ways bug sized robots are changing the world

(TECH NEWS) Robots are at the forefront of tech advancements. But why should we care? Here are some noticeable ways robots are changing the world.


When we envision the robots that will (and already are) transforming our world, we’re most likely thinking of something human- or dog-sized. So why are scientists hyper-focusing on developing bug-sized (or even smaller!) robots?

Medical advances

Tiny robots could assist in better drug delivery, as well as conduct minor internal surgeries that wouldn’t otherwise require incisions.

Rescue operations

We’ve all heard about the robot dogs that can rescue people who’ve been buried beneath rubble or sheets of snow. However, in some circumstances these machines are too bulky to do the job safely. Bug-sized robots are a less invasive savior in high-intensity environments, such as mine fields, that larger robots would not be able to navigate without causing disruption.

Exploration

Much like the insects after which these robots were designed, they can be programmed to work together (think: ants building a bridge using their own bodies). This could be key in exploring surfaces like Mars, which are not safe for humans to explore freely. Additionally, tiny robots that can be set to construct and then deconstruct themselves could help astronauts in landings and other endeavors in space.

Why insects?

Well, perhaps the most important reason is that insects have “nature’s optimized design”. They can jump vast distances (fleas), hold items ten times the weight of their own bodies (ants) and perform tasks with the highest efficiency (bees) – all qualities that, if utilized correctly, would be extremely beneficial to humans. Furthermore, a bug-sized bot is economical. If one short-circuits or gets lost, it won’t totally break the bank.

What’s next?

Something scientists have yet to replicate in robotics is the material elements that make insects so unique and powerful, such as tiny claws or sticky pads. What if a robot could produce excrement that could build something, the way bees do in their hives, or spiders do with their webs? While replicating these materials is often difficult and costly, it is undoubtedly the next frontier in bug-inspired robotics – and it will likely open doors for humans that we never imagined possible.

This is all to say that in the pursuit of creating strong, powerful robots, they need not always be big in stature – sometimes, the tiniest robots are just the best for the task.


Extend your smart home to the mailbox with the Ring Mailbox Sensor

(TECH NEWS) With the rise of the smart home and mail theft, Amazon’s new Ring product is the perfect addition to protect your letters and packages.


Smart home enthusiasts worried about the increasing problem of mail theft are getting a new piece of security technology: The new Ring Mailbox Sensor.

Pop the wireless, battery-powered motion sensor in your mailbox, and it will alert you when someone opens the lid or door. You can get a notification in the Ring app on your smartphone and, because Ring is an Amazon company, through any Alexa-enabled device. (So your Ecobee thermostat can tell you you’ve got mail. Cool.)

The sensor’s biggest benefit: You can immediately collect your mail when you get an alert that it’s been delivered. If you’re home.

There’s no camera with live view or speaker for yelling at the thief to drop your stuff, although you can do that with any microphone-enabled cameras near your mailbox.

But if you’ve ringed your home with Ring products, you can set the sensor to turn on Smart Lights or to make the video doorbell or security cameras start recording. If your mailbox is near your front door, however, that will probably already be happening after those devices detect motion. The sensor could be very useful for mailboxes at the end of a long driveway and out of sight of any cameras.

You can preorder the Mailbox Sensor ($29.99) at Ring.com and Amazon.com starting on Oct. 8. To connect the sensor with the doorbell, smart lights, and Alexa devices, you’ll need the Ring Bridge ($49.99).

You may want to keep an eye on Amazon’s new Sidewalk technology, however. Sidewalk is designed to extend the range of your Wi-Fi network. It siphons off a small part of your bandwidth, and that of your neighbors with Amazon-related devices, to create a crowd-sourced neighborhood network.

Amazon has released a list of devices – mostly Echoes and cameras – that will act as bridges themselves, and it’s not yet clear how the Mailbox Sensor will interact with all of that in the future. By the way, if privacy concerns were the first thing that popped into your head when you read that, check out Amazon’s Sidewalk white paper on privacy.

FYI: If your mail is stolen, you should report it to the USPS, using their online form. You could report it to the police via 311, but know that it’s unlikely officers will pursue the crime.

The best defense against thieves is still a locked mailbox. It’s not fool-proof, of course, but it can make thieves take longer to get at your mail. But if they take the sensor with your mail, or even your whole mailbox, Ring will replace the Mailbox Sensor for free.

You can find out more about the Mailbox Sensor in Ring’s support FAQ.


Degree holders are shifting tech hubs and affordability

(TECH NEWS) Tech hubs are shifting as degree holders move, but it’s causing some other issues and raising some interesting questions about the future of jobs.


Bloomberg recently announced their annual “Brain” Indexes. The indexes are an annual reckoning of STEM (Science, Technology, Engineering and Mathematics) jobs and degree holders. The “Brain Concentration Index” approximates the number of people working full time in computer, engineering, and science jobs (including math and architecture.) It measures the median earnings for people in those jobs. It also counts how many people have a bachelor’s degree in a STEM field, or an advanced degree of any kind. It blends those things together to determine how “brainy” a city is.

Since they started in 2016, Boulder, CO has been at the top of the list. This year it’s followed by San Jose, CA, which many people might expect to be at the top. Many of the more surprising cities, like Ann Arbor, MI, Ithaca, NY, and even Lawrence, KS, are bolstered by the presence of a strong university.

It’s an interesting methodology. It’s worth noting that anyone with an advanced degree, whether it’s an MBA, a law degree, or a Ph.D. in literature, contributes to which city is a “tech hub.” It’s also worth noting how expensive many of these places are to live.

If you follow this kind of national data collection at all, you may also know that Boulder is one of the least-affordable cities in the country. So is the San Jose/Sunnyvale/Santa Clara metro area, with a median home price of 1.25 million dollars and a median household income of $117,474. (That means that the average mortgage is more than half of the average paycheck.) However many people tech hubs like San Jose and San Francisco attract, they’re also hemorrhaging talent. Every day, 8 Californians move to Austin. Of the people who stay, more than half are thinking of moving.

They aren’t doing that for fun. As much flak as Californians get for gentrifying places like Austin, they’re being megagentrified out of their own homes. As salaries rise and CEO gigs attract the wealthy (and turn them into the Uberwealthy), the people who wait on tables or teach their children can’t afford to stay there anymore.

Speaking of people leaving, Bloomberg also measured what they call “brain drain,” the flow of advanced degree holders out of cities. They pair that with a decline in white-collar jobs and a decline in STEM pay to come up with their annual list. It includes places like Lebanon, PA and Kahului, HI.

All in all, it’s interesting information. But there are other factors at work that it can’t speak to. What does wage stagnation in the U.S. mean for the flow of education workers? If San Jose and San Francisco can be tech hubs based on the number of people with degrees, but people are still fleeing, what does that say about rankings like these? What human stories get lost in the shuffle? And is “tech hub” even something a city wants to be if that means running out of teachers (or making them sleep in garages)? Where does the next generation of tech hub workers come from?

Knowing the people behind the numbers makes it clear just what a mixed bag this is. Maybe we need more tech hubs like Lawrence, Kansas. Or maybe we need rent control. Or maybe we need to embrace remote work. Maybe there are no answers. As interesting as data like this is, there’s something sort of wistful about it, too.
