Mumsnet Data Breach - Q&A

[JustineMumsnet]

As many of you already know, some screenshots of Mumsnet posts were recently uploaded to Twitter by a former Mumsnet intern – here’s a link to a previous thread discussing this in case you've not seen it.

Three of the screenshots showed an Admin’s view of the site and therefore contained the IP addresses of the posters concerned.

Understandably there have been loads of questions about the implications, about what data we hold and who has access to it so we've collated them here. Please do post any queries here or email [email protected] if you’ve any concerns or further questions.

Thanks and huge apologies if this has caused you any concern.

I think a number of people have noticed how strange some moderation decisions have been for a while recently.

I wonder if having temp interns, rather than longer-term staffers, has contributed to that?

How can they link your data if you delete your account and sign up again with a different email?

With ease, if they actually wanted to. It would be treading a very dangerous data protection and computer misuse line, but a website which wanted to track users across registrations would have many ways to do it. All can be defeated, but would work for I suspect 90% of people likely to be signing up for a forum.

Firstly, they can use cookies. When you log on to a website like mumsnet, authorisation is done using a cookie. A cookie is a small piece of data which is supplied to the website which gave it you every time you visit a page on that website.

So to login you supply your username and password to one page, and the site gives you back a cookie. It probably looks like dDaQU/lerSASBo/+TwYfuA==. Sometimes it encodes some information (ie, you can look "inside" it and it means something), more often it's just an encoded random number (as that is).

A database is then used to say "anyone who presents the cookie dDaQU/lerSASBo/+TwYfuA== when accessing this site, for the next 72 hours (or whatever) can be assumed to have logged in as user so-and-so".

So if you delete your account and then create a new one, the cookie from your last login session may well still be passed across. If the site is more nefarious, it could actually drop a long-lived cookie for the express purpose of doing this, but it's more likely to happen "by accident".

OK, you say: I'm across that. I'll delete my account, delete all the cookies from my browser (it isn't enough, for various reasons too tedious to go into, to just delete the cookies dropped by MN), and then create a new account. Result!

Now we're off into the world of "MN don't do this, I assume, but they could tinfoil hattery". Browser Fingerprinting is the technique of looking at the precise configuration of your browser: not only the version, and the version of the operating system you are using, but the fonts you have installed, the extensions you have installed, any number of other subtle "my browser is not quite like your browser" issues. Combined with, say, the IP number - it won't usually uniquely identify a user, but it's likely to remain constant over a "delete my account, create a new one" session, and even if it doesn't, the particular ISP you are using is likely to remain the same - and you have a good chance of identifying delete and re-sign pairs. Not always, but often. Or at least sometimes.

I would, for the record, be amazed were MN doing this deliberately. But I wouldn't be completely surprised if they were collecting in their logs and trace information sufficient that a bad actor with access to data collected for good purposes would be able to re-analyse that data to spot such pairs. A capable threat actor with administrative access to a system is not to be trifled with. Which is why controlling, and indeed filtering, logging is a serious issue in overall security.

I am so fucking sick of women being told that we are scaremongering, when we point to what could happen as a result of xyz.

The reason the Data Protection Act (and now the GDPR) even exist, is because of what could happen.

Are the people who draw up legislation scaremongers too, or is it only women who have perfectly reasonable concerns about violent men who hate them, having access to their data, who are scaremongers when they express concern?

Transactivists have a record as long as your arm, of abusing, harassing, intimidating and actually using violence against women who disagree with them (and in some cases, even against women who agree with them - check out the handmaiden at the Hyde Park fiasco who was treated very threateningly by Tara Whateverhisnameis, you know, the one who violently assaulted a disobedient woman.)

MRA's sent armed police around to Justine's house FFS.

TRA's are just another form of MRA's.

Women have every right to be at the very least extremely cautious and it is not unreasonable to be alarmed, that these violent men may have been passed personal details which identify them.

Stop telling us we're hysterical scaremongers who should just go and make a sandwich. That's how it's coming across, this minimisation and dismissal of concerns as though they are unreasonable. They are not. They really are not and it is unreasonable to pretend they are.

The tweets are still being shared on twitter, most notably by a group calling themselves ‘the Lib Dem party body for gender & sexual minorities’.

Is this an official party group?

If so will you be contacting the libdems? The screenshots are deliberately misleading (one a sarcastic post taken out of context, another a quickly reported and deleted thread).

Obviously the libdems have their own views and policies on trans issues and we can vote accordingly, but they seem to be spreading defamatory information about your moderation policies.

I cannot believe MN do not take this whole issue seriously (a bit cross, really?!)

I'm also now concerned to her that old email addresses are retained.

After reading yesterday's thread I changed my email to an anonymous one which I now find has compromised the anonymous one if it can easily be linked to my everyday one.

Please confirm today that the old email addresses have now been permanently deleted.

Thanks for answering the email question. I guess on that basis then it makes sense to assume that the deleted PMs are still there. Disgruntled staff don't need to worry about screenshotting my IP then, when all that "pretty data" is just sat there

Hi Justine

No questions. I just wanted to say "thank you" to you and MNHQ. This is obviously a difficult time for you and you are handling it with grace and courage.

it is incorrect to assume that you deleting information or changing information would cause the holder of the information to delete the previously recorded information

Why? The data protection act says that data shouldn’t be kept any longer than necessary.

Anything you post on any site ultimately can be accessed by sys admins.

This is simply untrue. There are many mechanisms/processes and tools to prevent sysadmins access actual data.

In terms of mods accessing PMs a very typical model would be segregation and hierarchy of user roles - nothing fancy, basic functionality.

Stop telling us we're hysterical scaremongers who should just go and make a sandwich

^This

I have a question not just for mnhq but anyone who knows about the gdpr. Once it comes into force, can you cherry pick information you want deleted, or is it an all or nothing thing?

So if, eg, I want my actual full name and postcode that I signed up with nearly ten years ago deleted (that I thought had already gone...), but not my entire posting history?

This is simply untrue. There are many mechanisms/processes and tools to prevent sysadmins access actual data.

And they should certainly deter people from sharing information ‘without thinking’.

Regardless of an article in The Guardian, I would like to think we can assume that the police and the IOC will deal appropriately with EH deleting any further data she may have stolen.

This is very scary. Someone mentioned on the other thread that HQ can read all your PMs, and can see all your name changes etc. That's fine, as long as it's restricted access. But if someone who is working as an intern for few months can access them as well , it really scares me. Seems like people started deleting past posts. But I've read on one of the thread(Feenie one) that HQ still can see the deleted posts. That makes me feel even more scared to post anything personal, especially if you can't really trust who are the people have all the access to our info.

But I've read on one of the thread(Feenie one) that HQ still can see the deleted posts.

I think that depends on why it was deleted- or certainly will under GDPR.

If it's deleted by them for breaching TGs then that's not the same as being withdrawn by you for privacy reasons - the former is effectively "hide" rather than "delete". Under GDPR as I understand it, if you request a delete of all your data including posts then they also have to delete the information from the back end including backups (so it can't accidentally be restored in the event of reverting to a backed up instance). I don't know what that will look like on MN because at present a deleted post isn't deleted, but just emptied: the poster/time/date line is still there. I suspect all that will happen is that the time/date trace will still be there but the username will be redacted (see e.g. Reddit for examples).

That would show a difference between e.g.

GoadyFucker 13/04/18 12:52
Deleted for breaching Talk Guidelines

13/04/18 12:59
Message withdrawn at poster's request

AskBasil, I agree absolutely with your post. This whole fiasco, but more importantly the way The way it's been minimised, has left me gobsmacked. I think this whole mess is going to escalate to serious violence at some point.

BUT:

Transactivists have a record as long as your arm, of abusing, harassing, intimidating and actually using violence against women who disagree with them (and in some cases, even against women who agree with them - check out the handmaiden at the Hyde Park fiasco who was treated very threateningly by Tara Whateverhisnameis, you know, the one who violently assaulted a disobedient woman.)

I'm pretty sure the TRA who menaced that woman was not Tara Wolf, but a different person. They were dressed very differently iirc. Which actually makes it fucking worse, that there were two violent TRAs present at Hyde Park and not just the one.

Along with some pp I too am concerned that my original (identifying) email address is still on 'file'.

I think a change should be initiated whereby the only email address stored is my current one.

What comes out of this is that firewalls and so on are all very well but employees are always an organisations' biggest risk. Very many data breaches are the result of either deliberate action by disgruntled employees or accidents by employees (e.g. leaving a password on a sticky post-it, failing to log off the system when away from a desk, leaving your laptop in the pub etc).

For a site like Mumsnet, which has thousands of posts every day, many of them relating to sensitive issues such as domestic violence, sexual assault or abortion, the safety of posters' data is absolutely paramount. Mumsnet's employee vetting procedures must be rigorous, their training must be thorough and their access to sensitive data strongly controlled.

What happened in this case was relatively minor in itself but it should be taking as a warning sign of what can happen when an employee goes rogue. I'd like some reassurance that Mumsnet is putting in place the appropriate procedures I've suggested above.

What happened in this case was relatively minor in itself but it should be taking as a warning sign

As anyone working in health and safety or quality or any other statistical process will tell you: it's the near misses that count. The untreated risk of a catastrophe is quite small, so a year in which a catastrophe doesn't happen doesn't tell you that your controls are working, it just tells you that a rare event didn't happen. It's the near misses, and the little incidents, that should have been stopped by your controls but weren't, but which didn't turn into catastrophes because luck, which tell you whether your controls are effective. You need to listen to the near misses.

Everyone working in engineering of any sort should read Feynman's appendix to the Challenger report every year.

science.ksc.nasa.gov/shuttle/missions/51-l/docs/rogers-commission/Appendix-F.txt

It covers the way in which people use failures which don't develop to disasters to lull themselves into a false sense of security better than anything ever written.

I am willing to believe that the extent of the damage in this particular case was limited because the person involved only had a vague idea of how the internet works.

However, in general, I don't think employing people who are only vaguely aware of how the internet works is an effective way of maintaining security at a company like MN. I want to know how this situation will be improved.

Most of them are violent Spiderweb.

They are bog standard abusers and if they didn't call themselves women, they would be generally recognised as such.

Would it be possible to put a thread linking to www.mumsnet.com/info/mumsnet-data-qa at the top of every board

Or, you know, email every user as is pretty standard when a data breach becomes apparent...

It really does seem like MNHQ trying as hard as possible to make sure no-one finds about this. This thread isn't even stickied FFS.

Would be really pissed if I only found out about the breach in the press!

And the Q and A page seems to only be linked to from this thread, not promoted in any way...