Posted by Michael Andersen (Contributor) on June 15th, 2016 at 3:16 pm
One day after it started selling memberships, Portland’s new bike-share system has apologized to its first 400 members for inadvertently letting any of them pull up a virtually complete list of other members’ names.
In an email circulated to those early members on Wednesday, the city said that no other information had been made public. By way of apology, it also offered an additional free month of bike-share membership to everyone who signed up before the city fixed the problem at noon Wednesday.
City spokesman John Brady said Wednesday that the issue stemmed from the “social function on the website that allows people to look up friends.” But the function also let people search by member number.
“I think what happened is someone realized that the member numbers were sequential, entered member numbers, and was able to get the first members’ names,” Brady said.
In response, the city has now changed the account numbers of those 400 early members and changed the default setting for new members from “public” to “private.” This means someone will no longer be able to look up virtually every member’s name, only those who opt in to making their membership status public.
The issue was first publicly discussed in a BikePortland subscriber post (since edited) by Ted Timmons. In that post published Wednesday morning, Timmons speculated on the number of people who had signed up for the system in the first 24 hours, and mentioned that another early member, Alan Kessler, had gotten a full list of members.
After Timmons’s post went up, I emailed Brady and Biketown to ask if they knew that a full list of members’ names and Biketown ID numbers could be so easily compiled. They didn’t.
By noon on Wednesday, Kessler had spoken with city officials to explain how he got the list of members.
“All of the people who signed up in the first hours were chatting on Twitter, sort of excited, figuring out who was hipper than who and trying to figure out who signed up,” Kessler said. “We were searching names we knew to try to find out member numbers. … And realized that if you actually searched for member numbers itself, you could actually generate a list of everybody who had signed up.”
Kessler said he basically wanted “to see how successful Biketown was being.”
“I didn’t publicize the names, I didn’t broadcast it,” Kessler said. “But on the other hand, the site doesn’t make any effort to make it private, so it didn’t feel like private information that needed to be protected, necessarily. … it was a feature of the site that you could look at everybody.”
Kessler (who works as a patent attorney) added that Biketown’s website would be more secure in general if something as public and predictable as a member number weren’t also being used as security credentials.
“If they want to make it more secure, they should use a much larger number where most of the numbers don’t correspond to real accounts,” Kessler said. He said that’s what the U.S. Postal Service does. “They also should not use the member number that is used in the web interface as a security credential. … That’s actually something I told PBOT this morning.”
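The two changes Kessler describes (a much larger, sparse number space so that almost no guessed member number is a real account, and a secret credential that is separate from the public member number) can be sketched in code. The following is an added illustration written for this article, not Biketown’s or Social Bicycles’ code; the `MemberDirectory` class, its 64-bit number space and the token format are assumptions, and the “find friends” behaviour it models is the corrected one, where the default is private and a lookup returns only members who opted in.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical member directory (assumption, not the vendor's design).
ID_BITS = 64  # public member numbers are drawn from a 2**64 space


@dataclass
class Member:
    member_number: int      # public handle; shown in the directory if the member opts in
    name: str
    credential_hash: bytes  # SHA-256 of the secret token; the token itself is never stored
    public: bool = False    # default private, matching the corrected default setting


class MemberDirectory:
    def __init__(self, id_bits: int = ID_BITS):
        self.id_bits = id_bits
        self._by_number: dict[int, Member] = {}

    def register(self, name: str, public: bool = False) -> tuple[int, str]:
        """Create a member and return (public member number, one-time secret token)."""
        # Random rather than sequential: an unused 64-bit value is found on the first try
        # in practice, and consecutive numbers say nothing about who signed up next.
        while True:
            number = secrets.randbits(self.id_bits)
            if number not in self._by_number:
                break
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self._by_number[number] = Member(number, name, digest, public)
        return number, token

    def find_friend(self, query) -> list[dict]:
        """The social lookup: searchable by name or by member number, but only
        members who opted in are returned, and only their name and number."""
        results = []
        for m in self._by_number.values():
            if not m.public:
                continue
            by_number = isinstance(query, int) and m.member_number == query
            by_name = isinstance(query, str) and query.lower() in m.name.lower()
            if by_number or by_name:
                results.append({"member_number": m.member_number, "name": m.name})
        return results

    def authenticate(self, number: int, token: str) -> bool:
        """Anything private requires the secret token; knowing a member number is not enough."""
        m = self._by_number.get(number)
        if m is None:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        return hmac.compare_digest(m.credential_hash, presented)


def expected_lookups_per_hit(real_accounts: int, id_bits: int) -> float:
    """Average number of guessed member numbers needed to land on one real account.
    With sequential numbering the space is as small as the membership itself, so
    this is about 1; with a sparse space it is 2**id_bits / real_accounts."""
    return 2 ** id_bits / real_accounts


if __name__ == "__main__":
    directory = MemberDirectory()
    alice_no, alice_token = directory.register("Alice", public=True)
    bob_no, bob_token = directory.register("Bob")  # private by default
    print(directory.find_friend(alice_no))   # Alice, who opted in
    print(directory.find_friend(bob_no))     # [] : Bob is private
    print(directory.authenticate(bob_no, bob_token))    # True
    print(directory.authenticate(bob_no, alice_token))  # False
    # 428 members (the count reported below) in a 64-bit space:
    print(f"{expected_lookups_per_hit(428, 64):.2e} guesses per real account")
```

The `expected_lookups_per_hit` figure is the point of the larger number space: with 428 accounts numbered sequentially, every guess is a hit, whereas spread over 2**64 values the average guess finds nothing, which is the property Kessler attributes to the Postal Service's numbering. Separating the public number from the credential is what stops the number, however it is assigned, from being usable as a password.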
Here’s the email circulated Wednesday by Biketown:
Thank you again for signing up for BIKETOWN. We’re excited to have you as a member!
We need to tell you about an issue that we discovered this morning. Social Bicycles, our technology vendor, offers a social feature that allows you to search by name or bike share membership number to find friends so you can share your rides and your BIKETOWN milestones. The only information that is available via this function is name, membership number and if you’ve uploaded one, a photo. All other information remains private and fully secure.
We’ve learned that this function was turned on by default, and as a result, members were able to obtain the names and member numbers of other members. We care about your privacy and realize that some of you may not want this information searchable.
Therefore we are taking the following steps:
The sharing settings for all BIKETOWN members have been switched to private and this will be the default going forward.
We will change the member numbers of everyone who signed up before 12 pm today. This is when we discovered the issue.
We apologize for this mistake, and as a sign of how seriously we take your privacy, we will credit your account with an additional month free.
If you have any questions or concerns, please email us at firstname.lastname@example.org.
The BIKETOWN Team
“There wasn’t a malicious intent here,” Brady said Wednesday, summarizing Kessler’s actions. But “privacy is a really sensitive subject, and there are people who want to keep that to themselves.”
I asked Brady if Biketown member IDs will change so they will no longer be assigned sequentially.
“I’m certainly hoping so, yes,” he said.
Brady said that as of 2:20 p.m. Wednesday, the system had registered 428 members.
— Michael Andersen, (503) 333-7824 – email@example.com