Overnight, DocuSign helps customers ensure document security

DocuSign is taking actions from education to additional security measures to ensure privacy of documents and user info, even when shared outside of the DocuSign Network.

What was viewable online yesterday is not today

Yesterday, AG uncovered that some names, emails, locations, and document names of customers were publicly visible online, discovered through a simple Google search.

Realtor Frank Llosa tells the story of how this information was visible to everyone, noting that he was emailing with a user of his website who said they had a house to list and sell. As part of his “who is this person” background, he did a Google search on the prospect’s email and found that they had signed a listing agreement with a broker a couple of days prior.

Overnight, DocuSign took action

“Rest assured that DocuSign follows national and international security standards, including strict security policies and practices that set the standard for world-class information security,” said Chief Security Officer Joan Ross in a statement last night.

The company tells AGBeat that “While DocuSign always encourages customers to save their DocuSigned documents on the secure DocuSign Global Network, it’s come to our attention that a small number of customers have saved personal copies of their documents on publicly accessible websites that are being indexed by search engines.”

DocuSign says they are taking the following actions to help their customers:

  • “DocuSign is contacting the few customers we’ve found who have personal copies of DocuSigned documents on publicly accessible websites to either confirm that is their intent (which in some cases it is), or if not to suggest ways to secure them.
  • To make information on signature validation even less accessible, DocuSign has added a second step that requires any party searching for information on a DocuSigned document to provide additional transaction details.
  • To make personal copies of documents that DocuSign customers have saved on the public Internet less discoverable, DocuSign is working with search engines to block indexing of links to DocuSign within public documents.
  • DocuSign will also proactively provide on-going education to customers and the market around best practices for securing personal copies of documents and data. Content will be made available through the DocuSign Trust Site and the DocuSign blog at https://www.docusign.com/blog/.”

All URLs that AGBeat was able to click and view yesterday now require a user to know the Envelope ID. In other words, the links are no longer indexed and sit behind a wall that admits only those with the specific identification number given to the document.

Although AG uncovered additional documents and email addresses visible to the public, we are not publishing any of that information out of concern for DocuSign user privacy. Instead, we have turned it over to DocuSign so the company can make the necessary changes. The additional layer of requiring the Envelope ID number before viewing any details appears to have resolved the issue.

The company tells AGBeat that “A benefit of DocuSign that customers value is that signatures on documents are verifiable through a hyperlink to a customer-created DocuSign ID card. This helps parties to a transaction validate who has actually signed a document and displays a legally binding audit trail. Search engines cannot and do not index documents saved on the secure DocuSign Global Network. Search engines do index hyperlinks from publicly accessible websites. Leaving personal copies of documents on public sites where they can be indexed rather than within the secure DocuSign Global Network is like leaving copies of documents from a locked filing cabinet out on a public table for others to see.”

DocuSign recommends that customers store documents in the secure DocuSign Global Network and limit saving personal copies only to secure locations that meet the security requirements of all signing parties. AG would add that some third-party locations may seem secure, particularly document hosting and sharing sites, but it doesn’t take much for those hyperlinks to be shared and indexed by any search engine.


13 Comments

  1. Jon S

    June 8, 2012 at 9:36 pm

    asdf

  2. Ex customer

    June 8, 2012 at 9:43 pm

    This is not true. These links were hosted on DocuSign’s domain and publicly accessible as well as being indexable by search engines. There is no “downloading” involved, just posting links online.
    To think their “chief security officer” doesn’t understand this and doesn’t understand how to use ‘noindex’ meta tags is frightening.

    • franklyrealty

      June 9, 2012 at 4:14 pm

      @Ex customer You are right, in part.

      YES! The “noindex” was a flat out mistake. That and Robots.txt should have instructed Google to stay away from these files and areas.

      What happened was (and I didn’t get it after a few reads) that the BROKER or party to the contract uploaded the PDF to ANOTHER site. Like Google Docs, or their own website. (Yep they did, bear with me). And then within that PDF there was a link BACK to docusign.net…. that had the confirmation details of that file.

      Who is at “fault”?
      1) The party that uploaded the file to a PUBLIC website.
      2) Docusign for not predicting how a user might incorrectly use the service (albeit a hard thing to do)
      3) Docusign for not adding a NoIndex to their files. Now keep in mind #3 only kicks in because of #2, because they never would have thought users would share private documents publicly. So you decide whether they should have foreseen that.

      • FirenzeForever

        June 11, 2012 at 8:14 am

        @franklyrealty @Ex customer

        When I do a search in google for “Docusign envelope ID” I see many contracts out there…fully readable. Why are these contracts showing up?

        • franklyrealty

          June 11, 2012 at 9:03 pm

          @FirenzeForever @franklyrealty @Ex Great question. Many of these are disclaimer or disclosure statements. In Va you are required as a seller, or listing agent, to supply the statement before an offer is submitted. So many will post that online for easier access. Nothing is wrong with this. The screw up was when Docusign put a LINK inside these PDFs that linked to docusign.net proof of signature page. And they didn’t add “nofollow” code to that link to stop Google from checking it out. AND they didn’t add “no index” to the page sitting on docusign.net to again block out the engines.

          However there are some documents that were uploaded by one of the signers, that should not be online. Docusign can’t do much about that except educate their customers. Also they might be able to put noindex on the pdf document itself, but not sure.

        • FirenzeForever

          June 11, 2012 at 9:09 pm

          @franklyrealty @FirenzeForever @Ex

        • FirenzeForever

          June 11, 2012 at 9:13 pm

          So how does Docusign receive a SAS70 series 2 compliance rating and all these other SASE credentials? Where is the compliance or punishment for this? Meanwhile NIST organization is turning a blind eye to cloud computing and things like this happen. I wonder if FANNIE MAE will stop using Docusign…again.

        • BenspBenfb

          August 30, 2012 at 7:03 pm

          @FirenzeForever @franklyrealty @Ex This is really odd considering some also include handwritten signatures that can now easily be copied and pasted for simple “looks good to me” forgeries — phishing scams work by looking real, which is why few smart e-signature companies use images of actual handwritten signatures that are easily reused malevolently.

  3. franklyrealty

    June 9, 2012 at 11:24 pm

    One slight correction is necessary. May seem petty, but the missing word changes all the meaning.

    The author of the post wrote:
    “Search engines cannot and do not index documents saved on the secure DocuSign Global Network. Search engines do index hyperlinks from publicly accessible websites.”

    It should say (the change is in the caps):
    “Search engines cannot and do not index documents saved on the secure DocuSign Global Network, UNLESS THERE ARE hyperlinks from publicly accessible websites.”

    Why does this matter? A simple “no index” forethought would have allowed the removal of the “unless” statement, and thus make the document MORE secure (ie, less accessible to the public). If they used the simple 1 line of basic code (which they use now) then the search engines would NOT have been able to index the pages, even if linked to from a public location.

    But I doubt most Realtors will care to understand the distinction. One shifts or obfuscates blame, one is more accurate.

  4. franklyrealty

    June 9, 2012 at 11:39 pm

    Just saw this on the Docusign blog (Since they don’t allow comments, I am putting it here).

    “Contrary to an article earlier today, there have not been any breaches in security of the DocuSign Global Network.”

    How does allowing a search engine to follow links into their “secure” global network and indexing that data for public use, not a breach?

    It has been fixed since then, but they have to admit fault instead of putting out misleading press releases, and blog posts.

  5. Ronie Walter @ IT Staffing Agencies

    July 29, 2012 at 8:35 am

    Court-accepted electronic signing of important documents. Handles multiple and sequential recipients. Tagging system shows recipients where to sign. Can send reminders. Documents can be set to expire after a time. Full history and audit trail certificate available.

  6. Pingback: Despite DocuSign promises, they couldn't avoid the inevitable - The American Genius
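
The comment thread above turns on three separate controls: robots.txt, `nofollow` on links, and a `noindex` directive on the page itself. The following check is an added example, not DocuSign's code or anything from the original page; the paths, sample responses and the `audit` helper are constructed for illustration. Given a response's headers and body plus the site's robots.txt, it reports whether a crawler that honours these conventions would actually see a `noindex` signal, including for a PDF, where only the `X-Robots-Tag` header can carry it.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser


class RobotsMeta(HTMLParser):
    """Collect directives from <meta name="robots" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        attr = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and attr.get("name", "").lower() in ("robots", "googlebot"):
            content = attr.get("content", "")
            self.directives |= {d.strip().lower() for d in content.split(",")}


def audit(path, headers, body, robots_txt, agent="Googlebot"):
    """Return 'noindex', 'noindex-unseen', 'crawl-blocked-only' or 'indexable'."""
    directives, content_type = set(), ""
    for name, value in headers:
        if name.lower() == "x-robots-tag":
            # Simplification: drop an optional "agent:" prefix, keep the directive.
            directives |= {t.split(":")[-1].strip().lower() for t in value.split(",")}
        elif name.lower() == "content-type":
            content_type = value.lower()
    if "html" in content_type:  # meta tags exist only in HTML; a PDF needs the header
        parser = RobotsMeta()
        parser.feed(body)
        directives |= parser.directives
    noindex = bool(directives & {"noindex", "none"})

    robots = RobotFileParser()
    robots.parse(robots_txt.splitlines())
    if robots.can_fetch(agent, path):
        return "noindex" if noindex else "indexable"
    # A crawler that obeys Disallow never fetches the page, so it never reads the
    # directive; the bare URL can still be listed when other sites link to it.
    return "noindex-unseen" if noindex else "crawl-blocked-only"


# Constructed sample responses; the paths are hypothetical, not real DocuSign URLs.
PAGE = '<html><head><meta name="robots" content="noindex, nofollow"></head></html>'
BLOCK = "User-agent: *\nDisallow: /verify/\n"
HTML, PDF = ("Content-Type", "text/html"), ("Content-Type", "application/pdf")

def run_samples():
    return {
        "meta tag, crawl allowed": audit("/verify/ID-PLACEHOLDER", [HTML], PAGE, ""),
        "meta tag, crawl blocked": audit("/verify/ID-PLACEHOLDER", [HTML], PAGE, BLOCK),
        "PDF with header": audit("/docs/a.pdf", [PDF, ("X-Robots-Tag", "noindex")], "", ""),
        "PDF without header": audit("/docs/a.pdf", [PDF], "", ""),
    }

if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label}: {verdict}")
```

A `noindex-unseen` verdict marks the combination to avoid: the directive only works if the crawler is allowed to fetch the page and read it.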
