Connect with us

Tech News

Overnight, DocuSign helps customers ensure document security

DocuSign is taking actions from education to additional security measures to ensure privacy of documents and user info, even when shared outside of the DocuSign Network.

Published

on

What was viewable online yesterday is not today

Yesterday, AG uncovered that some names, emails, locations, and document names of customers were publicly visible online, discovered through a simple Google search.

Realtor Frank Llosa tells the story of how this information was visible to everyone, noting that he was emailing with a user of his website who said they had a house to list and sell. As part of his “who is this person” background, he did a Google search on the prospect’s email and found that they had signed a listing agreement with a broker a couple of days prior.

Overnight, DocuSign took action

“Rest assured that DocuSign follows national and international security standards, including strict security policies and practices that set the standard for world-class information security,” said Chief Security Officer, Joan Ross in a statement last night.

The company tells AGBeat that “While DocuSign always encourages customers to save their DocuSigned documents on the secure DocuSign Global Network, it’s come to our attention that a small number of customers have saved personal copies of their documents on publicly accessible websites that are being indexed by search engines.”

DocuSign says they are taking the following actions to help their customers:

  • “DocuSign is contacting the few customers we’ve found who have personal copies of DocuSigned documents on publicly accessible websites to either confirm that is their intent (which in some cases it is), or if not to suggest ways to secure them.
  • To make information on signature validation even less accessible, DocuSign has added a second step that requires any party searching for information on a DocuSigned document to provide additional transaction details.
  • To make personal copies of documents that DocuSign customers have saved on the public Internet less discoverable, DocuSign is working with search engines to block indexing of links to DocuSign within public documents.
  • DocuSign will also proactively provide on-going education to customers and the market around best practices for securing personal copies of documents and data. Content will be made available through the DocuSign Trust Site and the DocuSign blog at https://www.docusign.com/blog/.”

All URLs that AGBeat was able to click and view yesterday now require a user to know the Envelope ID, in other words, the link is no longer indexed, and put behind a wall to everyone except those with the specific identification number given to the document.

Although AG uncovered additional documents and email addresses visible to the public, out of concern for DocuSign user privacy, we are not publishing any of that information, rather have turned it over to DocuSign to make necessary changes out of a shared concern, which the additional layer of requiring the Envelope ID number before viewing any details appears to have resolved.

The company tells AGBeat that “A benefit of DocuSign that customers value is that signatures on documents are verifiable through a hyperlink to a customer-created DocuSign ID card. This helps parties to a transaction validate who has actually signed a document and displays a legally binding audit trail. Search engines cannot and do not index documents saved on the secure DocuSign Global Network. Search engines do index hyperlinks from publicly accessible websites. Leaving personal copies of documents on public sites where they can be indexed rather than within the secure DocuSign Global Network is like leaving copies of documents from a locked filing cabinet out on a public table for others to see.”

DocuSign recommends that customers store documents in the secure DocuSign Global Network and limit saving personal copies only to secure locations that meet the security requirements of all signing parties. AG would add that some third party locations may seem secure, particularly document hosting and sharing sites, but it doesn’t take much for those hyperlinks to be shared and indexed by any search engine.

The American Genius is news, insights, tools, and inspiration for business owners and professionals. AG condenses information on technology, business, social media, startups, economics and more, so you don’t have to.

Continue Reading
Advertisement
13 Comments

13 Comments

  1. Jon S

    June 8, 2012 at 9:36 pm

    asdf

  2. Ex customer

    June 8, 2012 at 9:43 pm

    This is not true. These links were hosted on DocuSign’s domain and publicly accessible as well as being indexable by search engines. There is no “downloading” involved, just posting links online.
    To think their “chief security officer” doesn’t understand this and doesn’t understand how to use ‘noindex’ meta tags is frightening.

    • franklyrealty

      June 9, 2012 at 4:14 pm

       @Ex customer You are right, in part. 
       
      YES! The “noindex” was a flat out mistake. That and Robots.txt should have instructed Google to stay away from these files and areas.
       
      What happened was (and I didn’t get it after a few reads). Is the BROKER or party to the contract uploaded the PDF to ANOTHER site. Like Google Docs, or their own website. (Yep they did, bare with me). And then within that PDF there was a link BACK to docusign.net…. that had the confirmation details of that file. 
       
      Who is at “fault”?
      1) The party that uploaded the file to a PUBLIC website.
      2) Docusign for now predicting how a user might incorrectly use the service (albeit a hard thing to do)
      3) Docusign for not adding a NoIndex to their files. Now keep in mind #3 only kicks in because of #2, because they never would have thought users would share private documents publicly. So you decide whether they should have foreseen that.

      • FirenzeForever

        June 11, 2012 at 8:14 am

        @franklyrealty @Ex customer

        When I do a search in google for “Docusign envelope ID” I see many contracts out there…fully readable. Why are these contracts showing up?

        • franklyrealty

          June 11, 2012 at 9:03 pm

           @FirenzeForever  @franklyrealty  @Ex Great question. Many of these are disclaimer or disclosure statements. In Va you are required as a seller, or listing agent, to supply the statement before an offer is submitted. So many will post that online for easier access. Nothing is wrong with this. The screw up was when Docusign put a LINK inside these PDFs that linked to docusign.net proof of signature page. And they didn’t add “nofollow” code to that link to stop Google from checking it out. AND they didn’t add “no index” to the page sitting on docusign.net to again block out the engines.
           
          However there are some documents that were uploaded by one of the signers, that should not be online. Docusign can’t do much about that except educate their customers. Also they might be able to put noindex on the pdf document itself, but not sure.

        • FirenzeForever

          June 11, 2012 at 9:09 pm

          @franklyrealty @FirenzeForever @Ex

        • FirenzeForever

          June 11, 2012 at 9:13 pm

          So how does Docusign receive a SAS70 series 2 compliance rating and all these other SASE credentials. Where is the compliance or punishment for this? Meanwhile NIST organization is turning a blind eye to cloud computing and things like this happen. I wonder if FANNIE MAE will stop using Docusign…again.

        • BenspBenfb

          August 30, 2012 at 7:03 pm

           @FirenzeForever  @franklyrealty  @Ex This is really odd considering some also include handwritten signatures that can now easily be copied and pasted for simple “looks good to me” forgeries — phishing scams work by looking real, which is why few smart e-signature companies use images of actual handwritten signatures that are easily reused malevolently.

        • BenspBenfb

          August 30, 2012 at 7:03 pm

           @FirenzeForever  @franklyrealty  @Ex This is really odd considering some also include handwritten signatures that can now easily be copied and pasted for simple “looks good to me” forgeries — phishing scams work by looking real, which is why few smart e-signature companies use images of actual handwritten signatures that are easily reused malevolently.

  3. franklyrealty

    June 9, 2012 at 11:24 pm

    One slight correction is necessary. May seem petty, but the missing word changes all the meaning.

    The author of the post wrote:
    ” Search engines cannot and do not index documents saved on the secure DocuSign Global Network. Search engines do index hyperlinks from publicly accessible websites.”

    It should say (the change is in the caps):
    ” Search engines cannot and do not index documents saved on the secure DocuSign Global Network, UNLESS THERE ARE hyperlinks from publicly accessible websites.”

    Why does this matter? A simple “no index” forethought would have allowed the removal of the “unless” statement, and thus make the document MORE secure (ie, less accessible to the public). If they used the simple 1 line of basic code (which they use now) then the search engines would NOT have been able to index the pages, even if linked to from a public location.

    But I doubt most Realtors will care to understand the distinction. One shifts or obfuscates blame, one is more accurate.

  4. franklyrealty

    June 9, 2012 at 11:39 pm

    Just saw this on the Docusign blog (Since they don’t allow comments, I am putting it here).

    “Contrary to an article earlier today, there have not been any breaches in security of the DocuSign Global Network.”

    How does allowing a search engine to follow links into their “secure” global network and indexing that data for public use, not a breach?

    It has been fixed since then, but they have to admit fault instead of putting out misleading press releases, and blog posts.

  5. Ronie Walter @ IT Staffing Agencies

    July 29, 2012 at 8:35 am

    Court-accepted electronic signing of important documents. Handles multiple and sequential recipients. Tagging system shows recipients where to sign. Can send reminders. Documents can be set to expire after a time. Full history and audit trail certificate available.

  6. Pingback: Despite DocuSign promises, they couldn't avoid the inevitable - The American Genius

Leave a Reply

Your email address will not be published. Required fields are marked *

Tech News

Chrome can now group and color code your open tabs

(TECH NEWS) Do you have too many tabs, and can’t tell what’s what? Google has tab groups that make it easier to find what you’re looking for.

Published

on

google tabs group

Are you a tab collector? That’s Google’s name for people who have tabs upon tabs upon tabs open on their Google Chrome browser. And while third party apps are already available to help collectors manage tabs, Google is now stepping in with Tab Groups.

Tab Groups, try it here, allows users to color-code, group and add text or emoji labels to separate clusters of tabs in their browser.

Right-click on any tab and choose Add to New Group. A gray dot will appear to the left of the tab and outline it in the same color. Clicking on the dot lets users update the color, label and name the group. Once grouped together, the tab groups can be moved and reordered. They’re also saved when Chrome is closed and reopened.

Google said after testing Tab Groups for months, they noticed people usually arranged their tabs by topic and that appeared most common when people shopped or were working on a project.
“Others have been grouping their tabs by how urgent they are, “ASAP,” “this week” and “later.” Similarly, tab groups can help keep track of your progress on certain tasks: “haven’t started,” “in progress,” “need to follow up” and “completed.”

Of course, this new feature does nothing to dissuade users from opening too many tabs, despite research that says multitasking may change the structure of your brain and Chrome is notorious for using too much RAM. So now you can’t concentrate, and your computer is running hot and slowing down.

A solution? Use Chrome extensions such as The Great Suspender, which suspends tabs that have been inactive for a specific amount of time. Don’t worry, you can whitelist specific websites so if you always need a tab for Twitter open, it won’t be suspended.

Another tip is to focus on one task at a time using the Pomodoro Technique, breaking tasks and your workday into 25-minute bursts of productivity with five-minute breaks in between. FocusMe uses a timer and website blocker to reduce the risk of getting distracted. You’re on the internet, after all.

Continue Reading

Tech News

Quarantine bod got you down? AI trainer Artifit lifts you up

(TECH NEWS) If staying home has caused some unfortunate weight gain, Artifit can help you keep your home body fit during and way after quarantine is over.

Published

on

Artifit website

Mandatory lockdown’s have changed people’s routine’s in every conceivable way. From the way we work and cook to how we exercise. Home workout routines have been a hot topic in the last couple of months. People are trying to find a way to retain some sense of normalcy and maintain their healthy lifestyles We’ve all heard jokes about the so called “Quarantine 15” online and maybe you’ve even made a disparaging comment or two about your weight since gyms closed.

To be clear, there is nothing wrong with a little weight gain the face of a global pandemic. The world is changing, your life is changing, and times are scary. Be gentle with yourself and those around you.

If you are looking for a way to get regular workouts back into your life and YouTube videos just aren’t cutting it, there is a high-tech solution. Artifit is an AI personal trainer designed to make your solo workouts safer and more effective. The app acts as your personal trainer by creating your workout plans, tracking progress, and providing posture corrections.

The app uses your phone’s camera to track your reps and spot errors in form while providing real time audio feedback. According to the app creators, [Artifit] recognizes 20 major joints movements via mobile camera, and we are constantly working on adding new joints and improving the algorithm.”

Beyond the workouts, Artifit taps into your competitive side by providing you with a score at the end of each work out that you can then share with friends. The app measures and analyze your progress over time and uses this data to create a workout plan that is best suited for you.

There are a ton of reasons you might be looking for a tech-driven approach to your workout routine. Most of us already rely on technology to track out movement in one way or another – think about the Health app on your phone or your Fitbit. Working out from home isn’t for everyone, but some are thriving under a more flexible schedule and want to keep it that way.

If you are not sure when you’re going to feel comfortable going to the gym again or you no longer want to fuss over scheduling appointments with a personal trainer, this could be the app for you. Artifit can help you keep your homebody tendencies intact way after quarantine is over.

Continue Reading

Tech News

Google has another video conference tool, but are they too late?

(TECH NEWS) Google is making their Google Meet, available for anyone with a gmail account, leaving us to wonder if it’s a little too little, too late.

Published

on

Google meet

Google Is now making its business video meeting tool available for free to everyone with a Gmail account. Wait! What? We already have that, don’t we? We do, kind of. Google has long offered free Google Hangouts, a messaging function that includes chat and video chat features for groups of up to 25 people. Google Duo is a video meeting app that has been available for cell phones and tablets, previously available for up to 8 people, but now for up to 12 people.

Sooooo, why do we care about free Google Meet? Isn’t this taking us back to, say, 2009? The difference is that with Google Meet, you can include up to 100 participants. This service used to be available only to paid G-Suite customers. Video conferencing has never been more popular or necessary, with Zoom leading the pack. Google wants you to blow off the others and give Google Meet a shot.

Why should we care? If you are already using a video meeting tool that works for you, what’s the incentive to switch? If you’re using Skype, you can only have up to 50 participants, while you can have up to 100 participants on Google Meet. On Zoom, you can also include up to 100 people on a video meeting. With a free Zoom account, you can meet for up to 40 minutes, and Google Meet has expanded their free Meet calls to 60 minutes.

Zoom has had serious issues with security and privacy. While Zoom is scrambling to enhance the safety and privacy of users, including ways to prevent illegal Zoombombing. Yet, it will be harder to trust Zoom again, now that the damage has been done. Google Meet already has a robust security system, including end-to-end encryption of all video calls. All calls go through Gmail, which already lives behind a bunch of protections, which has to be a good thing.

Google Meet also offers easy live captioning through their own voice recognition service and other accessibility considerations such as screen readers and magnifiers. People who are already familiar with Google chat/meeting tools will likely try Google Meet right away to see how it compares to Zoom, Skype, and other video conferencing tools. Google is betting on it.

However, if you already have a tool you love, you might be like, “Meh.” If you are the type who loves researching all of the tools to find your perfect match, then this is likely exciting news for you. Options are always good, though. The strangest thing is that Google has had this capability all along. When schools started shuttering during the pandemic, Zoom immediately stepped up and offered educators its professional tools for free–a clutch move that garnered them loads of positive press and help propel them past competitors into the top spot.

Google Meet will have to prove to be at least as clear, fast, easy to use as Zoom. With Google’s collection of launched and abandoned video tools, though, we have to wonder if it will be. At least Meet is already starting out more secure, which is a superb start. With the launch of Zoom 5.0, though, will it be too little, too late for Google Meet to capture a good chunk of the video tool?

Continue Reading
Advertisement

Our Great Partners

The
American Genius
news neatly in your inbox

Subscribe to our mailing list for news sent straight to your email inbox.

Emerging Stories

Get The American Genius
neatly in your inbox

Subscribe to get business and tech updates, breaking stories, and more!